iRules
19425 TopicsUri Rewrite and relative Uri's/Links
Hello Folks, I think it's more an theoretical question, but with a practical background. I've the following secenario. Client side is requesting "https://www.domain.com/app Proxy performs a HTTP:uri rewrite from /app to "/" (content on backend system is in the root directory). That's working fine -> I'll get a Login mask and then I'll get some incomplete content back in the browser. After looking the site source code I'll find a lot of "relative links" <!DOCTYPE html> <html lang="en"><head><meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"> <base href="/" /> <link href="css/rich-text/bundle.min.css" rel="stylesheet"> <link href="css/rich-text/css/dx.light.css" rel="stylesheet"> <link href="css/rich-text/bundle-richedit.min.css" rel="stylesheet"> <script src="_framework/blazor.webassembly.js"></script> <script src="_content/MudBlazor/MudBlazor.min.js"></script> <script src="_content/Dsm.Blazor.Components/common.bundle.js"></script> <script src="_content/Dsm.Blazor.Components/contextmenu.bundle.js"></script> and so on. The problem is, the browser is requesting all these links without the subdirectory /app https://www.domain.com/css/rich-text instead of https://www.domain.com/app/css/rich-text A search on the WWW says that the usage of subfolders + rewrites with relative paths should not really be a problem. Or rather, this was described as a workaround. According to my understanding of relative links, these should simply be added to the existing browser URL during the request. Do I have a problem understanding relative links here or could be the <base href="/" /> the problem (because all paths are relative to / [root path] thus removing the /app path from subsequent requests)? Thanks in advance for you help. rschwarz26Views0likes2CommentsIrule for Host block with custom ASM violation
Dears, I have following scenarios, 1. if Traffic from Internal user/IP --- >Allow connection 2. Traffic from internet 2.1) Block access only on Host name ( URL ), That is -----> https://XYZ.com 2.2) Allow access to URI's, Thats is ------- > https://XYZ.com/abc or https://XYZ.com/* I tried multiple way and find some solution but its not working. Its great if some one helps here when HTTP_REQUEST { set reqBlock 0 if {[string tolower [HTTP::host]] eq "XYZ.Google.com" && [IP::addr [IP::client_addr] equals "10.0.0.0/8"]} { log local0. "[IP::client_addr] triggered geo" set reqBlock 1 } } when ASM_REQUEST_DONE { if {$reqBlock == 1} { ASM::raise VIOLATION_URL_GEOLOCATION } }46Views0likes1CommentiRule for X509 Subject
I have an iRule that is working and inserts a certificate DN into a header In the header the cert DN is inserted as: x-ssl-client-dn: C=<country >, O=<Org>, OU=<OU>, CN=<User name> the application owner wants changed to the following: x-ssl-client-dn: CN=<Usern Name> , OU=<OU> , O=<Org> , C= <Country) How can this be reversed52Views0likes1CommentMaintenance page - hosted on LTM or redirect with fallback host - or both?
I'm in the process of implementing an automated maintenance page that is displayed when I have a pool with no healthy members. Looking around, I see two distinct methods of doing this - utilizing the fallback host feature and redirecting to another url, or setting up a page to be hosted on the LTM and using an iRule with " [active_members [LB::server pool]] < 1" in it. Does anyone have any opinions on which one is preferred, and why? Currently, I'm using the fallback host method and I'm redirecting to a page hosted on AWS. My setup includes about 70 virtual servers on a 3600 HA cluster - some are QA, some are non-http. I will likley have the need for multiple versions of the maintenance page, depending on the site content it fronts. The one thing I do see as an advantage of the LTM hosted option is that an iRule code example shows a refresh option being used to automatically pull up the healthy site when it becomes available. Thanks!! Chris326Views0likes5CommentsTCP::collect and large TLS v1.3 client hello packets
Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is the these packets are larger than MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using TCP profile for which iRule parses SNI name to pass the connection as is to correct destination pool. How to reproduce: when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again } It only ever gets the first ~1352 bytes from packet, CLIENT_DATA is only called once, seems there is no way to get rest of the packet. If I add argument to collect length >1500 with "TCP::collect 1600", then it will read the whole ~1800 byte packet in first CLIENT_DATA. But this will break all connections that send normal small ~500 byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.Solved134Views0likes4CommentsOne Connect not keeping connection open on HTTP 204 No Content
We have an application that returns a 'HTTP 204 No Content' response on 99% of all requests. These connections are being kept open and reused on the client side of the F5. The problem is the Load Balancer closes these connections on the server side right after the HTTP 204 RESPONSE is received from the server. When we send a HTTP 200 the connection is kept open and reused(normal One Connect operation). Is there an iRule that we can apply to the VIP to keep the connection open even when the Server returns a 'HTTP 204 No Content'? Thanks548Views0likes9CommentsIrule to block specific users from login to back office system
Hi guys, i need your help to fine tune my Irule script i need to catch the username ( convert it to lower case ) and than match it to the data group list. if its not exist on the DataGroup list, send 403. so basically is a post method only and the uri always come with /login the payload is form data that contains the username and the password as you see at the form data my irule looks like this: Code when CLIENT_ACCEPTED { log local0. "[IP::client_addr]: HTTP Client Connected" } when HTTP_REQUEST { if {([string tolower [HTTP::uri]] ends_with "login") and ([HTTP::method] eq "POST")} { Trigger collection for up to 1MB of data if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576} { set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } Check if $content_length is not set to 0 if { $content_length > 0} { HTTP::collect $content_length } } } when HTTP_REQUEST_DATA { set username [lindex [split [string tolower [HTTP::payload]] "\""] 3] log local0. "Split payload and take username" if { [class match $username equals BOAgentName] } { log local0. "username matches data-group and this connection will be rejected" log local0. "BoAgent Blocked. Agent=$username and Source IP=[IP::client_addr]," HTTP::respond 403 } else { log local0. "BoAgent Allowed" } } but its not working for me.. 😞Solved684Views0likes5CommentsConnection limit on virtual server and message back to client
I am trying to set max connection limit and connection/sec on a virtual server, once the max connection limit is reached can LTM send message back to client that " it is over limit, please try after some time" or any schedule that try during this time window ?? Do we need to make any changes of back end servers in pool ? Will appreciate your answers.933Views0likes7Comments