iRules
iRule not executing on HTTP requests from internal network
Hi, I have a BIG-IP VE machine running as an AWS EC2 instance, and I have encountered some behavior I can't understand. I have a virtual server with an HTTP profile, with an iRule applied to it. When I send HTTP requests to this virtual server, the iRule runs as expected. However, when I send requests from other EC2 VMs in the same AWS VPC, I do get the expected HTTP response as the client, but the iRule does not run (I added logs to the iRule to make sure of this). Both the BIG-IP instance and the VM I'm sending the requests from are also sitting in a single subnet, with private IPs in the 172.31.x.x range. What is causing this, and how can I make the iRule always run?

Multiple http_request event with http::respond
Hello, I need to make two iRules on the same VS. Both are HTTP_REQUEST-triggered events with HTTP::respond. When I do this it creates a conflict between them: one works well, and the other one works until it needs to send the HTTP::respond; instead of sending me the page I chose, the client side receives the error "This site can’t be reached" in the browser. Is there a solution to this? Thanks :)

How to implement LTM forward proxy client to determine the diversion pool based on the domain name
Through testing, I found that if I simply use an all-zero virtual server in standard mode, I must use the client SSL profile to obtain the SNI domain name in the TLS handshake message sent by the client. However, I don't know which domain name certificate the client needs to access for the client Internet exit. It is not fixed, and these certificates may not exist on my device. If I use a self-signed domain name certificate, the intranet client will prompt "Do not trust the domain name site". Does anyone have a better solution for this? The F5 forward proxy needs to know what the domain name requested by the client is, or provide iRule events or commands! Thank you for every reader's reply!

    when CLIENTSSL_HANDSHAKE {
        # extension type 0 is server_name; the host name starts 9 bytes in
        binary scan [SSL::extensions -type 0] {@9A*} sni_name
        log local0. "$sni_name"
        pool ChinaRadioTelevisionPool
    }

This method currently has the remote certificate issue, prompting an unsafe trust warning. Is there any other way to obtain the domain name information sent by the client for diversion?

    ltm virtual OverseasApplications {
        destination 0.0.0.0:https
        ip-protocol tcp
        mask any
        profiles {
            ForwardClientSSL {
                context clientside
            }
            ForwardServerSSL {
                context serverside
            }
            Forward_HTTP { }
            apm-forwarding-client-tcp { }
        }
        rules {
            OutboundIRules
        }
        source 0.0.0.0/0
        source-address-translation {
            pool ChinaRadioTelevisionSNATPOOL
            type snat
        }
        translate-address disabled
        translate-port disabled
        vlans {
            internal_vlan_13
        }
        vlans-enabled
        vs-index 3
    }

An iRule for Client SSL Profile that Allows Unassigned TLS Extension Values (17516)
Hello Community, I have a requirement to allow enriched HTTPS header enrichment. The SSL negotiation (I'm doing SSL termination on F5) fails because the enriched header from the client contains reserved TLS extension values (https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1). The Client Hello request in the SSL handshake was captured and contained an Extensions list, which included a reserved TLS extension value (17156), which the F5 isn't presenting in the Server Hello. I need an iRule that can allow that extension to be added on the client SSL profile so the SSL handshake doesn't fail.

Diameter iRules attachment?
I'm creating iRules for a Diameter message routing virtual server. I can't seem to get the events DIAMETER_INGRESS or DIAMETER_EGRESS to be executed by the iRule. I have the following simple iRule, but I get no log messages in /var/log/ltm when requests are sent.

    when DIAMETER_INGRESS {
        log local0. "diameter ingress event detected"
        # Command-Code 268 is Diameter-EAP
        if {[DIAMETER::command] == 268} {
            log local0. "diameter eap request detected"
        }
    }
    when DIAMETER_EGRESS {
        log local0. "diameter egress event detected"
        if {[DIAMETER::command] == 268} {
            log local0. "diameter eap egress detected"
        }
    }

I've attached this iRule to the transport profile as well as the VS, but no log messages. The message routing configuration is working fine: I get a request from upstream, which F5 sends downstream, and a response comes back upstream. What am I doing wrong?

Does the iHealth upgrade advisor consider iRule configuration
Hi all, I am currently preparing an upgrade from 11.6.1 to 13.1.0.8 for a customer. I noticed there are a lot of large iRules configured. Does the upgrade advisor consider the iRules collected in the qkview file? I can't seem to find any information about this. Any help is appreciated! With regards, Jeroen

iRule to count how often the node is down
Hello, I want to monitor the nodes in the pool and, if a node/service goes down three times within five minutes, automatically take it offline and send an email notification. Could you help me determine how to track the number of times a node/service goes down within that five-minute window? Thank you!

Possible to combine multiple DataGroupLists for IP-Check?
Hello F5 Community, I am working on an iRule to check against two data group lists and the country, but I am not sure if this is possible the way I want to implement it. It should check if the IP is in list1 or list2, or is part of FR or US, and if true it should allow the traffic; otherwise the traffic should be dropped. My question is: is it possible to check against two data group lists, like I did in my iRule example, or should I avoid this?

    when HTTP_REQUEST {
        # strip any route-domain suffix (%n) before the lookups
        set client_ip [getfield [IP::client_addr] "%" 1]
        set from_country [whereis $client_ip country]
        if { not (([class match $client_ip equals /Common/list1]) || ([class match $client_ip equals /Common/list2]) || ($from_country eq "FR") || ($from_country eq "US")) } {
            drop
        }
        switch -glob -- [string tolower [HTTP::path]] {
            default {
                pool /Common/pool1
            }
        }
    }

Thank you.

Which runs first, iRule or LTM Policy (with ASM being applied)
Hello all, it's well known from K16590 that LTM Policies run before iRules using the same event, for example HTTP_REQUEST in an iRule and "at request time" in an LTM Policy. But regardless of the order, if the LTM Policy says to enable an ASM policy, would the BIG-IP still return and process the iRule, or would the traffic be sent to the ASM policy for processing, leaving the iRule without a match/process? In my understanding the LTM Policy would be read first, then the iRule, and then the traffic sent to the ASM Policy. But my iRule redirects are not occurring. In this case of configuration:

    when HTTP_REQUEST {
        if {[HTTP::uri] starts_with "/region1/abc"} {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        } elseif {[HTTP::uri] starts_with "/region2/abc"} {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        } elseif {[HTTP::uri] starts_with "/region3/abc"} {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        } elseif {[HTTP::uri] starts_with "/region4/abc"} {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        } else {
            # do nothing
        }
    }

    ltm policy LTM_POLICY_ASM_MYSITE {
        controls { asm }
        requires { http }
        rules {
            MYSITE {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/ASM_MYSITEWAFPOLICY
                    }
                }
                conditions {
                    0 {
                        http-host
                        values { www.mysiteexample.com.br mysiteexample.com.br }
                    }
                }
            }
            default {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/ASM_MYSITEWAFPOLICY_MISC
                    }
                }
                conditions {
                    0 {
                        http-uri
                        contains
                        values { miscelaneous }
                    }
                }
                ordinal 1
            }
            no_asm {
                actions {
                    0 {
                        asm
                        disable
                    }
                }
                ordinal 2
            }
        }
        status published
        strategy first-match
    }

Can I use shared objects as I do data groups, in iRules?
I need to write a few iRules for policy NATing, and using Shared Objects would make the task (and the iRules) cleaner and less complex. For instance:

    when CLIENT_ACCEPTED {
        if { [matchclass [IP::remote_addr] equals "international-sites_netgrp"] } {
            pool "infoblox-report"
            # log local0
        }
    }

Where international-sites_netgrp is a shared object address list that contains 2 other address lists which are /16 networks.

Dave