External Health monitor scripts
Hello DevCentral Friends: Im having an issue with external monitor scripts, and i wonder if any of you can help. Im trying to create a script to monitor my service at application layer. In BIG IP LTM i add the following info to my external monitor: >ltm monitor external eav_test_monitor { defaults-from external destination *:* interval 5 run /Common/Trails time-until-up 0 timeout 16 user-defined HOST sitefoint.net user-defined URI /v/1/siteservice.svc user-defined RECV siteService Service } >I have around 40 different services (Pools name) all using the the same back-end Server IPs (10.X.X.60, 10.X.X.61 and 10.X.X.62). when applied my ext-monitor to siteinfo.net service, it is also shown on other services (all 40 instances).. >The attached scripts is applied to the ext monitor in BIG-IP. But when the ext health monitors is applied the pool it doesn't work. The Pool goes Down. Logs shows eav failed. Services down due to ext monitor. Any idea what is wrong on the scripts below, or what might be the problem? I have tried with no recv string set as well... #!/bin/sh # # (c) Copyright 1996-2007 F5 Networks, Inc. # # This software is confidential and may contain trade secrets that are the # property of F5 Networks, Inc.No part of the software may be disclosed # to other parties without the express written consent of F5 Networks, Inc. # It is against the law to copy the software.No part of the software may # be reproduced, transmitted, or distributed in any form or by any means, # electronic or mechanical, including photocopying, recording, or information # storage and retrieval systems, for any purpose without the express written # permission of F5 Networks, Inc.Our services are only available for legal # users of the program, for instance in the event that we extend our services # by offering the updating of files via the Internet. # # @(#) $Id: http_monitor_cURL+GET,v 1.0 2007/06/28 16:10:15 deb Exp $ # (based on sample_monitor,v 1.3 2005/02/04 18:47:17 saxon) # # these arguments supplied automatically for all external monitors: # $1 = IP (IPv6 notation. IPv4 addresses are passed in the form #::ffff:w.x.y.z #where "w.x.y.z" is the IPv4 address) # $2 = port (decimal, host byte order) # # Additional command line arguments ($3 and higher) may be specified in the monitor template # This example does not expect any additional command line arguments # # Name/Value pairs may also be specified in the monitor template # This example expects the following Name/Vaule pairs: #URI= the URI to request from the server #RECV = the expected response (not case sensitive) #HOST =the host name of the SNI-enabled site # # remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) #IP=`echo ${1} | sed 's/::ffff://'` NODE=`echo ${1} | sed 's/::ffff://'` if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then NODE=${NODE} else NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/`basename ${0}`.${HOST}_${PORT}_${NODE}.pid" # kill of the last instance of this monitor if hung and log current pid if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${HOST}_${PORT}_${NODE}" | logger -p local0.error kill -9 `cat $PIDFILE` > /dev/null 2>&1 fi echo "$$" > $PIDFILE # send request & check for expected response #curl -fNsk https://${IP}:${PORT}${URI} | grep -i "${RECV}" 2>&1 > /dev/null curl -fNsk --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" > /dev/null 2>&1 # mark node UP if expected response was received if [ $? -eq 0 ] then rm -f $PIDFILE echo "UP" else rm -f $PIDFILE fi exit
iRule Limit the number of HTTP requests by a client within a specified time
This iRule block all the traffic from the clientes with the ip addresses listed inside the iRule, doesnt work like the logic code, can you help me to understand which is the issue with theiRule? when RULE_INIT { #This defines how long is the sliding window to count the requests. This example allows 10 requests in 1 seconds* set static::windowSecs 1 #IP Client address maximun request for each oneand the vlan id %819 for the partition set class::conn_limit_dg{ host 52.205.169.24%819 {"4"} host 52.205.60.156%819 {"4"} host 52.205.89.86%819 {"4"} host 71.201.163.113%819 {"4"} host 34.197.3.255%9819 {"26"} } } when CLIENT_ACCEPTED { #Max connections per client IP set limit [class match -value [IP::client_addr] equals conn_limit_dg] log local0. "[IP::client_addr]: \$limit: $limit" } when HTTP_REQUEST { #Check if client IP is in the connection limit data group and the request is a GET if { $limit ne "" and [HTTP::method] eq "GET"} { set getCount [table key -count -subtable [IP::client_addr]] log local0. "[IP::client_addr]: getCount=$getCount" if { $getCount < $limit} { incr getCount 1 table set -subtable [IP::client_addr] $getCount "" indefinite $static::windowSecs } else {log local0. "[IP::client_addr]: exceeded the number of requests allowed. $getCount / $limit" #HTTP header with connection limit exceed the count request HTTP::respond 429 content "Too Many Requests" } } }
Export VIP, Cert CN and Cert expiration date
Hi all, Client has requested the following information; VIP NAME, VIP IP, Cert CN + Cert Duration. I have a script that exports VIP and Pool, was hoping to collate all the information into this if possible. virtuallist=$(tmsh list ltm virtual | grep virtual | cut -d' ' -f3 | tr "\n" " " ); for v in $virtuallist ; do DEST=""; POOL=""; MEMB=""; DEST=$(tmsh list ltm virtual $v | grep destination | cut -d' ' -f6) POOL=$(tmsh list ltm virtual $v | grep pool | cut -d' ' -f6) MEMB=$(tmsh list ltm pool $POOL | egrep 'address '| sed '$!N;s/\n/ /') if [ "$POOL" != "" ]; then echo ""; echo " Virtual: $v - $DEST"; echo " Pool: $POOL"; echo "$MEMB"; else echo ""; echo "!! Virtual $v $DEST has no pool assigned"; echo ""; fi done :wq Cert expiry can be listed from - tmsh list sys file ssl-cert expiration-string Have noticed CN can be pulled using regex - regexp {CN=([^,]+)} [mcget {session.ssl.cert.subject} ] CNFull CNValue; return $CNValue Would there be a way to compilate this all into one script? I am very new to F5 and scripting, any help would be appreciated.
limit IP access to certain URIs
Hi, I am looking for help creating an IRULE for the following conditions: Allow access to two URIs within the policy to a specific group of IPs. Disallow access to these URIs to all other IPs. I tried creating a traffic policy for this but was unsuccessful. Thanks Vered
How to pass client IP onto access logs for TCP (port:22) connections?
We have bitbucket installed and we would want to capture client ip address for every ssh git operation. We were able to capture client IP for http git operation. We have apache httpd configured and we added the following configuration to make it work (under "IfModule log_config_module" section). RemoteIPHeader x-client-ip RemoteIPInternalProxy LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %% %T %D" combined LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %% %T %D SSL: %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combined-ssl By this, we're able to capture client IP for all git operations of http. But, we're not able to get the client IP for SSH Git operations. Currently, it is capturing LTM IP in the access logs.limit IP access to certain URIs
Hi, I am looking for help creating an IRULE for the following conditions: Allow access to two URIs within the policy to a specific group of IPs. Disallow access to these URIs to all other IPs. I tried creating a traffic policy for this but was unsuccessful. Thanks VerediRule to Throttle HTTP Requests for IP mask
We're trying to create an iRule that limits the number of http requests to a virtual server within a specified window. After doing some searching we found this example: https://devcentral.f5.com/wiki/irules.limit-the-number-of-http-requests-by-a-client-within-a-specified-time.ashx?lc=1 That iRule works on limiting the number of requests per specific IP address that matches within the list of networks included in the iRule datagroup. We would like to do the same but not based on specific IP addresses, but for subnets as a whole. That is, if we include the network 3.2.1.0/24 in the iRule datagroup, we would like to be able to set the limits for the whole mask. For example, if we set the limit to 1000 requests in 60 seconds and within one minute: 3.2.1.5 sends 300 requests 3.2.1.20 sends 300 requests 3.2.1.87 sends 400 requests we would like the table to account for every IP covered in the mask as a whole and throttle based on it. A client subscribed to a service that pulls some application data from their website. The problem is that that the service works as batch jobs. When it starts connecting to the website it sends huge bursts of requests in a short period of time. When it happens during peak hours it degrades the applications performance significantly. Since we already identified the source net mask for the service, the goal is to set the iRule to allow the service to continue working but throttling it so that it doesn't degrade the application's performance. Any suggestions?Forward request to IP contained in request header.
Customer is trying to avoid opening a bunch of firewall requests. They want to add a header (ex. DEST: 10.x.x.x) in the request that contains the real destination IP. When the VIP receives the request an iRule will grab that IP and forward the request to that IP. Is this possible? Anyone want to take a crack at it?