irule
647 TopicsNeed iRule to block the traffic for specific URL
Hello Can somebody help on this please? I have LTM appliance &Virtual server 'https://www100.test.com' hosted. The requirement I have is to block all the traffic destinated to one of the application 'https://www100.test.com/ce' - is this something achievable by iRule If so do you have any idea on the iRule? Would appreciate somebody can help. Have seen this - https://support.f5.com/csp/article/K74012450 but that is looking too complex to me. Thanks1.8KViews0likes6CommentsIrule to allow specific IPs
I have a site which is abc.com Trying to achieve below requirements- 1) If uri is / it should redirect to abc.com/xyz - open for all 2) If uri is /rdp_xyz_tshoot should accessible to internal network - (here we can use the datagroup list) As this site is migrated to akamai where they have requirement to use below irule- when HTTP_REQUEST { if { [HTTP::header exists True-Client-IP] } { set trueclientip [HTTP::header True-Client-IP] HTTP::header replace X-Forwarded-For $trueclientip } } Cause for above akamai irule= Normally the True-Client-IP header includes the real IP of the clients when requests are coming from Akamai. It will be unaffected and be sent as part of the request to the pool member. So, your backend servers could look for that header and do something with its value. However, if you want the F5 to translate it to the X-Forwarded-For header, you can use an iRule to convert the Akamai True-Client-IP header to the X-Forwarded-For header. we are trying with below irule which is not working- when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/rdp_xyz_tshoot") && (not[class match [IP::client_addr] equals allowed_IPs])} { reject } if { [HTTP::uri] == "/" } { HTTP::redirect "https://[HTTP::host]/abc_login.jsp" } } Please help36Views0likes2CommentsF5 Next - how to reference irule procedures
Hi, Anyone figured how references works for irule objects with the call command? and if it is possible do i need to assign it to the vs? This is my stack: I manage to use the call command to a proc within the samle irule but i haven't found a way how to reference proclibrary (irule) from my_irule https://clouddocs.f5.com/bigip-next/20-2-0/irules/bigipn_object_naming_irule.html { "_embedded": { "stacks": [ { "_links": { "self": "/applications/a95e7451-d077-4ec3-a9c1-d0f3bea7f615/stacks/e87175a1-34f3-43d2-b52a-7b7466ed8851" }, "clientSide": { "l4ClientSide": "default:service_2:vs", "persistence": { "cookieMethod": { "method": "COOKIE_INSERT_METHOD" }, "template": "COOKIE_TEMPLATE" } }, "enabled": true, "id": "e87175a1-34f3-43d2-b52a-7b7466ed8851", "irules": [ { "description": "default:service_2:proclibrary", "rule": "when RULE_INIT {\nlog local0. \"proclib started\"\n}\nproc responder {} {\n HTTP::respond 200 content {hell from proc}\n}" }, { "description": "default:service_2:my_irule", "rule": "proc test {} {\nHTTP::respond 200 content [virtual name]\n}\nwhen HTTP_REQUEST {\nset vs_name [virtual name]\nlog local0. \"hello there\"\ncall /app/default:service_2/proclibrary::responder\n\n}" } ], "name": "vs", "serverSide": { "l4ServerSide": "default:service_2:vs" }, "stackType": "HttpAdvancedProxy" } ] }, "_links": { "self": "/applications/a95e7451-d077-4ec3-a9c1-d0f3bea7f615/stacks?" }, "count": 1, "total": 1 }41Views0likes1CommentiRule for X509 Subject
I have an iRule that is working and inserts a certificate DN into a header In the header the cert DN is inserted as: x-ssl-client-dn: C=<country >, O=<Org>, OU=<OU>, CN=<User name> the application owner wants changed to the following: x-ssl-client-dn: CN=<Usern Name> , OU=<OU> , O=<Org> , C= <Country) How can this be reversed49Views0likes1CommentCreating iRule for Persistence Profile
Dear Community, Could you assist me in creating an iRule for a Persistence Profile requirement related to an SSO application? When users access our application via desktop, they are presented with a QR code for scanning through a mobile app to authenticate and gain access. The issue arises when, after browsing the website from the desktop (with the session routed to one node via F5 LTM), another request from the mobile app after scanning the QR code is routed to a different node. Ideally, both requests should be directed to the same node. To resolve this, the iRule needs to compare the var topic parameter with the QR_AUTHENTICATION_CHANNEL_ID from the mobile request and ensure both are directed to the same node attached is the screenshot of the code and HTML code of the website /*<![CDATA[*/ var endpoint = "\/qr-websocket"; var topic = "80f95f6f-cecf-4ab6-a70b-1196194e4baa"; var prefix = "\/qrtopic"; var stompClient = null; $(function () { var socket = new SockJS(endpoint); stompClient = Stomp.over(socket); stompClient.connect({}, function (frame) { stompClient.subscribe(prefix + '/' + topic + '/verify', function (result) { console.log(result.body); let body = JSON.parse(result.body); if (body.error) { $("#qrerror").show(); } else if (body.success) { stompClient.disconnect(); $("#qrerror").hide(); $("#qrform #token").val(body.token); $("#qrform #deviceId").val(body.deviceId); $("#qrform").submit(); } }); }); }); /*]]>*/ Regards Omran Mohamed52Views0likes1CommentNeed help to understand the flow logic of the irule
Hi Team, Below is the irule which I have worked. Could you please help me to know on the following: 1 - What is the difference in using reject and Return in an iRule? 2 - Why do we need to set debug 0 in an irule? 3 - Will the same logic will work without an debug? 4 - What is the use or array set in an irule? when CLIENTSSL_CLIENTCERT { set debug 0 # Check if client presented a cert after it was requested if {[SSL::cert 0] eq ""}{ reject } else { set ssl_cert [SSL::cert 0] log local0. "cert is $cert" set subject [X509::subject [SSL::cert 0]] array set subject_fields [split $subject ",="] log local0. "subject is $subject" } } when HTTP_REQUEST { log local0. "The X-common-name <---> $subject" if {[info exists subject_fields(CN)]} { HTTP::header insert X-Common-Name "$ubject_fields(CN)" log local0. "The X-common-name-to-server <---> $subject" HTTP::header insert X-Source-Ip [IP::remote_addr] } # If there is no CN then respond with a error 403 else { HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache } }38Views0likes1CommentHelp with an I-rule rewrite
I'm trying to use an I-rule to add the http hostname in the url to the beginning of the uri then rewrite the hostname. Example: If the client request to a VIP is https://proxy-v2.api-np-c.newapps.com/<somepath>, I want the request to the server pool to be this https://proxy-v2.api-gw-np-a.newapps.com/proxy-v2.api-np-c.newapps.com/<somepath> I've tried this and it didn't work: when HTTP_REQUEST { if {[HTTP::uri] starts_with "/" } { HTTP::uri /[HTTP::host][HTTP::uri] } switch -glob [HTTP::host] { "*.api-np-c.newapps.com*" { set http_host [HTTP::host] set startPos [string first .api-np-c $http_host] set endPos [expr $startPos + 11] set http_host [string replace $http_host $startPos $endPos .api-gw-np-a] HTTP::header replace Host "$http_host" } } } ------------------------------------------------------------------------------------------------------- After some digging, I plan to try this next: when HTTP_REQUEST { if {[HTTP::uri] starts_with "/" } { HTTP::uri /[HTTP::host][HTTP::uri] } else { switch -glob [HTTP::host] { "*.api-np-c.newapps.com*" { set http_host [HTTP::host] set http_host [string map -nocase {".api-np-c" ".api-gw-np-a"} [HTTP::uri]] HTTP::header replace Host "$http_host" } } } } As you can probably tell, I'm really new working with i-rules. Any help would be greatly appreciated!58Views0likes3CommentsHelp with iRule Proxy
Hi team, I’m working on an iRule where I need to replace the path /admin with the root / and forward the request to the appropriate pool. However, I’m encountering issues with the rule, and it doesn't seem to work as expected. Here’s the first version I implemented: when HTTP_REQUEST { if {[string tolower [HTTP::host]] equals "test.com" and [HTTP::path] starts_with "/admin"} { HTTP::path [string map -nocase {"/admin" "/"} [HTTP::path]] pool POOL-A #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-A" } else { pool POOL-B #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-B" } } After some research, I saw that HTTP::path might need to be changed to HTTP::uri. I tried this version: when HTTP_REQUEST { # Log the original URI for debugging log local0. "Original URI: [HTTP::uri]" # Check if the URI starts with "/admin" if {[HTTP::uri] starts_with "/admin"} { # Modify the URI by replacing "/admin" with "/" set new_uri [string map {"/admin" "/"} [HTTP::uri]] HTTP::uri $new_uri # Log the modified URI for debugging log local0. "Modified URI: [HTTP::uri]" # Forward the request to the appropriate pool pool POOL-A } else { # Log default traffic for debugging log local0. "Default traffic - URI: [HTTP::uri], Pool: POOL-B" # Forward to the default pool pool POOL-B } } Issue: Neither version seems to work. When I test requests to /admin, the path replacement does not happen as expected or The replace of path does not allow me to reach any subfolders after root “/” (ex. help, etc etc) and on these objects we faced 404 not found error.Could someone point out what I might be missing or any best practices for this kind of path manipulation? Thanks!45Views0likes2CommentsRe-execute iRule to read CN value of client cert, but after you know URI.
Hi We have been dealing with a new implementation where we need to either accept or reject access to a certain path/URI of a VIP based on the CN of the client cert.........and for other paths that either don't have a client cert or the CN of a client cert does not match our Data-group allow access to other URIs. We have a iRule below which works great, but it has to request a user for a client cert in which we only want to do when required to go to the target URIs. The only way we can get this to work is to have the "request" option enabled in the SSL client profile so it reads the subject under "when CLIENTSSL_CLIENTCERT' which obviously happens before we can read the path under "when HTTP_REQUEST" which is not great as it requests the client using a browser for a client certificate, which is what we want to avoid. What we want to do is renegotiate SSL when going to a certain path so only those trying to get to a special path get requested for a client cert and then the subject is read and decision made based on CN of cert as to whether they can get to that path We have tried to trigger a renegotiate ssl in a Proc, but the problem is we need to read the subject that you can only do in "when CLIENTSSL_CLIENTCERT" and don't know how to do that after a renegotiation ssl. We thought hat maybe we could restart the whole iRule again from the proc, but don't know how to do that. Maybe we could call another iRule, but it looks like that is just a proc too and we can't nest "when CLIENTSSL_CLIENTCERT" in anything. We have asked a TCL guru in our organisation and they are a little stumped too, so any help would be greatly appreciated. As far as we can tell that can't be nested in a proc or any other stanza. Maybe there is a better way or there is a simple line of code we are missing. Here is a our script that does everything we need , but requests human clients using a browser for a client cert. when RULE_INIT { set static::debug 1 } when CLIENTSSL_CLIENTCERT { # Check if client provided a cert if {[SSL::cert 0] eq ""}{ set subject_dn void log local0.info "NoCert: $subject_dn" } else { #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith set subject_dn [X509::subject [SSL::cert 0]] set client_cert [SSL::cert 0] set ssl_client_cert_value [X509::whole $client_cert] set client_cert_validated 1 log local0.info "Client Certificate Accepted: [SSL::cert 0]" log local0.info "Client Certificate Received: $subject_dn" #Check if the client certificate contains the correct O and a CN from the list } } when HTTP_REQUEST { set httpUri [HTTP::uri] switch -glob [HTTP::uri] { "/BlahBlah" - "/YadaYada/*" { ##This is where we want to renegoiate a new SSL profile and read the client cert" if { [info exists client_cert_validated] and ([matchclass $subject_dn contains API-CN_List]) } { #Accept the client cert log local0.info "ClientCertAccepted: $subject_dn" return } else { log local0.info "nugh 2.1" ###Or here } } "/FreeForAll" - "/NoNeedForCertHere" { log local0.info "NoCertRequired" return } default { log local0.info "NoMatchingPath" reject return } } }68Views0likes2Comments