F5 iRule to route traffic based on AS2 headers doesn't work
We are testing an iRule on our F5 load balancer to route traffic based on the AS2 headers to different internal servers. We have created the iRule below, which inspects the HTTP headers and directs the traffic accordingly. But we don't see traffic come to the new pool member; it goes to the existing pool member. Can anyone help with this? This is a new requirement for our client.

```tcl
when HTTP_REQUEST {
    # Check if the AS2 header exists
    if { [HTTP::header exists "AS2-From"] } {
        # Get the value of the AS2 header
        set as2_from [HTTP::header "AS2-From"]
        # Route based on the AS2 header value
        switch $as2_from {
            "INTGHXCOMS" {
                pool pool_partner1
            }
            "INTGHXEUCOMS" {
                pool pool_partner2
            }
            default {
                # Default pool if the AS2 header value does not match any known values
                pool pool_default
            }
        }
    } else {
        # Default pool if the AS2 header does not exist
        pool pool_default
    }
}
```

8 Views, 0 likes, 0 Comments

iRule http host with wildcard domain
Hi, I want to ask a question. I want to limit the http::host wildcard domain in an iRule. Allow *.domain.com, but disallow *.*.domain.com. For example, if http::host is a.aaa.com or b.aaa.com, then go on. If http::host is a.b.domain.com or b.c.d.domain.com, then drop. How could I do that?

Solved, 69 Views, 0 likes, 8 Comments

F5 Irule for maintenance page on application
Hello All, Is it possible to use the page screenshot (jpg) on an iFile and call it in an iRule?

```tcl
when HTTP_REQUEST {
    # Retrieve the file contents, send it in an HTTP 200 response and clear the temporary variable
    set ifileContent [ifile get "test_application_name"]
    HTTP::respond 200 content $ifileContent
    unset ifileContent
}
```

30 Views, 0 likes, 2 Comments

Advice to partial rename uri path
Hi there masters! I would like to ask for advice. Is there a possibility that after I redirect a URL I can partially rename the first two paths in the redirected URI path?

So, for example: when a client requests our main page, "https://companyA.com/", I will redirect this to a path of "https://companyA.com/room/desktop/r/Home". Then, I will hide or rename the first two paths and this will appear in the client's browser as "https://companyA.com/bed/table/r/Home". The /bed/table URI paths are strings, not a location or directory. Would this be plausible? I really just want to change their strings.

I tried to code it but only the redirect is successful, except for the changing of the names of the two paths:

```tcl
when HTTP_REQUEST {
    if { ([HTTP::host] equals "companyA.com" and [HTTP::uri] equals "/") } {
        HTTP::redirect "https://[HTTP::host]/room/desktop/r/Home"
    }
}
when HTTP_RESPONSE {
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" [string map {"/bed/table" "/room/desktop"} [HTTP::header "Location"]]
    }
}
```

Can you help me on this? Thanks!

Regards, Zeig

Solved, 49 Views, 0 likes, 5 Comments

Redirect iRule differences...
We have a situation where we need to redirect users from one domain to another and had been using Method 1 (shown below) of redirection via iRule. It was recently brought to our attention by our web team that the way we were doing the redirects for one of their sites in particular was "really bad" for SEO and we ended up making them happy with doing it via Method 2 (shown below). While my team officially maintains our BIG-IPs, we are not network/web savvy and don't really understand the difference here. We have a new site that needs to be redirected and we are not sure which method to use. Would someone please explain in what cases you would use one over the other? Thanks.

Method 1

```tcl
when HTTP_REQUEST {
    if { [HTTP::host] eq "website1.com" } {
        HTTP::redirect https://websitesite2.com
    }
}
```

Method 2

```tcl
when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] eq "website1.com") } {
        HTTP::respond 301 Location "http://website2.com"
        return
    }
}
```

31 Views, 1 like, 1 Comment

APM combine check for ldap group plus IP ACL
Hi,

A client wishes to create an APM policy that will, amongst other things, do the following: the client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL.

Can this be done using only APM, and if so, how? Or do we need to combine an iRule, and if so, is there a simple way to do this? (We have 30 groups that need to be matched to ACLs.)

Thanks, Vered

31 Views, 0 likes, 2 Comments

Help with iRule
Good day all! I have the following iRule:

```tcl
when HTTP_REQUEST {
    if { ([HTTP::host] eq "lists.example.com") and
         ([HTTP::uri] eq "/cgi-bin/wa?INDEX" ||
          [HTTP::uri] eq "/cgi-bin/wa?MOD" ||
          [HTTP::uri] eq "/cgi-bin/wa?SYSCFG" ||
          [HTTP::uri] eq "/cgi-bin/wa?OWNER" ||
          [HTTP::uri] eq "/cgi-bin/wa?INDEX=" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON=INDEX" ||
          [HTTP::uri] eq "/cgi-bin/wa?LOGON=" ||
          [HTTP::uri] eq "/cgi-bin/wa?ADMINDASH" ||
          [HTTP::uri] eq "/cgi-bin/wa?LSTCR1") } {
        switch -glob [class match [IP::client_addr] eq "LISTSERV-TST_Allowed_IPs"] {
            "1" {
                return
            }
            default {
                HTTP::redirect "https://www.google.com/"
            }
        }
    } else {
        return
    }
}
```

As you can see, it is inefficient, and it doesn't account for all possibilities. Let me explain what I am aiming for. If an `HTTP_REQUEST` comes to "lists.example.com" (`[HTTP::host]`), and the URI (`[HTTP::uri]`) isn't "/cgi-bin/wa?SUBEDIT1*" (that is, "cgi-bin/wa?SUBEDIT1", and anything after it), redirect it unless it is from an IP on the "LISTSERV-TST_Allowed_IPs", in which case, allow anything on the URI and continue to it. What would you do?

Solved, 125 Views, 0 likes, 15 Comments

Send Client HTTP Request to Pool And Send HTTP Response From BIG-IP to Client.
Good day everyone. We are starting an F5 XC POV and I'm currently focused on external logging to Graylog. XC is sending log messages via HTTPS to a BIG-IP VIP. Graylog doesn't support HTTP JSON messages. However, we've configured a Raw/Plaintext TCP input and it is processing received messages great with the help of some pipeline rules. Graylog, however, isn't sending any HTTP response, which I understand, but that is what I'm trying to see if I can overcome.

I am seeing XC repeatedly sending the same log messages. I'm assuming this is because it never receives an HTTP 200 response. Seems like reasonable behavior. So XC is sending messages properly and Graylog is consuming them properly. Because there isn't any option I can see to get Graylog to generate an HTTP response, I am exploring options to get the BIG-IP to send the response with an iRule.

I read the following doc: https://clouddocs.f5.com/api/irules/HTTP__respond.html

Snip from that:

Generates a response to the client as if it came from the server. If the command runs on the client side, it sends the response to the client without any load balancing taking place. If the command runs on the server side, the content from the actual server is discarded and replaced with the information provided.

I am hanging my hopes on getting the bold comment working. But I don't know if this requires a server-side response to behave properly. I started with the following iRule:

```tcl
when HTTP_REQUEST_SEND {
    serverside {
        HTTP::respond 200 -version 1.1 noserver
    }
}
```

I'm POSTing some JSON via cURL that I've seen sent from XC. I see the log message in Graylog without the iRule in place and cURL eventually times out, as expected. When I put the above iRule in place and execute the same cURL test, I get an HTTP 200 response from the BIG-IP; however, I don't see the log message in Graylog. I've verified with a server-side packet capture on the BIG-IP that the HTTP POST is never sent to Graylog. This obviously explains why I don't see it in Graylog.
I've tried several variants of the above iRule. For example, I tried the clientside context even though the documentation clearly states I should get the behavior I'm seeing. I tried putting the HTTP::respond in different events, HTTP_RESPONSE for example. But I am not able to find the correct approach to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client.

I'm hoping someone is able to either confirm this is even possible or provide some guidance to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client. Thank you kindly in advance.

55 Views, 0 likes, 1 Comment

VPN fragmented IP packets dropped
VPN fragmented IP packets are being dropped by the BIG-IP because of 'tm.minipfragsize > default=552' (K52103592). TCPDump showed the IP packets arriving on the client side and never being forwarded on the server side. Any idea if an iRule could disregard 'tm.minipfragsize > default=552' for specific Virtual Servers, without affecting other Virtual Servers?

142 Views, 0 likes, 9 Comments