SNI Sites not taking correct certificate.
I have configured one VIP with two certificate aks.test.com aks4.test.com On SSL profile for aks.test.com i have enabled SNI feature and aks.test.com is working fine taking correct certificate (aks.test.com). but aks4.test.com having not secure error on browser and taking the certificate of (aks.test.com). Could someone please help what could be the issue in this case.
Persistent hash iRule
Hi All, I have a question regarding the Persistent hash iRule. Two Pool members are configured as Round robin. Sessions have been concentrated as one pool member since we added the Persistent hash iRule below to the virtual server. There are two Client IPs in total and have not changed since iRule was applied. What is the reason? Please help me. <Pool member#1 connection> <Pool member#2 connection> Thanks.
iRule to count how often the node is down
Hello, I want to monitor the nodes in the pool and, if a node/service goes down three times within five minutes, automatically take it offline and send an email notification. Could you help me determine how to track the number of times a node/service goes down within that five-minute window? Thank you!Editing iRule for Maintainance Page with image local in F5 Big-IP iFile
Dear Community, I hope this message finds you well. I am reaching out to request your assistance in editing the iRule to redirect users to a maintenance page when all nodes are down. While the iRule is currently functioning as intended, I would like to incorporate images that represent our organization and application for users. I have successfully uploaded the images to F5 using iFile however, I am uncertain about how to reference these images within the HTML code of the iRule. Attached below, you will find a screenshot of the current page and a visual representation of the desired maintenance page. The code below: =================================================================================== when HTTP_REQUEST { if { [active_members [LB::server pool]] == 0 } { HTTP::respond 503 content " <!DOCTYPE html> <html lang='en'> <head> <meta charset='UTF-8'> <meta name='viewport' content='width=device-width, initial-scale=1.0'> <title>Maintenance Page</title> <style> body { font-family: Arial, sans-serif; background-color: #f4f4f4; color: rgb(27, 131, 111); display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; text-align: center; } .container { background: white; padding: 20px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1); } h1 { font-size: 2em; margin: 0; } p { font-size: 1.2em; } .logos { margin-bottom: 20px; } .logos img { height: 150px; margin: 0 15px; } .gear-icon { font-size: 3em; color: rgb(27, 131, 111); } @media (max-width: 600px) { h1 { font-size: 1.5em; } p { font-size: 1em; } } </style> </head> <body> <div class='container'> <div class='logos'> <img src='/iFiles/Blackboard-LOGO' alt='Blackboard Logo'> <img src='/iFiles/PSAU-LOGO' alt='PSAU Logo'> </div> <h1>We'll be back soon!</h1> <p>Our website is currently undergoing maintenance. We are working hard to improve your experience. Stay tuned!</p> <p>! الموقع حاليا تحت الصيانة, نحن نعمل بجد لتحسين تجربة المستخدم، ترقبوا</p> <div class='gear-icon'>⚙️</div> </div> </body> </html> " "Content-Type" "text/html" } else { switch [HTTP::uri] { "/iFiles/Blackboard-LOGO" { HTTP::respond 200 content [ifile get "Blackboard-LOGO"] "Content-Type" "image/png" } "/iFiles/PSAU-LOGO" { HTTP::respond 200 content [ifile get "PSAU-LOGO"] "Content-Type" "image/png" } default { # Optionally handle requests for other pages here } } } } ================================================================================= Thank you in advance for your support. Regards Omran Mohamed
Trigger js challenge/Captcha for ip reputation/ip intelligence categories
Problem solved by this Code Snippet Because some ISP or cloud providers do not monitor their users a lot of times client ip addresses are marked as "spam sources" or "windows exploits" and as the ip addresses are dynamic and after time a legitimate user can use this ip addresses the categories are often stopped in the IP intelligence profile or under the ASM/AWAF policy. To still make use of this categories the users coming from those ip addresses can be forced to solve captcha checks or at least to be checked for javascript support! How to use this Code Snippet Have AWAF/ASM and ip intelligence licensed Add AWAF/ASM policy with irule support option (by default not enabled under the policy) or/and Bot profile under the Virtual server Optionally add IP intelligence profile or enable the Ip intelligence under the WAF policy without the categories that cause a lot of false positives, Add the irule and if needed modify the categories for which it triggers Do not forget to first create the data group, used in the code or delete that part of the code and to uncomment the Bot part of the code, if you plan to do js check and not captcha and maybe comment the captcha part ! Code Snippet Meta Information Version: 17.1.3 Coding Language: TCL Code You can find the code and further documentation in my GitHub repository: reputation-javascript-captcha-challlenge/ at main · Nikoolayy1/reputation-javascript-captcha-challlenge when HTTP_REQUEST { # Take the ip address for ip reputation/intelligence check from the XFF header if it comes from the whitelisted source ip addresses in data group "client_ip_class" if { [HTTP::header exists "X-Forwarded-For"] && [class match [IP::client_addr] equals "/Common/client_ip_class"] } { set trueIP [HTTP::header "X-Forwarded-For"] } else { set trueIP [IP::client_addr] } # Check if IP reputation is triggered and it is containing "Spam Sources" if { ([llength [IP::reputation $trueIP]] != 0) && ([IP::reputation $trueIP] contains "Spam Sources") }{ log local0. "The category is [IP::reputation $trueIP] from [IP::client_addr]" # Set the variable 1 or bulean true as to trigger ASM captcha or bot defense javascript set js_ch 1 } else { set js_ch 0 } # Custom response page just for testing if there is no real backend origin server for testing if {!$js_ch} { HTTP::respond 200 content { <html> <head> <title>Apology Page</title> </head> <body> We are sorry, but the site you are looking for is temporarily out of service<br> If you feel you have reached this page in error, please try again. </body> </html> } } } # when BOTDEFENSE_ACTION { # Trigger bot defense action javascript check for Spam Sources # if {$js_ch && (not ([BOTDEFENSE::reason] starts_with "passed browser challenge")) && ([BOTDEFENSE::action] eq "allow") }{ # BOTDEFENSE::action browser_challenge # } # } when ASM_REQUEST_DONE { # Trigger ASM captcha check only for users comming from Spam sources that have not already passed the captcha check (don't have the captcha cookie) if {$js_ch && [ASM::captcha_status] ne "correct"} { set res [ASM::captcha] if {$res ne "ok"} { log local0. "Cannot send captcha_challenge: \"$res\"" } } } Extra References: BOTDEFENSE::action ASM::captcha ASM::captcha_status
Extract SSL extension from client hello
Hi, need support to extract SSL extension field name = DATA from client hello and than insert it into the client application packet. Please let me know how to accomplish this using irule. Sample client hello packet capture: Extension: Unknown type 1000 (len=14) Type: Unknown (1000) Length: 14 DATA: 1111123458998874222
establish a sideband connection to an HTTPS destination using the connect command
Hi, I have iRule that establish sideband connection to an HTTP destination. I need to change it to HTTPS connection with SSL. I tried this command but it not get it because the -ssl argument: when ACCESS_POLICY_AGENT_EVENT { set conn [connect -ssl [name of SSL client profile] -status conn_status 10.5.12.181:443] } somebody have an idea how should I do it?
