Need help to understand the flow logic of the iRule
Hi Team, below is the iRule which I have worked on. Could you please help me understand the following:

1 - What is the difference between using reject and return in an iRule?
2 - Why do we need to set debug 0 in an iRule?
3 - Will the same logic work without debug?
4 - What is the use of array set in an iRule?

    when CLIENTSSL_CLIENTCERT {
        set debug 0
        # Check if client presented a cert after it was requested
        if { [SSL::cert 0] eq "" } {
            reject
        } else {
            set ssl_cert [SSL::cert 0]
            log local0. "cert is $ssl_cert"
            set subject [X509::subject [SSL::cert 0]]
            array set subject_fields [split $subject ",="]
            log local0. "subject is $subject"
        }
    }
    when HTTP_REQUEST {
        log local0. "The X-common-name <---> $subject"
        if { [info exists subject_fields(CN)] } {
            HTTP::header insert X-Common-Name "$subject_fields(CN)"
            log local0. "The X-common-name-to-server <---> $subject"
            HTTP::header insert X-Source-Ip [IP::remote_addr]
        } else {
            # If there is no CN then respond with a 403 error
            HTTP::respond 403 content "You don't have authorization to view this page. Access Denied" noserver Content-Type text/html Connection Close Cache-Control no-cache
        }
    }
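An added example, not code from the post, that fills subject_fields one RDN at a time instead of using array set over a split on ",=": that split shifts keys and values as soon as a value contains "," or "=" and errors on an odd-length list. It assumes the client SSL profile requests a certificate (so CLIENTSSL_CLIENTCERT fires) and treats a DN starting with "/" as the slash-separated form:

```tcl
when CLIENTSSL_CLIENTCERT {
    # No certificate after the profile asked for one: drop the connection
    if { [SSL::cert 0] eq "" } {
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # Assumption: a DN beginning with "/" uses "/" between RDNs, otherwise ","
    set sep ","
    if { [string index $subject 0] eq "/" } { set sep "/" }
    # Fill subject_fields(KEY) one RDN at a time. "array set" over
    # [split $subject ",="] breaks as soon as a value contains "," or "="
    # (keys and values shift) and errors on an odd-length list.
    array unset subject_fields
    foreach rdn [split $subject $sep] {
        set eq [string first "=" $rdn]
        if { $eq < 0 } { continue }
        set key [string trim [string range $rdn 0 [expr {$eq - 1}]]]
        set val [string trim [string range $rdn [expr {$eq + 1}] end]]
        set subject_fields($key) $val
    }
}
when HTTP_REQUEST {
    if { ![info exists subject_fields(CN)] } {
        HTTP::respond 403 content "Access Denied" noserver Connection Close
        return
    }
    # Never trust a copy of these headers sent by the client: remove them
    # before inserting the values taken from the certificate and the socket
    HTTP::header remove X-Common-Name
    HTTP::header remove X-Source-Ip
    HTTP::header insert X-Common-Name $subject_fields(CN)
    HTTP::header insert X-Source-Ip [IP::remote_addr]
}
```

The two HTTP::header remove calls are the security-relevant part: without them a client can send its own X-Common-Name and the backend sees two copies, one of which it did not get from the certificate.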
Help with an iRule rewrite

I'm trying to use an iRule to add the HTTP hostname in the URL to the beginning of the URI, then rewrite the hostname. Example: if the client request to a VIP is https://proxy-v2.api-np-c.newapps.com/<somepath>, I want the request to the server pool to be https://proxy-v2.api-gw-np-a.newapps.com/proxy-v2.api-np-c.newapps.com/<somepath>

I've tried this and it didn't work:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/" } {
            HTTP::uri /[HTTP::host][HTTP::uri]
        }
        switch -glob [HTTP::host] {
            "*.api-np-c.newapps.com*" {
                set http_host [HTTP::host]
                set startPos [string first .api-np-c $http_host]
                set endPos [expr $startPos + 11]
                set http_host [string replace $http_host $startPos $endPos .api-gw-np-a]
                HTTP::header replace Host "$http_host"
            }
        }
    }

After some digging, I plan to try this next:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/" } {
            HTTP::uri /[HTTP::host][HTTP::uri]
        } else {
            switch -glob [HTTP::host] {
                "*.api-np-c.newapps.com*" {
                    set http_host [HTTP::host]
                    set http_host [string map -nocase {".api-np-c" ".api-gw-np-a"} [HTTP::uri]]
                    HTTP::header replace Host "$http_host"
                }
            }
        }
    }

As you can probably tell, I'm really new to working with iRules. Any help would be greatly appreciated!
Help with iRule Proxy

Hi team, I'm working on an iRule where I need to replace the path /admin with the root / and forward the request to the appropriate pool. However, I'm encountering issues with the rule, and it doesn't seem to work as expected. Here's the first version I implemented:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "test.com" and [HTTP::path] starts_with "/admin" } {
            HTTP::path [string map -nocase {"/admin" "/"} [HTTP::path]]
            pool POOL-A
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-A"
        } else {
            pool POOL-B
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-B"
        }
    }

After some research, I saw that HTTP::path might need to be changed to HTTP::uri. I tried this version:

    when HTTP_REQUEST {
        # Log the original URI for debugging
        log local0. "Original URI: [HTTP::uri]"
        # Check if the URI starts with "/admin"
        if { [HTTP::uri] starts_with "/admin" } {
            # Modify the URI by replacing "/admin" with "/"
            set new_uri [string map {"/admin" "/"} [HTTP::uri]]
            HTTP::uri $new_uri
            # Log the modified URI for debugging
            log local0. "Modified URI: [HTTP::uri]"
            # Forward the request to the appropriate pool
            pool POOL-A
        } else {
            # Log default traffic for debugging
            log local0. "Default traffic - URI: [HTTP::uri], Pool: POOL-B"
            # Forward to the default pool
            pool POOL-B
        }
    }

Issue: Neither version seems to work. When I test requests to /admin, the path replacement does not happen as expected, or the replacement of the path does not allow me to reach any subfolders after the root "/" (e.g. help, etc.), and on these objects we get a 404 Not Found error. Could someone point out what I might be missing, or any best practices for this kind of path manipulation? Thanks!
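An added example, not code from the post, of the prefix strip done with string range instead of string map, so that /admin/help reaches the pool as /help and bare /admin as /, while a path such as /administrator is left alone; the host and pool names are the post's own:

```tcl
when HTTP_REQUEST {
    set path [HTTP::path]
    set prefix "/admin"
    set plen [string length $prefix]
    # Match "/admin" itself or "/admin/<anything>", but not "/administrator"
    set is_admin [expr {$path eq $prefix || [string range $path 0 $plen] eq "${prefix}/"}]
    if { [string tolower [HTTP::host]] eq "test.com" && $is_admin } {
        # Cut the prefix off but keep the "/" that follows it, so
        # "/admin/help" becomes "/help"; a string map of "/admin" -> "/"
        # would produce "//help", which the server answers with 404.
        set new_path [string range $path $plen end]
        if { $new_path eq "" } { set new_path "/" }
        # HTTP::path rewrites only the path; the query string is untouched
        HTTP::path $new_path
        pool POOL-A
    } else {
        pool POOL-B
    }
}
```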
Re-execute iRule to read CN value of client cert, but after you know URI.

Hi, we have been dealing with a new implementation where we need to either accept or reject access to a certain path/URI of a VIP based on the CN of the client cert, and for other paths that either don't have a client cert, or where the CN of the client cert does not match our data group, allow access to the other URIs. We have an iRule below which works great, but it has to request a client cert from the user, which we only want to do when required to go to the target URIs. The only way we can get this to work is to have the "request" option enabled in the SSL client profile so it reads the subject under "when CLIENTSSL_CLIENTCERT", which obviously happens before we can read the path under "when HTTP_REQUEST". This is not great, as it prompts the client using a browser for a client certificate, which is what we want to avoid. What we want to do is renegotiate SSL when going to a certain path, so only those trying to get to a special path get requested for a client cert, and then the subject is read and a decision is made based on the CN of the cert as to whether they can get to that path. We have tried to trigger an SSL renegotiate in a proc, but the problem is we need to read the subject, which you can only do in "when CLIENTSSL_CLIENTCERT", and we don't know how to do that after an SSL renegotiation. We thought that maybe we could restart the whole iRule again from the proc, but don't know how to do that. Maybe we could call another iRule, but it looks like that is just a proc too, and we can't nest "when CLIENTSSL_CLIENTCERT" in anything. We have asked a TCL guru in our organisation and they are a little stumped too, so any help would be greatly appreciated. As far as we can tell that can't be nested in a proc or any other stanza. Maybe there is a better way, or there is a simple line of code we are missing. Here is our script that does everything we need, but requests human clients using a browser for a client cert.
    when RULE_INIT {
        set static::debug 1
    }
    when CLIENTSSL_CLIENTCERT {
        # Check if client provided a cert
        if { [SSL::cert 0] eq "" } {
            set subject_dn void
            log local0.info "NoCert: $subject_dn"
        } else {
            # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
            set subject_dn [X509::subject [SSL::cert 0]]
            set client_cert [SSL::cert 0]
            set ssl_client_cert_value [X509::whole $client_cert]
            set client_cert_validated 1
            log local0.info "Client Certificate Accepted: [SSL::cert 0]"
            log local0.info "Client Certificate Received: $subject_dn"
            # Check if the client certificate contains the correct O and a CN from the list
        }
    }
    when HTTP_REQUEST {
        set httpUri [HTTP::uri]
        switch -glob [HTTP::uri] {
            "/BlahBlah" -
            "/YadaYada/*" {
                ## This is where we want to renegotiate a new SSL profile and read the client cert
                if { [info exists client_cert_validated] and ([matchclass $subject_dn contains API-CN_List]) } {
                    # Accept the client cert
                    log local0.info "ClientCertAccepted: $subject_dn"
                    return
                } else {
                    log local0.info "nugh 2.1"
                    ### Or here
                }
            }
            "/FreeForAll" -
            "/NoNeedForCertHere" {
                log local0.info "NoCertRequired"
                return
            }
            default {
                log local0.info "NoMatchingPath"
                reject
                return
            }
        }
    }
Creating iRule for Persistence Profile

Dear Community, could you assist me in creating an iRule for a Persistence Profile requirement related to an SSO application? When users access our application via desktop, they are presented with a QR code for scanning through a mobile app to authenticate and gain access. The issue arises when, after browsing the website from the desktop (with the session routed to one node via F5 LTM), another request from the mobile app after scanning the QR code is routed to a different node. Ideally, both requests should be directed to the same node. To resolve this, the iRule needs to compare the var topic parameter with the QR_AUTHENTICATION_CHANNEL_ID from the mobile request and ensure both are directed to the same node. Attached is the screenshot of the code and the HTML code of the website:

    /*<![CDATA[*/
    var endpoint = "\/qr-websocket";
    var topic = "80f95f6f-cecf-4ab6-a70b-1196194e4baa";
    var prefix = "\/qrtopic";
    var stompClient = null;
    $(function () {
        var socket = new SockJS(endpoint);
        stompClient = Stomp.over(socket);
        stompClient.connect({}, function (frame) {
            stompClient.subscribe(prefix + '/' + topic + '/verify', function (result) {
                console.log(result.body);
                let body = JSON.parse(result.body);
                if (body.error) {
                    $("#qrerror").show();
                } else if (body.success) {
                    stompClient.disconnect();
                    $("#qrerror").hide();
                    $("#qrform #token").val(body.token);
                    $("#qrform #deviceId").val(body.deviceId);
                    $("#qrform").submit();
                }
            });
        });
    });
    /*]]>*/

Regards
Omran Mohamed
TCP::collect and large TLS v1.3 client hello packets

Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is that these packets are larger than MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using a TCP profile, for which the iRule parses the SNI name to pass the connection as-is to the correct destination pool. How to reproduce:

    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again
    }

It only ever gets the first ~1352 bytes of the packet; CLIENT_DATA is only called once, and there seems to be no way to get the rest of the packet. If I add a length argument to collect >1500 with "TCP::collect 1600", then it will read the whole ~1800-byte packet in the first CLIENT_DATA. But this will break all connections that send normal small ~500-byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.
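An added example, not code from the post or from F5, that reads the record length from the 5-byte TLS record header and then asks TCP::collect for exactly that many bytes, so a ~1800-byte hybrid Kyber hello is reassembled across segments while a ~500-byte hello already satisfies the check and is not held waiting; be_uint is a hypothetical helper, added on the assumption that BIG-IP's Tcl lacks the unsigned ("cu"/"Su") binary scan formats:

```tcl
# Read an n-byte big-endian unsigned integer at offset off, or -1 if
# the buffer is too short (assumption: no "cu" format, so mask each byte)
proc be_uint {data off n} {
    if { $off < 0 || $off + $n > [string length $data] } { return -1 }
    binary scan $data @${off}c${n} bytes
    set v 0
    foreach b $bytes { set v [expr {($v << 8) | ($b & 0xFF)}] }
    return $v
}
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    set p [TCP::payload]
    set len [TCP::payload length]
    # Wait for the 5-byte TLS record header: type(1) version(2) length(2)
    if { $len < 5 } { TCP::collect ; return }
    if { [call be_uint $p 0 1] != 22 } { TCP::release ; return }
    set need [expr {5 + [call be_uint $p 3 2]}]
    # The record header says how long the ClientHello really is. A ~1800
    # byte hybrid Kyber hello arrives as two segments, so ask for exactly
    # that many bytes; a small hello already satisfies this and falls through
    if { $len < $need } { TCP::collect $need ; return }
    # Walk the ClientHello body: hs type(1) len(3) version(2) random(32)
    set off [expr {43 + 1 + [call be_uint $p 43 1]}]            ;# session id
    set off [expr {$off + 2 + [call be_uint $p $off 2]}]        ;# cipher suites
    set off [expr {$off + 1 + [call be_uint $p $off 1]}]        ;# compression
    set ext_end [expr {$off + 2 + [call be_uint $p $off 2]}]
    incr off 2
    set sni ""
    while { $off + 4 <= $ext_end && $ext_end <= $need } {
        set etype [call be_uint $p $off 2]
        set elen [call be_uint $p [expr {$off + 2}] 2]
        if { $etype == 0 } {
            # server_name: list len(2) name type(1) name len(2) host_name
            set nlen [call be_uint $p [expr {$off + 7}] 2]
            set sni [string range $p [expr {$off + 9}] [expr {$off + 8 + $nlen}]]
            break
        }
        set off [expr {$off + 4 + $elen}]
    }
    if { $sni ne "" } { log local0. "SNI=$sni from [IP::client_addr]" }
    # Pool selection keyed on $sni (data group lookup etc.) goes here
    TCP::release
}
```

The `$ext_end <= $need` guard keeps a malformed extensions length from walking past the bytes actually buffered; anything that is not a handshake record is released untouched.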
iRule - redirection and capturing a string value

Looking for suggestions regarding the capture of a value and injecting it into a new URL / URI (the value below (3745) is dynamic).

https://www.site1.com/aaaa/sc-dsp.jsp?rc=3745&lang=eng

Redirects to:

https://www.site2.com/en/Office?posui=3745
iRule not working for URI Block

I have a virtual server www.xyz.com hosted on LTM for the HTTPS service, and I'm looking to block (403 response) one of the application URIs, which is https://www.xyz.com/MW/entryPoint.htm. I tried the iRule below but it's not working.

    when HTTP_REQUEST {
        if { [HTTP::has_responded] } { return }
        if { [string tolower [HTTP::host]] contains "www.xyz.com" && [string tolower [HTTP::uri]] eq "/MW/entryPoint.htm" } {
            HTTP::respond 403
            return
        }
    }

Any suggestions appreciated. Thanks.
Advice to partial rename uri path

Hi there masters! I would like to ask for advice. Is there a possibility that after I redirect a URL I can partially rename the first two paths in the redirected URI path? So, for example: when a client requests our main page "https://companyA.com/", I will redirect this to a path of "https://companyA.com/room/desktop/r/Home". Then, I will hide or rename the first two paths and this will appear in the client's browser as "https://companyA.com/bed/table/r/Home". The /bed/table URI path segments are strings, not a location or directory. Would this be plausible? I really just want to change their strings. I tried to code it, but only the redirect is successful, not the changing of the names of the two paths:

    when HTTP_REQUEST {
        if { ([HTTP::host] equals "companyA.com" and [HTTP::uri] equals "/") } {
            HTTP::redirect "https://[HTTP::host]/room/desktop/r/Home"
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Location"] } {
            HTTP::header replace "Location" [string map {"/bed/table" "/room/desktop"} [HTTP::header "Location"]]
        }
    }

Can you help me with this? Thanks!

Regards,
Zeig
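An added example, not the post's code, of the alias applied in both directions: requests for /bed/table/... are rewritten to /room/desktop/... before they reach the pool, and any Location header the server sends back is mapped to the alias. HTTP_RESPONSE only sees server responses, so the iRule's own redirect has to name the alias directly:

```tcl
when HTTP_REQUEST {
    # Entry point: send the browser to the public (alias) path
    if { [HTTP::host] equals "companyA.com" && [HTTP::uri] equals "/" } {
        HTTP::redirect "https://[HTTP::host]/bed/table/r/Home"
        return
    }
    # Browser asks for the alias; the server only knows the real path.
    # "/bed/table/" is 11 characters, so keep everything after it.
    if { [HTTP::path] starts_with "/bed/table/" } {
        HTTP::path "/room/desktop/[string range [HTTP::path] 11 end]"
    }
}
when HTTP_RESPONSE {
    # Server-side redirects expose the real path; map it back to the alias
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" [string map {"/room/desktop/" "/bed/table/"} [HTTP::header "Location"]]
    }
}
```

Links embedded in response bodies still carry /room/desktop/ unless they are rewritten as well (for example with a Stream profile), which this example does not do.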