irule
641 Topics

SNI Sites not taking correct certificate.
I have configured one VIP with two certificates, aks.test.com and aks4.test.com. On the SSL profile for aks.test.com I have enabled the SNI feature, and aks.test.com is working fine and taking the correct certificate (aks.test.com), but aks4.test.com gives a "not secure" error in the browser and takes the certificate of aks.test.com. Could someone please help with what could be the issue in this case?

Persistent hash iRule
Hi All, I have a question regarding the persistent hash iRule. Two pool members are configured as round robin. Sessions have been concentrated on one pool member since we added the persistent hash iRule below to the virtual server. There are two client IPs in total, and they have not changed since the iRule was applied. What is the reason? Please help me. <Pool member#1 connection> <Pool member#2 connection> Thanks.

iRule to count how often the node is down
Hello, I want to monitor the nodes in the pool and, if a node/service goes down three times within five minutes, automatically take it offline and send an email notification. Could you help me determine how to track the number of times a node/service goes down within that five-minute window? Thank you!

Editing iRule for Maintenance Page with image local in F5 BIG-IP iFile
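One way to keep the count the post asks for, as an added example that is not part of the original post: the session table holds a per-member failure counter whose lifetime is the window, and the member is forced down on the third hit. LB_FAILED fires when a connection to the selected member fails, not when a health monitor marks it down, and an iRule cannot send e-mail itself, so the alert is emitted as a log line for the syslog or HSL pipeline to pick up. The 300 s window, the threshold of 3 and the subtable name "lbfail" are assumptions.

```tcl
# Added example, not the poster's iRule. Counts connection failures per pool
# member inside a fixed 5-minute window and marks the member down after the
# third one. Values 300, 3 and the subtable name "lbfail" are hypothetical.

when LB_FAILED {
    set member "[LB::server addr]:[LB::server port]"

    # table incr creates the entry on first use and returns the new value.
    set failures [table incr -subtable "lbfail" $member]

    # Lifetime expires the entry 300 s after creation regardless of later
    # hits, so the window is fixed rather than sliding. Set it only once.
    if { $failures == 1 } {
        table lifetime -subtable "lbfail" $member 300
    }

    log local0. "LB_FAILED for $member in pool [LB::server pool]: failure $failures in window"

    if { $failures >= 3 } {
        # Stop sending new connections to this member. A health monitor (or an
        # administrator) has to bring it back; the iRule does not re-enable it.
        LB::down
        log local0.alert "ALERT: $member marked down after $failures failures within 300s"
        table delete -subtable "lbfail" $member
    }

    # Give the current connection another chance on a different member.
    LB::reselect
}
```

To turn the alert line into mail, send it with HSL::send to a remote log destination or let the BIG-IP syslog/SNMP alerting pick up the "ALERT:" string; an iRule has no mail transport of its own.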
Dear Community, I hope this message finds you well. I am reaching out to request your assistance in editing the iRule to redirect users to a maintenance page when all nodes are down. While the iRule is currently functioning as intended, I would like to incorporate images that represent our organization and application for users. I have successfully uploaded the images to F5 using iFile; however, I am uncertain about how to reference these images within the HTML code of the iRule. Attached below, you will find a screenshot of the current page and a visual representation of the desired maintenance page. The code below:
===================================================================================
when HTTP_REQUEST {
    # Serve the logo iFiles before the all-members-down check. With the image
    # branch in the else part, as originally written, the browser's requests
    # for /iFiles/... also hit the 503 branch once the pool is empty and get
    # the HTML page back instead of PNG data, so the logos never render.
    switch [HTTP::uri] {
        "/iFiles/Blackboard-LOGO" {
            HTTP::respond 200 content [ifile get "Blackboard-LOGO"] "Content-Type" "image/png"
            return
        }
        "/iFiles/PSAU-LOGO" {
            HTTP::respond 200 content [ifile get "PSAU-LOGO"] "Content-Type" "image/png"
            return
        }
    }

    if { [active_members [LB::server pool]] == 0 } {
        HTTP::respond 503 content "
<!DOCTYPE html>
<html lang='en'>
<head>
  <meta charset='UTF-8'>
  <meta name='viewport' content='width=device-width, initial-scale=1.0'>
  <title>Maintenance Page</title>
  <style>
    body { font-family: Arial, sans-serif; background-color: #f4f4f4; color: rgb(27, 131, 111);
           display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; text-align: center; }
    .container { background: white; padding: 20px; border-radius: 8px; box-shadow: 0 2px 10px rgba(0, 0, 0, 0.1); }
    h1 { font-size: 2em; margin: 0; }
    p { font-size: 1.2em; }
    .logos { margin-bottom: 20px; }
    .logos img { height: 150px; margin: 0 15px; }
    .gear-icon { font-size: 3em; color: rgb(27, 131, 111); }
    @media (max-width: 600px) { h1 { font-size: 1.5em; } p { font-size: 1em; } }
  </style>
</head>
<body>
  <div class='container'>
    <div class='logos'>
      <img src='/iFiles/Blackboard-LOGO' alt='Blackboard Logo'>
      <img src='/iFiles/PSAU-LOGO' alt='PSAU Logo'>
    </div>
    <h1>We'll be back soon!</h1>
    <p>Our website is currently undergoing maintenance. We are working hard to improve your experience. Stay tuned!</p>
    <p>The site is currently under maintenance. We are working hard to improve the user experience. Stay tuned!</p>
    <div class='gear-icon'>⚙️</div>
  </div>
</body>
</html>
" "Content-Type" "text/html"
    }
}
=================================================================================
Thank you in advance for your support. Regards, Omran Mohamed

Possible to combine multiple DataGroupLists for IP-Check?
Hello F5 Community, I am working on an iRule to check two data group lists and a country, but I am not sure if this is possible the way I want to implement it. It should check if the IP is in list1 or list2 or is part of FR or US; if true it should allow the traffic, otherwise it should be dropped. My question would be: is it possible to check against two data group lists, like I did in my iRule example, or should I avoid this?

when HTTP_REQUEST {
    # Strip any route-domain suffix (%n) before matching.
    set client_ip [getfield [IP::client_addr] "%" 1]
    set from_country [whereis $client_ip country]
    # Allow if the address is in either address data group or the
    # geolocation lookup says FR or US; otherwise drop the request.
    if { not ([class match $client_ip equals /Common/list1] ||
              [class match $client_ip equals /Common/list2] ||
              $from_country eq "FR" ||
              $from_country eq "US") } {
        drop
    }
    switch -glob -- [string tolower [HTTP::path]] {
        default { pool /Common/pool1 }
    }
}

Thank you. (Solved)

iRule URI Matching Not Working as expected.
We have a virtual server that has these three requirements: mTLS negotiation, match start of URI, match CN of certificate. Note: the virtual server where this iRule is applied does not have a pool configured, as I learned that the 'reject' command doesn't necessarily do what I thought it did. Testing has proven mTLS works and I think the CN validation does too. The problem is with URI matching. Using Postman, we've found that using a bogus URI fails indefinitely until a valid URI is accessed by the same source. After that, the bogus URI works too. We just found this so haven't done extensive testing. Below is a simplified version of the iRule and this is the sequence of events:

https://virtualserver/bogus - fails
https://virtualserver/uri-a-yaddi-yaddi - works
https://virtualserver/bogus - This works! I don't know why!!!

Note: not sure the bogus URI has to be used first, but that's what the tester reported.

when CLIENTSSL_CLIENTCERT {
    set subject_dn [X509::subject [SSL::cert 0]]
}

when HTTP_REQUEST {
    # If the client sent no certificate the variable was never set; treat
    # that as an empty subject so the checks below fail closed.
    if { ![info exists subject_dn] } { set subject_dn "" }

    if { [HTTP::uri] starts_with "/uri-a" } {
        if { $subject_dn contains "mauth-a" } {
            pool serverpool-a-443
        } else {
            reject
        }
    } elseif { [HTTP::uri] starts_with "/uri-b" } {
        if { $subject_dn contains "mauth-b" } {
            pool serverpool-b-443
        } else {
            reject
        }
    } else {
        # The original had no default branch. Once an earlier request on the
        # same keep-alive connection has selected a pool, a later request that
        # matches neither prefix makes no new selection and is simply sent on
        # the existing server-side connection, which is the "bogus URI works
        # after a valid one" behaviour described above.
        reject
    }
}

The bogus URL does get rejected by the server, but it should not have made it there to begin with. I'm no expert on iRules, so I thought I'd post this before searching for a solution. If you happen to know what the problem is I'd be happy to save the time. Also, I'm guessing there may be a better way to do this iRule, but it was created by a consultant and thought to be working properly until today. Thanks! (Solved)

Extract SSL extension from client hello
Hi, I need support to extract the SSL extension field name = DATA from the client hello and then insert it into the client application packet. Please let me know how to accomplish this using an iRule. Sample client hello packet capture:

Extension: Unknown type 1000 (len=14)
Type: Unknown (1000)
Length: 14
DATA: 111112345899887422252

establish a sideband connection to an HTTPS destination using the connect command
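The extraction described above, as an added example that is not from this post or the SNI post earlier on the page: CLIENTSSL_CLIENTHELLO runs before the handshake completes, which is where the ClientHello extensions are readable, and SSL::extensions -type returns the raw extension including its 4-byte header (2-byte type, 2-byte length), so the payload is pulled out with binary scan. The same call with type 0 logs the SNI the client actually sent, which is the first thing to check for the aks4.test.com certificate question. The header name X-Client-Ext-1000 and the decision to carry the payload as an HTTP header are assumptions.

```tcl
# Added example, not from either post. Reads custom extension 1000 (and SNI,
# type 0, as a diagnostic) from the ClientHello and inserts the payload into
# the decrypted HTTP request. Header name X-Client-Ext-1000 is hypothetical.

when CLIENTSSL_CLIENTHELLO {
    set ext_data ""
    set sni ""

    # Extension 1000 from the capture: type(2) len(2) payload(len), big-endian.
    if { [SSL::extensions exists -type 1000] } {
        binary scan [SSL::extensions -type 1000] SSa* ext_type ext_len ext_data
        # "S" yields a signed 16-bit value; mask before comparing.
        set ext_type [expr {$ext_type & 0xFFFF}]
        if { $ext_type != 1000 || [string length $ext_data] != $ext_len } {
            log local0. "extension 1000 malformed (type $ext_type, len $ext_len, got [string length $ext_data])"
            set ext_data ""
        }
    }

    # SNI: type(2) len(2) list_len(2) name_type(1) name_len(2) = 9 bytes of
    # headers precede the host name, hence the @9 offset.
    if { [SSL::extensions exists -type 0] } {
        binary scan [SSL::extensions -type 0] @9A* sni
        log local0. "ClientHello SNI: '$sni' from [IP::client_addr]"
    } else {
        log local0. "ClientHello without SNI from [IP::client_addr]"
    }
}

when HTTP_REQUEST {
    # Only insert if the handshake event set the variable and the payload is
    # printable ASCII, so binary data cannot break the header line.
    if { [info exists ext_data] && $ext_data ne "" && [regexp {^[\x20-\x7e]+$} $ext_data] } {
        HTTP::header insert "X-Client-Ext-1000" $ext_data
    }
}
```

This assumes an HTTP profile on the virtual server; for a non-HTTP application the payload would have to be written into the client stream with a TCP-level event instead of HTTP::header. For the SNI post, a logged SNI of aks4.test.com alongside the wrong certificate points at the profile configuration (the server name on the second SSL profile and the default SNI profile) rather than at the client.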
Hi, I have an iRule that establishes a sideband connection to an HTTP destination. I need to change it to an HTTPS connection with SSL. I tried this command, but it is not accepted because of the -ssl argument:

when ACCESS_POLICY_AGENT_EVENT {
    set conn [connect -ssl [name of SSL client profile] -status conn_status 10.5.12.181:443]
}

Does somebody have an idea how I should do it?

iRule to Force Source IP to Specific Backend Node
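The usual way to get TLS on a sideband connection, as an added example that is not the poster's iRule: connect has no -ssl option, but its destination may be a virtual server, so the sideband is pointed at a second virtual server that carries a Server SSL profile and lets TMM do the TLS to the real destination. Assumed objects: the virtual server /Common/vs_sideband_https (with a Server SSL profile and 10.5.12.181:443 as its destination), the agent ID sideband_check, the path /check and the session variable names; all are hypothetical.

```tcl
# Added example, not the poster's iRule. Sideband HTTPS via an internal
# virtual server that has a Server SSL profile. The virtual server name,
# agent ID, path and session variable names are hypothetical.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "sideband_check" } { return }

    set conn [connect -timeout 1000 -idle 30 -status conn_status /Common/vs_sideband_https]
    if { $conn eq "" } {
        log local0. "sideband connect failed: $conn_status"
        ACCESS::session data set "session.custom.sideband.code" "connect-failed"
        return
    }

    # Connection: close makes the peer end the stream when the response is
    # complete, so the read loop below has a natural end.
    set req "GET /check HTTP/1.1\r\nHost: 10.5.12.181\r\nConnection: close\r\n\r\n"
    set sent [send -timeout 1000 -status send_status $conn $req]
    if { $sent != [string length $req] } {
        log local0. "sideband send incomplete ($sent bytes): $send_status"
        close $conn
        return
    }

    # recv returns an empty string on close or timeout; cap the iterations so
    # a misbehaving peer cannot keep the event running.
    set resp ""
    for { set i 0 } { $i < 20 } { incr i } {
        set chunk [recv -timeout 1000 -status recv_status $conn]
        if { $chunk eq "" } { break }
        append resp $chunk
    }
    close $conn

    # Status line is the first line, e.g. "HTTP/1.1 200 OK".
    set status_line [string trim [lindex [split $resp "\n"] 0]]
    set code [lindex [split $status_line " "] 1]
    if { $code eq "" } { set code "no-response" }

    ACCESS::session data set "session.custom.sideband.code" $code
    log local0. "sideband /check returned $code"
}
```

The access policy then branches on session.custom.sideband.code. Because the TLS is terminated by the sideband virtual server's Server SSL profile, server certificate verification is configured there, not in the iRule.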
Hi everyone, I hope someone could help me with this kind of setup. We need an iRule to force specific IPs to connect to a specific backend server of the VS. Please see the flow below.

Client (1.1.1.1) when connecting to VS1: traffic should go to Node1
Client (2.2.2.2) when connecting to VS1: traffic should go to Node2

I saw this discussion but I think there's something to add? Instead of deny. Thank you so much. https://community.f5.com/discussions/technicalforum/f5-whitelisting-allowing-a-specific-range-of-traffic-to-vs/195967 (Solved)

Custom Attack Signature for Accept Header
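One way to pin a source address to a pool member, as an added example that is not the poster's iRule and not the linked discussion's: the client address is matched in CLIENT_ACCEPTED and the connection is sent to a named member of the virtual server's pool, so the member's monitor status is still honoured (the node command would bypass the pool entirely). Everyone else gets the normal load balancing. The pool /Common/pool_vs1, the member addresses 10.10.10.11:80 (Node1) and 10.10.10.12:80 (Node2), and the address data group /Common/dg_client_to_member are assumptions.

```tcl
# Added example, not the poster's iRule. Pins specific client IPs to specific
# pool members; other clients load-balance normally. Pool name, member
# addresses and the data group name are hypothetical. The data group is an
# address-type group whose value is "member-ip member-port".

when CLIENT_ACCEPTED {
    # Strip a route-domain suffix (%n) so the keys below stay plain addresses.
    set client_ip [getfield [IP::client_addr] "%" 1]

    # Static form for the two hosts in the question.
    switch -- $client_ip {
        "1.1.1.1" {
            pool /Common/pool_vs1 member 10.10.10.11 80
            return
        }
        "2.2.2.2" {
            pool /Common/pool_vs1 member 10.10.10.12 80
            return
        }
    }

    # Data-group form, so the mapping can grow without editing the iRule.
    set target [class match -value -- $client_ip equals /Common/dg_client_to_member]
    if { $target ne "" } {
        set m_ip   [lindex $target 0]
        set m_port [lindex $target 1]
        # Only pin to the member while its monitor says it is up; otherwise
        # fall through to normal load balancing instead of failing the client.
        if { [LB::status pool /Common/pool_vs1 member $m_ip $m_port] eq "up" } {
            pool /Common/pool_vs1 member $m_ip $m_port
            return
        }
        log local0. "pinned member $m_ip:$m_port for $client_ip is not up, load balancing instead"
    }

    # Everyone else: the pool's configured load-balancing method.
    pool /Common/pool_vs1
}
```

If the pinned member must never be substituted (for example because the client has state on that host), replace the fall-through with reject and log the event; that is the only difference from the whitelist-style iRule in the linked thread, which denies unmatched clients rather than routing them.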
Hi guys, in the past I worked on an iRule to block specific Accept header patterns, and it was working fine. Now that we have WAF in place, I was wondering if this is something I could achieve using custom signatures instead. The idea is:

text/html,application/xhtml+xml,application/xml, - Block
text/html,application/xhtml+xml,application/xml - Allow
text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Allow
text/html,application/xhtml+xml,application/xml,text/xml - Allow

And similar scenarios with other Accept headers. Is this possible to achieve with F5 WAF, and if so, could anyone provide guidance on how to configure this properly? I am currently using the following custom signature in the lab:

regex: re2:"/text\/html,application\/xhtml\+xml,application\/xml,/H"; nocase;

This works well to block text/html,application/xhtml+xml,application/xml, but the signature also triggers in cases 3 and 4, which I want to avoid. Any suggestions or guidance would be appreciated. Thanks.