irule
633 Topics

iRule to Force Source IP to Specific Backend Node
Hi everyone, Hope someone could help me with this kind of setup. We need an iRule to force specific IPs to connect on specific backend server of the VS. Please see flow below.

Client (1.1.1.1) when connecting to VS1 traffic should go to Node1
Client (2.2.2.2) when connecting to VS1 traffic should go to Node2

I saw this discussion but I think there's something to add? Instead of deny. Thank you so much.
https://community.f5.com/discussions/technicalforum/f5-whitelisting-allowing-a-specific-range-of-traffic-to-vs/195967

Solved | 85 Views | 0 likes | 4 Comments

Custom Attack Signature for Accept Header
Hi Guys, In the past, I worked on an iRule to block specific Accept header patterns, and it was working fine. Now that we have WAF in place, I was wondering if this is something I could achieve using custom signatures instead. The idea is:

1. text/html,application/xhtml+xml,application/xml, - Block
2. text/html,application/xhtml+xml,application/xml - Allow
3. text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Allow
4. text/html,application/xhtml+xml,application/xml,text/xml - Allow

And similar scenarios with other Accept headers. Is this possible to achieve with F5 WAF, and if so, could anyone provide guidance on how to configure this properly? I am currently using in the lab the following custom signature:

    regex: re2:"/text\/html,application\/xhtml\+xml,application\/xml,/H"; nocase;

This works well to block text/html,application/xhtml+xml,application/xml, but the signature also triggers in the cases of 3 and 4, which I want to avoid. Any suggestions or guidance would be appreciated. Thnx.

58 Views | 0 likes | 0 Comments

HSTS is not working.
Hi there, We have one iRule configured on the VIP which redirects to a maintenance page if the user accesses the wrong URL. On that page HSTS is not working, but if we access the right URL then HSTS is working. We have enabled HSTS in the HTTP profile and that is attached to the same VIP with the iRule. Is there any way to enable HSTS on the maintenance page or any remediation to fix that issue?

    if { $DEBUG } { log local0. "TEST - Source IP address: [IP::client_addr]" }
    switch -glob $uri_ext {
        "/httpfoo*" {set uri_int [string map {"/httpfoo" "/adapter_plain"} $uri_ext]}
        "/httptest*" {set uri_int [string map {"/httptest" "/adapter_plain"} $uri_ext]}
        default {
            HTTP::respond 200 content [ifile get ifile_service_unavailable_html]
            set OK 0
        }
    }

Many thanks in advance.

Solved | 112 Views | 0 likes | 1 Comment

Connecting a AWS Cloudfront Distribution Pool/Node to an F5 iApp
Hi there, I was wondering if I could get some advice on connecting up AWS Cloudfront Distribution Pool/Node to an F5 iApp. The iApp in question has a default pool of on premises servers but we have a requirement in that for a specific URL path then we instead forward onto a AWS Cloudfront distribution. The below is a snippet from the iRule we currently have configured:

    when CLIENT_ACCEPTED {
        SSL::disable serverside
    }
    when HTTP_REQUEST {
        if {([HTTP::uri] starts_with "/falc/")} {
            SSL::enable serverside
            HTTP::header replace Host "d2s8lx2sdbghef.cloudfront.net"
            pool d2s8lx2sdbghef.cloudfront.net
        }
    }

The pool and the FQDN node are showing green which means F5 can resolve the addresses. However when we attempt to go to a URL which starts with the prefix above, instead of being directed to the Cloudfront distribution (and the S3 content behind) we instead get the following:

Check and the distribution has redirect HTTP to HTTPS configured on the behaviour and we are attempting to replace the Host with the matching distribution. I was wondering if this has been encountered by anyone before, if anyone has attempted anything similar and if able to get it working how that was achieved. Thank you in advance of any assistance that may provide.

30 Views | 0 likes | 0 Comments

iRule URI rewrites don't always use the correct pool
Hello F5 community! I have created an iRule for specific URI rewrites, but it seems that the requests are not getting directed always to the proper pool. Example: We want www.example.com/api/views to use the 9231 pool. However some requests are ending up to different pools as well, even though the rewrite is correct. I have attached the traffic logs and the irule configuration as well. I'd appreciate your feedback! Thank you in advance. Nikos

Solved | 81 Views | 0 likes | 6 Comments

Need iRule to block the traffic for specific URL
Hello, Can somebody help on this please? I have an LTM appliance & Virtual server 'https://www100.test.com' hosted. The requirement I have is to block all the traffic destined to one of the applications, 'https://www100.test.com/ce' - is this something achievable by iRule? If so, do you have any idea on the iRule? Would appreciate if somebody can help. Have seen this - https://support.f5.com/csp/article/K74012450 but that is looking too complex to me. Thanks

2.2K Views | 0 likes | 6 Comments

Irule to allow specific IPs
I have a site which is abc.com. Trying to achieve below requirements-

1) If uri is / it should redirect to abc.com/xyz - open for all
2) If uri is /rdp_xyz_tshoot should accessible to internal network - (here we can use the datagroup list)

As this site is migrated to akamai where they have requirement to use below irule-

    when HTTP_REQUEST {
        if { [HTTP::header exists True-Client-IP] } {
            set trueclientip [HTTP::header True-Client-IP]
            HTTP::header replace X-Forwarded-For $trueclientip
        }
    }

Cause for above akamai irule= Normally the True-Client-IP header includes the real IP of the clients when requests are coming from Akamai. It will be unaffected and be sent as part of the request to the pool member. So, your backend servers could look for that header and do something with its value. However, if you want the F5 to translate it to the X-Forwarded-For header, you can use an iRule to convert the Akamai True-Client-IP header to the X-Forwarded-For header.

we are trying with below irule which is not working-

    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/rdp_xyz_tshoot") && (not[class match [IP::client_addr] equals allowed_IPs])} {
            reject
        }
        if { [HTTP::uri] == "/" } {
            HTTP::redirect "https://[HTTP::host]/abc_login.jsp"
        }
    }

Please help

44 Views | 0 likes | 2 Comments

F5 Next - how to reference irule procedures
Hi, Anyone figured how references work for irule objects with the call command? And if it is possible, do I need to assign it to the vs? This is my stack: I managed to use the call command to a proc within the same irule but I haven't found a way how to reference proclibrary (irule) from my_irule.
https://clouddocs.f5.com/bigip-next/20-2-0/irules/bigipn_object_naming_irule.html

    {
      "_embedded": {
        "stacks": [
          {
            "_links": {
              "self": "/applications/a95e7451-d077-4ec3-a9c1-d0f3bea7f615/stacks/e87175a1-34f3-43d2-b52a-7b7466ed8851"
            },
            "clientSide": {
              "l4ClientSide": "default:service_2:vs",
              "persistence": {
                "cookieMethod": {
                  "method": "COOKIE_INSERT_METHOD"
                },
                "template": "COOKIE_TEMPLATE"
              }
            },
            "enabled": true,
            "id": "e87175a1-34f3-43d2-b52a-7b7466ed8851",
            "irules": [
              {
                "description": "default:service_2:proclibrary",
                "rule": "when RULE_INIT {\nlog local0. \"proclib started\"\n}\nproc responder {} {\n HTTP::respond 200 content {hell from proc}\n}"
              },
              {
                "description": "default:service_2:my_irule",
                "rule": "proc test {} {\nHTTP::respond 200 content [virtual name]\n}\nwhen HTTP_REQUEST {\nset vs_name [virtual name]\nlog local0. \"hello there\"\ncall /app/default:service_2/proclibrary::responder\n\n}"
              }
            ],
            "name": "vs",
            "serverSide": {
              "l4ServerSide": "default:service_2:vs"
            },
            "stackType": "HttpAdvancedProxy"
          }
        ]
      },
      "_links": {
        "self": "/applications/a95e7451-d077-4ec3-a9c1-d0f3bea7f615/stacks?"
      },
      "count": 1,
      "total": 1
    }

60 Views | 0 likes | 1 Comment

iRule for X509 Subject
I have an iRule that is working and inserts a certificate DN into a header. In the header the cert DN is inserted as:

    x-ssl-client-dn: C=<country >, O=<Org>, OU=<OU>, CN=<User name>

The application owner wants it changed to the following:

    x-ssl-client-dn: CN=<User Name> , OU=<OU> , O=<Org> , C= <Country>

How can this be reversed?

71 Views | 0 likes | 1 Comment