Access Page without resetting the session timer
I'm asking this question with the assumption that F5 is storing some kind of session timer, and resetting it each time the user makes an HTTP request. My application will have it's own session timer, set to be shorter than the F5. This is so I can pause their input progress in a friendly way to tell them they need to reauthenticate before F5's session ends and possibly makes them lose progress on their work. Our server will the the authoritative source of the users session time. The front end javascript will callback to an API on the server to resynchronize it's session time with the server. It will do this on an interval. Based on my assumptions, each one of those synchronize requests would cause the F5 session timer to reset. Since this requested is an automated process and not triggered by a user request, that session timer resetting is an undesirable side effect. Long explanation for a short question: How can I make my resynchronize calls to the server without causing the F5 to reset it's session time. Ideally these requests would still have the users EDIPI in the header. Is this possible?
No CAPTCHA - URL is not yet qualified for challenge injection
Hi, I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when theURL is not yet qualified for challenge injection, but the help also provides no details how to correct this. Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx Thank you
What causes the TSbd/TSbp script to be inserted into the source code of a website?
In the source code of the website I work on I see that the script below is being inserted. <script type="text/javascript"> //<![CDATA[ window["_tsbp_"] = { ba : "X-TS-BP-Action", bh : "X-TS-AJAX-Request"}; //]]> </script><script type="text/javascript" src="/TSbd/08300f25d2ab20002940ca95b1a84050e4ba6d156f677a6f2819bde419b59b20e8b36a05eca4b390?type=2"></script> As we have AMP pages on our website which doesn't allow any custom JavaScript we would like to not get this script inserted. However, we are having some problems indentifying what exactly is causing this script to be inserted. We do run the WAF on our F5 and I suspect it's the culprit but I have been unable to confirm this. Also, I've been moving around some elements in the <head> tags and when I specifically move our scripts down to the bottom the TSbd/TSbp script is no longer being inserted. What I would like to know is what triggers the TSbd/TSbp script to be inserted. I am starting to think something on the F5 looks at the first X bytes of the page and then decides whether or not to insert the script. I would also like to know if there is more information about this topic available as I've not been able to find a lot. Maybe I am just not searching for the correct thing.
javascript fails with var is undefined
We use F5 with several upstream servers without SSL termination, and after our application update we faced some strange issues with undefined variables and pending xhr requests. Is there some advices for configuring F5 for slow and big server responses, does tcp-lan-optimized profile suitable for it?
SEC7111 HTTP Security Compromised Generated by a JavaScript.
Hey everyone! I just ran into an issue that I haven't seen before. Let me give you some background: We have a backend web application running only on port 80 and publish this through a standard HTTPS virtual server using only a Client SSL Profile. We have also a HTTP to HTTPS VS to make sure we access the site over HTTPS. Everything is working great except for a specific function on the site. The application is used to handle internal billing and once you are done with entering your details, you can print a report. When working correctly, this should open up the report as a PDF file in a new window. This is when things go south. Apparently there is a JavaScript that helps creating this PDF file. First we get the "Internet Explorer is not showing all of the content". When accepting that we get nothing. When checking the debugging you find this: The JavaScript is generating a URL of http:// when we have an active session running on https:// and security is being jeopardized. When going to the exact URL that reports the error but changing it to https:// it works straight away. So I know what the problem is but I have no idea how to fix it. Long term would be to turn on HTTPS on the back-end server but that will take some time and we need a fix for this quite fast since they cannot print out these reports if they are not in the local office, connecting to the server directly. I tried searching through the JavaScript to see if I can find where it actually uses http:// and just using a Stream Profile change it but I have not found anything. I also tried to add a Stream Profile changing Source: http://[URL] to Target: https://[URL] but that bricked the site. Since the problem is the JavaScript, the browser won't even send the request to the F5. If it were to send the request to the F5 it would hit the iRule and get redirected to HTTPS. Do you guys have any idea?
Feedback requested - WebUI Tweaks Script
Hi! I've added a function to the WebUI script which parses the LTM log and adds a top row with some statistics. Here's an example of what it may look like: Any ideas about what you would appreciate to see in this summary except for the things above? Suggestions are very welcome! Things already on the to-do list are: Expired certificates CPU usage Memory usage Disk usage If you want to see more features or/and try out the script you can find it here: https://devcentral.f5.com/codeshare/webui-tweaks-v12-1109 /PatrikWeb UI Tweaks for version 12
Hi! I've just released the new Web UI Tweaks for v12 in case someone want's to try: https://devcentral.f5.com/codeshare/webui-tweaks-v12-1109 Feedback very much welcome! Here's a list of what it does: Pool improvements Pool list member statuses When the pools contains one available member the status is still green today. This script shows you icons depending on what different statuses a pool contains. If all members are disabled, the color is black. If the pool contains both available and members being down, the circle is half green, half red. Pool details on mouse over Hovering the mouse over a status icon shows the member details: Custom loading screen Got a big partition so the statuses takes a while to load? No problem, the script will let you know when it's finished. Default options when creating a pool Pool name suffix, action on service down, load balancing method, and select node node instead of creating a new one can be pre-populated for you by editing the configuration. Automatically generated monitor tests Test strings for browser, curl and netcat commands are generated automatically for http monitors. iRule improvements Detecting data group lists The when editing an iRule the script will detect the used data group lists and show them on the left hand side. Hovering the mouse over a data group list name will show it's content. Clicking on it will take you to that data group lists configuration form. Data group list improvements No more accidentally deleting data group list records If you use data group lists as much as we do there's a chance that you have encountered this scenario. You need to edit a record, so you click on the "Edit" button, change the entries and then click on update. Ooops, now that record was deleted. Instead, the script would disable the edit button after clicking on it. It won't be enabled again until either after you click add, or when you clear the text in the input fields. Bulk import The script allows you to do bulk edits to your data group lists. Merge the lists: Takes all the records in the import text area, compares them to the active list and imports the records that does not have duplicate keys. This means that if "apple" := "banana" exists in the active list and the import list has "apple" := "banana", then "apple" := "banana" won't be imported. Replace the current list: Takes all the records in the import text area and replaces the active list. Duplicate records are ignored like with "Merge the lists". Edit active list: Moves all the records from the active list to the import list. Client SSL Profile improvements Automatically match SSL Client profile name, certificate and key When creating an SSL profile the script will attempt to find a matching certificate and key according to the name of the profile. So when you click on on the add button in the Client SSL Profile form you'd get everything automatically populated for you (providing that you have configured the default chain in the script). SSL CSR improvements Pre-populated profiles for creating certificate signing requests. Other small things Larger select fields when ie. choosing monitors, editing data group lists. Mark objects in the current partition with bold text to distinguish them from the common partition. Adds a link to the default pool in the virtual server resources configuration page. (Patrik
F5 APM Login Page Reload Attempts Username Evaluation
I am working on a tricky F5 Issue. While trying to port a custom HTML page from Microsoft TMG to F5 BIG-IP APM, I have come across a behavior on the F5 that I would like to mitigate. This particular custom HTML page requires that there is a link that inserts a cookie and reloads the page. This function happens in JavaScript. When the page reloads the F5 logs and entry for Username ''. After 3 reloads APM reaches Max Failed Login Attempts and displays "Your session could not be established." The first question I have is why is authentication attempted before the Form Submit button is pressed? JavaScript, Cookie, Page Reload: When the link is pressed a cookie is inserted and the page a location.reload() is invoked. Cookie Evaluation: The presence of the cookie loads an alternate CSS file, and the location.reload() allows the page to load with the new CSS file. This allows for a different logo and color scheme to be applied. When the link is pressed a 2nd time, the cookie is removed, the page is reloaded, and the default CSS file is applied. Is it possible to prevent the F5 from evaluating form data when the page is reloaded? Would it be possible to redirect the user back to the login page and reset the number of login attempts?
APM Disable JavaScript Patching
I want to disable JavaScript Patching from a portal access resource. The web site contains JavaScripts using AJAX (There are no links content in JavaScript code). The web site should fully function after disabling JavaScript Patching. I know that there is a need to enable JavaScript Patching for some of the links (XMLHttpRequests,*.JS) How can I know which links I need to patch ? Many Thanks for answer !
