local traffic policies
12 Topics

URL Rewrite using local traffic policy
I am looking to use a local traffic policy instead of an iRule (if possible). We want to rewrite the URI portion of incoming requests as they are presented to the inside web host.
Outside: https://www.domain.com/something/prod/something/something
Inside: https://www.domain.com/something/something
I see the action when creating a policy to REPLACE a portion of the URI. I set it to match "/prod" and replace with "" (blank field). I also tried to match "/something/prod" and replace with "/something". Neither option seems to work. Is this the correct way to handle this? What is the best way to see how it is getting rewritten if you do not have direct access to the web server? Thanks!

LTM policies only work with http profile?
Hi all, Today I found a limit when I needed the following config: A tcp-only service on one VS which listens on any. About 60 tcp-only listener ports which should be load balanced to two backends. We need to monitor each of the tcp ports of the backends, therefore we need about 60 pools for this. I created the following objects:
1 VS ANY TCP listener
60 pools, one for each tcp listener with two backend members
1 LTM policy with 60 rules like the following:

    rule_AQ {
        actions {
            0 {
                forward
                select
                pool /Common/pool_AQ_8137
            }
        }
        conditions {
            0 {
                tcp
                port
                values { 8137 }
            }
        }
    }

When I try to add the LTM policy to the VS I get the error:

    010716d9:3: Virtual server /Common/AQ-domain.com_any requires a profile of type http for ltm policy /Common/pol_AQ_8137.

Since this config would be used as a tcp-only service, I cannot add a http profile to the VS. So are LTM policies only usable for HTTP traffic? Thanks, Peter

Configuring LTM policies with request and response conditions
BIG IP VERSION 13.1.0.6
Afternoon. The following LTM policy exists to insert security headers into responses when missing. The LTM policy is attached to a VS which performs virtual hosting using another LTM policy to switch the back-end pools depending on the incoming header. A new requirement to remove the X-Content-Type-Options nosniff header for specific sites hosted on this virtual server exists and the LTM policy was adjusted as below to include a request condition against the host isnot header; this however has resulted in unexpected behaviour whereby the header is no longer inserted regardless of whatever site is being requested. Any ideas?

    ltm policy pol-tp-http-header-apply-security-controls-inc-exclusions {
        description "Edit headers on response to enable security controls"
        last-modified 2019-01-10:14:09:44
        requires { http }
        rules {
            rl-tp-header-insert-x-content-type-options {
                actions {
                    0 {
                        http-header
                        response
                        insert
                        name X-Content-Type-Options
                        value nosniff
                    }
                }
                conditions {
                    0 {
                        http-host
                        host
                        not
                        values { site1.example.com site2.example.com }
                    }
                    1 {
                        http-header
                        response
                        name X-Content-Type-Options
                        not
                        values { nosniff }
                    }
                }
                description "Insert the x-content-type-options header set to no sniff"
                ordinal 2
            }
        }
    }

Using F5 instead of nginx for reverse proxy
Hello All, We're doing an implementation of a product and the vendor has a deployment guide for using nginx; however, I've been asked to convert the nginx configuration to the F5 instead. I'm not entirely familiar with nginx so I want to make sure that I understand how to do this properly based on the configuration they've given. I've taken parts of the configuration guide they've provided and attached them below as well as my interpretation of the instructions as to how the F5 will handle it. For example, a request to <>/Portal/Guest/Login.htm is sent to the backend as a request for http://<>/Guest/Login.htm. The header "Host: Portal" is added to the backend request replacing the original "Host: www.<>" header. I believe that much of this behaviour is accomplished by default on the F5. For example, converting from https to http can be done with ssl offloading and a client-ssl profile. The forwarding to the internal web server name is simply the way the F5 forwards traffic to the appropriate pool, I think? The part that I'm not sure how best to implement is the removing of /Portal/ from the URI and replacing the host header with Portal (there are also about 10 other applications that I will need to do this for). My initial thought is to use a Policy to match the host header and uri path and rewrite them? For example: Will this work? Or do I need to add more info to remove /Portal/ from the path in the actions section?

Different Applications Sharing IP address and Port in a same server
Hello, I have the following scenario: I have two applications running on a server where they share IP address and port; they are differentiated by the URL only, for example Application 1 URL is: and Application 2 URL is: . The first question is how do I handle this in order to send the traffic of both applications correctly? I know there is a way with traffic policies but it is not clear to me, since there will be only one virtual server created for both applications. The second question is how I can apply different security policies since the ASM module also needs to be installed?

VPN not working when using APM policy via Local Traffic Policy
Hi all, I've got an interesting one and hope that one of you has a clue. Setup:
1. FW translating public address to private address
2. F5 VS with private address, with Local Traffic Policy
3. The LTP is used to forward traffic to about 5 different VS-es, based on the HTTP Host header
4. One of those 2nd-layer VS-es (Standard VS) has an APM policy attached, with RDP & Portal Access objects and Network Access object. (All other VS-es have standard pools attached to them with basic websites)
When a user connects to the websites behind the other VS-es using their respective URLs, all happy and working. When a user connects to the APM VS via a browser, they can log in and the RDP and Portal Access objects work fine. When a user connects to the APM VS via a browser, and logs in but uses the Network Access object, this fails and gives the error message "Failed to download configuration" after a while. When a user connects to the APM VS via the BIG IP VPN client on a laptop, it hangs at "Initializing" and after a long while gives up. When a user connects to the APM VS via the F5 Access mobile client, it hangs at "Connecting". Connecting the APM policy straight to the first/front VS and removing the LTP, everything works. I've even created an LTP with just a one-line rule that forwards all traffic to the APM VS, but still the same behaviour. I'm not using DTLS, it's running v13.1.0.8 and I have been able to replicate it on another system, so it's probably my config that's doing it... Any idea?? I'm stumped... Thanks, Alex

LTM Policy with HTTP_REQUEST and HTTP_PROXY_REQUEST
Hello, I am trying to create an LTM Policy Rule to forward traffic to a different virtual IP with a check on the http host. BIG IP version: 13.1.08. I created a first Policy with two rules: Policy name: TEST2. First Rule to match HTTP PROXY REQUEST. And when attempting to create a second rule to match HTTP REQUEST, the system displays an error message that appears similar to the following example:

    An error occurred: transaction failed:010716e2:3: Policy '//Drafts/', rule ''; an action precedes its conditions.

The same configuration with an iRule works. Thank you for your return. Guillaume

Redirect base on source IP Address for Virtual Server - Local Traffic Policy
Is it possible to have a local traffic policy to redirect traffic based on source ip address? Here's what I've set up but I don't get any hits on the policy:
Policy Name: Redirect-Traffic
Strategy: Execute first matching rule
Rule1
Rule Name: Match-Server1
Match all of the following conditions: TCP address matches any of 10.1.1.1 at request time (apply to traffic on remote side of external interface)
Forward traffic to node 10.2.2.1
Rule2
Rule Name: Match-Server1
Match all of the following conditions: TCP address matches any of 10.1.1.2 at request time (apply to traffic on remote side of external interface)
Forward traffic to node 10.2.2.2
I've generated traffic from both sources but the traffic policy never applies to Rule1. Here's an output of show ltm policy in tmsh:

    -----------------------------------------------------
    | Rule            Action               Invoked  Succeeded
    -----------------------------------------------------
    | Match-Server1   0 [forward select]   0        0
    | Match-Server2   0 [forward select]   118      118

Is the remote side of external interface the source client IP address (cs-client-addr)?

Negating traffic policy rules
Hoping someone can help me out with this. Recently tried deploying a traffic policy to redirect users to https if the URI contains a list of different strings, and to redirect back to http if it does not contain a list of strings. Logic seemed simple. As an example:
HTTP virtual server: if URI path contains login.php, redirect to the same host/URI over https.
HTTPS virtual server: if URI path NEGATE contains login.php, redirect to same host/URI over http.
The contains works great, but the minute I negate the same rule for my https server, I wind up in a redirect loop, so even if my http request is sent I get redirected to http, which in turn redirects me back to https, looping me indefinitely. What I expected to happen was the traffic policy would be evaluated and since I was already using HTTPS and my URI contained login.php, I would not get a 302 redirect. I can get all this to work by changing my negate rule to use STARTS WITH instead of CONTAINS, however this limits me if I need to specify different URI paths that aren't stored at the root of the web server. Has anyone run into this or can someone explain the boolean logic for contains and how it changes when it is negated? It is not working as I would expect. Thanks all, -GR