HTTPS passthrough for a single domain name
Hi Everyone, I have 1x HTTPS virtual server hosting multiple applications/ domain names (e.g. X.com, Y.com, Z.com, etc.) it is configured with SSL Bridging mode (both VS and pool members are 443). My question is if I want a specific domain nameY.comto be handled as SSL passthrough wherecertificate is terminated on the backend servers. Meaning if domain name isY.comthe traffic will not be inspected, and HTTP, clientssl, and serverssl profiles must disable in this case. Not sure if this could be implemented, but any idea would be highly appreciated. Thank you.
Local Traffic Policy to Redirect Based on Hostname
Hello Community, I hope someone can point me in the right direction. We are in the process of migrating our web applications to a new portal system. I need to redirect the client to the new URL, but I don't want the client to see the redirection. I think this is similar to the ProxyPass iRule, but I would like to do this through traffic policies instead of an iRule. Here is an example of the application I am trying to redirect. https://application-a.domain.com/ -> https://portal.internal.domain.local/application-a I have a traffic policy to rewrite the hostname and URI path that seems to be working correctly, but the server returns a 302 redirection to https://portal.internal.domain.local/application-a. I've been banging my head against a wall trying to figure out how to replace https://portal.internal.domain.local/application-a with https://application-a.domain.com/. I've tried adding a rule to replace portal.internal.domain.local with application-a.domain.com in the HTTP header Location path, but that does not seem to do anything. Here is the full policy... ltm policy /Common/Test_Policy { requires { http } rules { Test_Rule1 { actions { 0 { http-host replace value portal.internal.domain.local } 1 { http-uri replace path "tcl:[string map { / /application-a/ } [HTTP::uri]]" } 2 { http-header response replace name Location value "[string map {portal.internal.domain.local application-a.domain.com} [HTTP::header Location]]" } } conditions { 0 { http-host host values { application-a.domain.com } } } } } strategy /Common/first-match } And here is the client side redirect from Wireshark. HTTP/1.1 302 Found Date: Thu, 03 Sep 2020 13:50:48 GMT Server: Apache/2.4.38 (Debian) Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-XSS-Protection: 1; mode=block X-Powered-By: PHP/7.3.18 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-cGxGUVVWczZMM3E2S0pScEh0V0dmeDd4cHVVU2QrbjhZUjREaXAvWTlMWT06alFBWkN6RVBXQVA0WXRVZFNKdjBWRk9UbHRVblQ2YVpOMnhBd3ZYeng1az0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self'; Location: https://portal.internal.domain.local/application-a/index.php/login Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Thanks for any assistance. Brian Burns
Rewrite profile - any better way?
Hi, I wonder is there is any simpler way to achieve something described below: Scenario: Single VS - IP mapped to few external FQDNs Each external FQDN maps to virtual host on the same backend server (so traffic accepted only if there is Host header match in request send from BIG-IP to backend) There is possibility that some links returned from backend (in content) are not relative and can use backend srv FQDN. Setup: Local Traffic Policy forwarding traffic to appropriate pool based on host header in request from client - sure it could be one pool but because FQDN nodes has to be used I guess separate pools are needed - or not? Then Rewrite profile with URI rules for each ext FQDN to int FQDN with Rewrite Header, Rewrite content set, like * -> * -> * -> * and so on When redirect from http to https (send from backend) is needed then another Rewrite profile is necessary for HTTPS VS: * -> * -> * -> * and so on It is working OK but requires plenty of objects to be configured, everything has to be entered by hand, in few places and cause a lot of work and possibility to make mistake :-( Is there any other way (simpler, less error prone) to achieve the same goal? Piotr
ASM Application Security PolicyManual Configuration (Advanced)
Hi, In 13.1.0.7 (I am not sure if it was the same in 13.1.4 but for sure not like that in 12.1.x) when security policy is applied via Security tab of VS configuration pop up allowing to disable or change policy is gone. Instead entry like that is presented: Application Security PolicyManual Configuration (Advanced) Why so? Is that some kind of weird improvement? With this change management becomes quite complicated: There is no way to figure out which policy is attached to VS (except checking Resources > Policies section of VS) There is no easy way to change or disable security policy (again Resources > Policies and detach Local traffic Policy pointing to security policy) What is reason for this change, I can't see any benefits. PiotrHow to remove config from LTM policy using CLI?
Hi all, We have following policy on one of our LTMs. ltm policy /Common/Test { controls { forwarding } requires { http } rules { Test-Client1 { actions { 0 { forward select pool /Common/CLient1_Pool } } conditions { 0 { http-uri contains values { 0099/ } } } ordinal 1 } We need to remove the "ordinal 1" part of the config from this policy. We can't find any option in GUI. How do we remove this using the CLI? Thanks,Local Traffic Policy and forward to virtual not working
Hi, Maybe not "not working at all" but for some reasons for some configs not :-( I tried setup like that: VS1 - Standard, wildcard with pool containing default gateway IP (not really relevant here), SNAT enabled, Address and port translation disabled VS2 - ForwardingIP, wildcard VS1 has LTP attached: forward to VS2 Client pointed at BIGIP selfIP as default gateway. Because VS1 has Source Address set to client IP VS1 is processing client request. From log it's obvious that traffic from VS1 is passed to VS2 then delivered to target server. Setup like that is not working - forward to VS2 is completely ignored, traffic is passed directly to target server (same one as for first config) VSProxy - Standard, Explicit forward proxy profile attached, no pool, SNAT enabled, Address and Port translation disabled VS2 - same as above VSProxy has same LTP attached No traffic ever reaches VS2, client request is passed directly to target server. I know of course how VS with explicit proxy HTTP profile is working but can't understand why it's ignoring LTP and not forwarding traffic to VS2 - even if connection will not work then forward should not be ignored - but it is :-( Sure there is Address/Port translation enabled but still... When Address/Port translation is disabled on VSProxy connection fails completely but traffic is not hitting VS2 as well. So either it's by design or it's kind of bug? Piotr
