F5 Local traffic policy / wrong requirement!
Hi, I worked on a customer deployment where we wanted to create a virtual server to dispatch HTTPS requests to internal virtual servers based on Host header. In version 13.0, there is a condition ssl-extension server-name .I thought Great, I can create the main VS without HTTP profile and filter based SNI extension So I tried to create a ltm policy with rules like: condition : Server name equals "mysite1.company.com" action : forward virtual server VS-mysite1.company.com And tried to assign it to the VS with only ClientSSL profile. I can't because of policy requirements... When I looked in policy configuration in tmsh, the policy requires http ssl-persistence which is weird when I look the rule configuration. In versions 11.X, this configuration was manual but starting with version 12, this is created automatically when selecting rule conditions and actions. I didn't checked if the requirements selected is also wrong in v12. I so tried to create a policy and looked the generated configuration in TMSH policy without rule ltm policy Drafts/bug_policy_requires { last-modified 2017-08-28:18:36:02 status draft strategy first-match } Policy with one rule assigning pool without condition ltm policy Drafts/bug_policy_requires { controls { forwarding } last-modified 2017-08-28:18:37:17 requires { http } rules { rule_no_condition { actions { 0 { forward select pool Pool_icap } } } } status draft strategy first-match } what configuration in this rule requires http ??? Policy with one rule assigning pool and with SNI condition ltm policy Drafts/bug_policy_requires { controls { forwarding } last-modified 2017-08-28:18:38:20 requires { http ssl-persistence } rules { rule_condition_sni { actions { 0 { forward select pool pool_ad_http } } conditions { 0 { ssl-extension ssl-client-hello server-name values { test.company.com } } } ordinal 1 } rule_no_condition { actions { 0 { forward select pool Pool_icap } } } } status draft strategy first-match } Why ssl-persistence and not client-ssl condition which may be the best requirement?
Traffic policy not evaluating TCL commands
I've setup a traffic policy to check if a header exists and if it doesn't then to add it. That bit of the logic works however it doesn't add what I need it to - it basically doesn't evaluate the tcl command I put in. I've tried it using with and without quotes and basically the output I get into the XFF header is the string so either "tcl:[IP::client_addr]" or just tcl:[IP::client_addr] actions { 0 { http-header replace name X-Forwarded-for value \"tcl:[IP::client_addr]\" } or actions { 0 { http-header replace name X-Forwarded-for value tcl:[IP::client_addr] } There are good reasons why I am not using the standard Insert XFF in the HTTP profile and whilst it could easily be done by an iRule I really need this to work, as it should do, in a traffic policy. I am running 11.5.1 HF7Complex Irule transform to local traffic policy which is with the substring.
I'm trying to convert this below Complex irule to a local traffic policy.I'm facing problem at converting that substring. Can anyone help me. elseif { $http_uri starts_with "/servicecenter/servicerequest"} { set http_uri_suffix [substr $http_uri 14] HTTP::uri "$http_uri_suffix" SSL::disable serverside HTTP::redirect "https://www.xyz.com[HTTP::uri]"
Local Traffic Policy for complex URI transform; order of eval relative to iRules
New to 11.4, and getting my hands around Local Traffic Policies. I have a scenario in which I evaluate starts-with against the URI, and depending on value, select a pool. But for certain URIs, I also change the URI in a non-trivial manner. For example: when HTTP_REQUEST { if {[HTTP::uri] starts_with "/MP"} { pool pool1 } elseif {[HTTP::uri] starts_with "/MA/2.00"} { HTTP::uri [string map {"/MA/2.00" "/MA"} [HTTP::uri]] pool pool2 } } First – how do I do that URI transformation with a Policy? Target: http-uri has parameters of path, query-string and value. Can I just select “value” and add “[string map {"/MA/2.00" "/MA"} [HTTP::uri]]”? I mean, does an action get evaluated that way, such that you can use TCL string functions and data class references? As an alternative, I considered using the Policy to select a pool (easy to do), and leaving the URI transform as a smaller, simpler iRule – but which gets run first, the Policy or the iRules? If the iRule went first, it would prevent to Policy "URI starts-with" condition from being met, because the URI would have been changed to not match, and no pool would get selected. Sorry if this kind of thing is clarified somewhere – I couldn’t find it if so.
Problema policy forward url to pool
hello people, I'm having trouble using URL to forward specific policy pool. follows the configuration: ----------Policy---------- Name: rewrite_extranet_ssl Configuration: forward_pool_portaleconomiario http-host all equals test.extranet.box http-uri all equals /Portalonline forward select pool /Common/Pool_Portalonline ----------Virtual Server ltm virtual vs_extranet_ssl { destination 192.168.100.130:https ip-protocol tcp mask 255.255.255.255 persist { source_addr { default yes } } policies { rewrite_extranet_ssl } pool Pool_Extranet profiles { box_extranet_ssl { context clientside } http_with_redirect_rewrite { } rewrite_extranet_ssl { } stream { } tcp { } } rules {} source 0.0.0.0/0 source-address-translation { type automap } vs-index 1576 } Turns out he is not headed for the pool specified in the policy but for the VS default pool Any idea?local traffic policy http-header insert action
Hi! BIG-IP 11.4 introduces new feature called Local Traffic Policies. Could you please help with the question if it is possible to use iRules commands inside local traffic policies? I want use logic like represented below. Insert specific header with IP address value. policy_rule_1 { actions { 0 { http-header insert name My-Header-Client-IP value [IP::client_addr] } } conditions { none } }
HTTPS passthrough for a single domain name
Hi Everyone, I have 1x HTTPS virtual server hosting multiple applications/ domain names (e.g. X.com, Y.com, Z.com, etc.) it is configured with SSL Bridging mode (both VS and pool members are 443). My question is if I want a specific domain nameY.comto be handled as SSL passthrough wherecertificate is terminated on the backend servers. Meaning if domain name isY.comthe traffic will not be inspected, and HTTP, clientssl, and serverssl profiles must disable in this case. Not sure if this could be implemented, but any idea would be highly appreciated. Thank you.
Local Traffic Policy to Redirect Based on Hostname
Hello Community, I hope someone can point me in the right direction. We are in the process of migrating our web applications to a new portal system. I need to redirect the client to the new URL, but I don't want the client to see the redirection. I think this is similar to the ProxyPass iRule, but I would like to do this through traffic policies instead of an iRule. Here is an example of the application I am trying to redirect. https://application-a.domain.com/ -> https://portal.internal.domain.local/application-a I have a traffic policy to rewrite the hostname and URI path that seems to be working correctly, but the server returns a 302 redirection to https://portal.internal.domain.local/application-a. I've been banging my head against a wall trying to figure out how to replace https://portal.internal.domain.local/application-a with https://application-a.domain.com/. I've tried adding a rule to replace portal.internal.domain.local with application-a.domain.com in the HTTP header Location path, but that does not seem to do anything. Here is the full policy... ltm policy /Common/Test_Policy { requires { http } rules { Test_Rule1 { actions { 0 { http-host replace value portal.internal.domain.local } 1 { http-uri replace path "tcl:[string map { / /application-a/ } [HTTP::uri]]" } 2 { http-header response replace name Location value "[string map {portal.internal.domain.local application-a.domain.com} [HTTP::header Location]]" } } conditions { 0 { http-host host values { application-a.domain.com } } } } } strategy /Common/first-match } And here is the client side redirect from Wireshark. HTTP/1.1 302 Found Date: Thu, 03 Sep 2020 13:50:48 GMT Server: Apache/2.4.38 (Debian) Referrer-Policy: no-referrer X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: none X-XSS-Protection: 1; mode=block X-Powered-By: PHP/7.3.18 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-cGxGUVVWczZMM3E2S0pScEh0V0dmeDd4cHVVU2QrbjhZUjREaXAvWTlMWT06alFBWkN6RVBXQVA0WXRVZFNKdjBWRk9UbHRVblQ2YVpOMnhBd3ZYeng1az0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self'; Location: https://portal.internal.domain.local/application-a/index.php/login Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Thanks for any assistance. Brian BurnsRewrite profile - any better way?
Hi, I wonder is there is any simpler way to achieve something described below: Scenario: Single VS - IP mapped to few external FQDNs Each external FQDN maps to virtual host on the same backend server (so traffic accepted only if there is Host header match in request send from BIG-IP to backend) There is possibility that some links returned from backend (in content) are not relative and can use backend srv FQDN. Setup: Local Traffic Policy forwarding traffic to appropriate pool based on host header in request from client - sure it could be one pool but because FQDN nodes has to be used I guess separate pools are needed - or not? Then Rewrite profile with URI rules for each ext FQDN to int FQDN with Rewrite Header, Rewrite content set, like * -> * -> * -> * and so on When redirect from http to https (send from backend) is needed then another Rewrite profile is necessary for HTTPS VS: * -> * -> * -> * and so on It is working OK but requires plenty of objects to be configured, everything has to be entered by hand, in few places and cause a lot of work and possibility to make mistake :-( Is there any other way (simpler, less error prone) to achieve the same goal? Piotr
