ltm
19064 Topics

iRule - Url rewrite and header replace and pool selection not working
I have a scenario where I need to perform a header replace and url rewrite and select a pool. I have several sites that I need to select a specific pool and they all have to come through the same virtual server. When I select a pool the content returned is not complete. The web page is missing formatting and content. If I define a default pool that would be used for the specific site the content returned is complete for that site but still missing content for the other sites not using a default pool. I have tried a /32 OneConnect profile and that made no difference. Below is my iRule:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            "mywebsite.test.edu" {
                switch -glob [string tolower [HTTP::uri]] {
                    "/mytestsite1" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite1/Authentication/Login?"
                    }
                    "/mytestsite1/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite1/" "/differentname1/"} [HTTP::uri]]
                        }
                        pool mypool1
                        return
                    }
                    "/mytestsite2" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite2/Authentication/Login?"
                    }
                    "/mytestsite2/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite2/" "/differentname2/"} [HTTP::uri]]
                        }
                        pool mypool2
                        return
                    }
                    "/mytestsite3" {
                        HTTP::redirect "https://mywebsite.test.edu/mytestsite3/Authentication/Login?"
                    }
                    "/mytestsite3/*" {
                        if {[HTTP::host] ne ""} {
                            HTTP::header replace Host "differentname.test.edu"
                            HTTP::uri [string map -nocase {"/mytestsite3/" "/differentname3/"} [HTTP::uri]]
                        }
                        pool mypool3
                        return
                    }
                }
            }
        }
    }

33 Views, 0 likes, 4 Comments

LTM for load balance DNS queries with real IP addresses
Hello everyone, I’m seeking advice from experts. I’ve configured an LTM to load balance requests across multiple internal DNS servers. However, I’m facing a challenge: the DNS servers need to see the real client IP addresses in the requests, rather than the LTM’s IP. How can I achieve this? Please note that I only have an LTM license. Thank you in advance for your assistance!

44 Views, 0 likes, 2 Comments

Priority group activation on GTM.
Hello All, I need to configure an active-standby configuration at the GTM pool level. Only one VS should be UP and the second should be standby; if one VS is down, then traffic should pass to the other VS. I can see there is one option, Minimum-up Members, but I do not know how to use it as a priority group activation at the GTM level. If anyone has any article or config suggestion, please share. Many thanks in advance for your time and consideration.

41 Views, 0 likes, 2 Comments

Especial Load Balancing Active-Passive Scenario (I)
Problem this snippet solves:

This code was written to solve this issue: REF - https://devcentral.f5.com/s/feed/0D51T00006i7jWpSAI

Specification:

- 2 clusters with 2 nodes each.
- Each cluster will be served using the active-passive method.
- Each node in the cluster will be served using round robin.
- When a cluster changes to active, it will keep this status even if the initial active cluster changes back to up status.
- Only one BIG-IP device.

There are many topics suggesting the use of "Manual Resume" to meet these specifications, but this requires manually restoring each node when it is back online. My initial idea was to have an unattended virtual server. To do so, I use a combination of persistence and internal virtual server load balancing (VIP-targeting-VIP in the same device).

How to use this snippet:

This scenario is composed of the following set of objects:

- 4 nodes (Node1, Node2, Node3, Node4)
- 1 additional node called "internal_node" (which represents the VIP used on VIP-Targeting-VIP)
- 2 pools called "ClusterA_pool" and "ClusterB_pool" (which point to each pair of nodes)
- 1 additional pool called "MyPool" (which points to the two internal VIPs)
- 2 virtual servers called "ClusterA_vs" and "ClusterB_vs" (which use RoundRobin to the pools of the same name)
- 1 virtual server called "MyVS" (which is the visible VS and points to "MyPool")

By the way, I use a "Slow Ramp Time" of 0 to reduce the failover time.
Below you can find an example of the configuration:

-----------------

    ltm virtual MyVS {
        destination 10.130.40.150:http
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            universal {
                default yes
            }
        }
        pool MyPool
        profiles {
            tcp { }
        }
        rules {
            MyRule
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vs-index 53
    }
    ltm virtual ClusterA_vs {
        destination 10.130.40.150:1001
        ip-protocol tcp
        mask 255.255.255.255
        pool ClusterA_pool
        profiles {
            tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vs-index 54
    }
    ltm virtual ClusterB_vs {
        destination 10.130.40.150:1002
        ip-protocol tcp
        mask 255.255.255.255
        pool ClusterB_pool
        profiles {
            tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vs-index 55
    }
    ltm pool ClusterA_pool {
        members {
            Node1:http {
                address 10.130.40.201
                session monitor-enabled
                state up
            }
            Node2:http {
                address 10.130.40.202
                session monitor-enabled
                state up
            }
        }
        monitor tcp
        slow-ramp-time 0
    }
    ltm pool ClusterB_pool {
        members {
            Node3:http {
                address 10.130.40.203
                session monitor-enabled
                state up
            }
            Node4:http {
                address 10.130.40.204
                session monitor-enabled
                state up
            }
        }
        monitor tcp
        slow-ramp-time 0
    }
    ltm node local_node {
        address 10.130.40.150
    }

-----------------

Code :

    when CLIENT_ACCEPTED {
        set initial 0
        set entry ""
    }
    when LB_SELECTED {
        incr initial
        # Checks if persistence entry exists
        catch { set entry [persist lookup uie [virtual name]] }
        # Load balancing selection based on persistence
        if { $entry eq "" } {
            set selection [LB::server port]
        } else {
            set selection [lindex [split $entry " "] 2]
            set status [LB::status pool MyPool member [LB::server addr] $selection]
            if { $status ne "up" } {
                catch { persist delete uie [virtual name] }
                set selection [LB::server port]
            }
        }
        # Adds a new persistence entry
        catch { persist add uie [virtual name] }
        # Applies the selection
        # These numbers represent the ports used for the VIP-targeting-VIP
        switch $selection {
            "1001" { LB::reselect virtual ClusterA_vs }
            "1002" { LB::reselect virtual ClusterB_vs }
        }
    }

Tested this on version: 12.1

2.4K Views, 0 likes, 1 Comment

Need to restrict access to URLs
Hello team, I have a new https://xyz.com that needs to be published to the internet. We are planning to launch its services in phases.

For the 1st phase I have received a set of 29 URI paths (these are wildcard URI paths, i.e. https://xyz.com/asdf/xyz/morning*) that need to be accessible from internet public IPv4 & public IPv6 IPs. Any URI paths other than these 29 paths should be redirected to https://oldapplication.com when accessed from internet public IPv4 & public IPv6 IPs.

Access to https://xyz.com from internal organization private IPs should be allowed without any URI path restriction.

Please inform how I can achieve the above requirement using iRule or LTM policy or WAF. Thanks in advance

39 Views, 0 likes, 2 Comments

Renew BIG-IP device SSL certificate
Hello Team, I am going to renew our BIG-IP device SSL certificate, but this time we have GTM, so we also need to update the GTM side. This is what I am planning:

- Renew the BIG-IP device SSL certificate via CLI on config/httpd/conf/ssl.crt/server.crt
- Restart the httpd service
- I am planning to update the GTM via GUI: DNS -> GSLB -> Servers -> Trusted Server certificates -> Import -> Append -> paste the new cert
- Restart the big3d and gtm service

The question is, is this the correct way? Also, will this also update my cert on big3d (/config/big3d/client.crt)? If not, do I need to update the cert on big3d? Thank you!

57 Views, 0 likes, 2 Comments

Monitor multiple services on one service
Hi folks, I have a server serving web/SMTP services. How do I monitor multiple services on F5 with one backend server? Also, which VS should I configure to serve both services, instead of creating 2 VS with the same IP but different ports? Thanks

58 Views, 0 likes, 8 Comments

question about getting hsl data to be formatted properly in splunk
I posted a similar question about 2 weeks ago and I am still not able to get the data that I send to Splunk to have the proper JSON format. Has anyone either configured their own log pool, log destination and log publisher or used the f5 supported iapps template f5 analytics version to send log data to Splunk? I will include my HSL::open and HSL::send commands and my log command as well as a screen print with the problem we are trying to solve.

What I have been told is that the red color in Splunk is the key and the light blue is the value. When I just use the log statement everything is formatted correctly in Splunk. When I use the HSL::send command everything I send becomes the key and then the value is something called hostname which is not usable. I have the need to send massive amounts of data to Splunk so it is prohibitive to use the log command and put all this data also on local disk.

    set hsl [HSL::open -proto TCP -pool analytics-iapp-hec-forwarder-tcp-log-stage0]
    HSL::send $hsl "<190>,hsl test,f5_irule=hsl_splunk_logging_new,client_ip=$client, client_port=$client_port, vip_ip=$vip, vip_port=$vip_local_port, snat_ip=$self_ip,snat_port=$self_ip_local_port,remote_ip=$node,remote_port=$node_server_port "
    log local0.info "hsltest Event=CLIENT_CLOSED protocol=tcp hsl=$hsl client_ip= $client client_port= $client_port vip_ip= $vip vip_port= $vip_local_port snat_ip= $self_ip snat_port= $self_ip_local_port remote_ip= $node remote_port= $node_server_port "

![Image Text](/Portals/0/Users/210/54/185554/2018.06.11.sample.hsl.and.syslog.PNG?ver=2018-06-13-082447-437)

505 Views, 0 likes, 7 Comments

Problem with Let's Encrypt and redirect after update
Hi, we updated our BigIP last week from 15.x to 17.1.1.4. Since then we are not able to get certificates from Let's Encrypt if the _sys_https_redirect iRule is active on the Virtual Server. As an example, I have for the IP 1.2.3.4 (asdf123.info) two VS with port 80 and 443; on port 80 two iRules are mapped:

lets_encrypt:

    when HTTP_REQUEST {
        if {[HTTP::has_responded]} {return}
        if { not ([HTTP::path] starts_with "/.well-known/acme-challenge/") } { return }
        set token [lindex [split [HTTP::path] "/"] end]
        set response [class match -value -- $token equals acme_responses]
        if { "$response" == "" } {
            log local0. "Responding with 404 to ACME challenge $token"
            HTTP::respond 404 content "Challenge-response token not found."
        } else {
            log local0. "Responding to ACME challenge $token with response $response"
            HTTP::respond 200 content "$response" "Content-Type" "text/plain; charset=utf-8"
        }
    }

and _sys_https_redirect:

    # Copyright 2003-2006, 2012-2013, 2016, 2019. F5 Networks, Inc. See End User License Agreement ("EULA")
    # for license terms. Notwithstanding anything to the contrary in the EULA,
    # Licensee may copy and modify this software product for its internal business
    # purposes. Further, Licensee may upload, publish and distribute the modified
    # version of the software product on devcentral.f5.com.
    #
    when HTTP_REQUEST {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }
    definition-signature tJY87UPbfpgQ3TPXqXhbCAgqIJhR1MvyFxXLTX/wNqmH+XV51tNkr8HWmv4PBq8hm6w7peLKj88shG+0RiX+yAMU31n6jS9vRcg0VKNPBWLTzu3Ic8abqyyY6XYgkMel+d9Sa8x+vakcuPcAZ0dnICHQiQFePjxYUD0XKwIrbGqQb8vEcU3HHbDaLoMQry4KDnV3s1crFpWXBZBo6esIdzM/s0jYncqZBNdTmIEH3ujEunmo2Jh9MBDhwfGKy1XwCfeeZvzk8b1J+HbRk7W/vbrRUewJZDt+Z13i9u/MbneAL4QXZgtjSxU2nN4GcZjWePUIm7oxc1nz9FGeNva1xg==

This configuration had worked for years, but since the update to 17.1.1.4 we get a "connection reset by peer" on requests for http://asdf123.info/.well-known/acme-challenge/30IpwjJqyA7LKANXCvu7gyN9txfYQOqzllBNC3ROPnY. If I remove the _sys_https_redirect iRule, it works fine. Does anyone have a solution for this problem?

80 Views, 0 likes, 5 Comments

Management IP F5 cant be accessed
Good day everyone. I want to ask about an F5 box from my user: when I try to access the GUI and CLI of the box, there is a problem where sometimes the management IP can be accessed and sometimes it can't be accessed. Does anyone know what's wrong? Thank you.

58 Views, 0 likes, 4 Comments