Intermittent Net::ERR_CONNECTION_RESET Error and Incomplete Loading over HTTPS
I have an F5 load balancing setup configured with two servers. My MVC web application, which incorporates Kendo UI, Jquery, and bootstrapping, is hosted on an IIS server with an SSL certificate. However, when accessing the application via HTTPS from outside the server, it often or sometimes results in a 'net::ERR_CONNECTION_RESET' error, with intermittent failures to load javascript and CSS files to the client browser. Strangely, upon reloading the page, the assets load properly, and the page functions as expected. This issue did not occur when the application was accessed via HTTP, where it worked properly without any issues. What could be the reason behind this problem?
Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5-experts, My situation: I try to loadbalance Web-Proxy traffic. In genenal it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following Image A clients uses VS-A as it's HTTP proxy. This VS loadbalances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The Proxies use the HTTP: Connect method. VS-B on the other hand, has a Pool B attached with a lot (as in really a lot) other proxy servers, that are not under our control (but are trustworthy, and have to be used. No way around it). VS-A: Type Standard HTTP-Profile: http-transparent (to be able to use LB method Fastest (node)) Source Address Translation: none Default Persistence Profile: source_addr Pool A: LB Method: Fastest (node) VS-A: Type Standard HTTP-Profile: http-transparent (to be able to use LB method Fastest (node)) Source Address Translation: SNAT Default Persistence Profile: none Pool B: LB Method: Fastest (node) Problem: On some websites, people complain about loosing their sessions. I tracked it down to the VS-B, which can not persist connections to a website to the same node in Pool B. Since the VS-B does not see the original client IP, but only the 2 proxy IP's I have no idea how to establish a propper persistence. For a very important website, i wrote an iRule that "hard-binds" to a single Node in Pool B, based on the HTTP:URI. My question: Is my config any viable? Or what should I change? I read a lot of article here, but I never had the feeling, that those met my situation with the "2-stage" proxy environment. I was thinking about adding a http header with the original client IP by an iRule in VS-A so I have something to make a persistence decision in VS-B, but I'm not sure how to do that. I also often read about applying the OneConnect profile combined with proxy loadbalancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment. I hope I made it some kind of clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a but rusted using it. Any help or hint is very much appreciated. Thanks in advance, ichnafi EDIT:(28th Feb) I just found out, that the desired website can be acquired from the HTTP::host header even by Vs-B. So would it be possible to establish a persinstence for the combination client IP and HTTP::host header? EDIT2: Possible Solution found (1st Mar) I currently endet up with an iRule creating a universal persistence based on the http::host header. the iRule is then bound to a universal Persistense-Profile. The iRule looks lilke this: when HTTP_REQUEST { persist uie [HTTP::host] } I'm thinking of maybe creating a custom header that contains a combination of client_ip and http:host value to get an even more definite persistence, but not quite sure about that. What do you guys think?
FTp proxy via iRule
Hello, I'm trying to do an anonymous ftp connection through an F5 irule. My logs of the irule look like this: Rule /Common/iRule_ftp_proxy <CLIENT_ACCEPTED>: client FTP accepted Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: client payload - USER anonymous@193.190.198.27 Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: sitename:193.190.198.27 - cmd:USER - uid:anonymous Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: address 193.190.198.27 port 21 Rule /Common/iRule_ftp_proxy <SERVER_CONNECTED>: connected to server Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 220-Welcome to the Belnet public FTP server ftp.belnet.be !This server is located in Brussels, Belgium and operated by Belnet, the BelgianEducation and Research Network. If you have any problem, question or mirrorrequest, please send them to ftpmaint@belnet.be.This archive is available through the following means:RSYNC rsync://rsync.belnet.be (IPv4)HTTP http://ftp.belnet.be (IPv4 + IPv6)FTP ftp://ftp.belnet.be (IPv4 + IPv6) Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server found 220 ok Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payloadNote: opening too many parallel connections to this host is considered an abuse.All access is logged.Currently used storage capacity : 34T / 100T on /ftp220 193.190.198.27 FTP server ready Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 331 Anonymous login ok, send your complete email address as your password When I check with a wireshark capture on my client; the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and filezilla knows how to deal with it. This is my server_data in the irule; when SERVER_DATA { if { $static::debug } { log local0. "server payload [TCP::payload]" } if { [TCP::payload] starts_with "220" }{ if { $static::debug } { log local0. "server found 220 ok" } TCP::respond "USER $uid\r\n" TCP::payload replace 0 [TCP::payload length] "" } TCP::release TCP::collect } I also tried modifying the rule like this: when SERVER_DATA { if { $static::debug } { log local0. "server payload [TCP::payload]" } if { [TCP::payload] starts_with "220" }{ if { $static::debug } { log local0. "server found 220 ok" } TCP::respond "USER $uid\r\n" TCP::payload replace 0 [TCP::payload length] "" } if { [TCP::payload] starts_with "331" }{ TCP::respond "PASS $uid@example.com\r\n" TCP::payload replace 0 [TCP::payload length] "" } TCP::release TCP::collect } This get's me one step further, but I'm still not able to connect. When I check with a wireshark capture on my client; the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and filezilla knows how to deal with it. Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 230 Anonymous access granted, restrictions apply Why is the '331 server_data' not being forwarded to my client so it can respond to it, or is this the task of the proxy? And why is the '230 server data' not reaching the client? CheersFTP proxy data connection
I've used this ftp proxy for ftp connection. https://devcentral.f5.com/codeshare/ftp-proxy-v10-and-up My iRule when CLIENT_ACCEPTED { TCP::respond "220 Welcome to the F5 FTP Proxy v10\r\n" log local0. "client accepted" TCP::collect } when CLIENT_DATA { set ftplogin [TCP::payload] log local0. "login is $ftplogin" if { $ftplogin starts_with "USER" } { You can set it up to use any DNS server you want. set dnslookup "10.191.31.60" set cuser [TCP::payload] scan $cuser {%[^@]@%s} garbage sitename scan $garbage %s%s cmd uid log local0. "$sitename" set ips [RESOLV::lookup @/OpusCapita/vs_dns_test -a $sitename] set ips $sitename if {$ips eq "" } { Input wasn't an IP address, take some default action? log local0. "$ips Input wasn't an IP address" reject } else { TCP::payload replace 0 [TCP::payload length] "" set ftp_serv "[lindex $ips 0]" node [lindex $ips 0] [TCP::local_port] log local0. "member adresa [lindex $ips 0] port [TCP::local_port]" } } TCP::release } when SERVER_CONNECTED { TCP::collect } when SERVER_DATA { set serv_data [TCP::payload] if { $serv_data contains "220" } { TCP::respond "USER $uid\r\n" log local0. "user= "USER $uid\r\n" " TCP::payload replace 0 [TCP::payload length] "" } TCP::release } User can connect to my FP proxy VIP and connect to dest ($sitename) server. At the moment donĀ“t use DNS. But when user try trasfer some data to FTP server. User see only timeout and no data sent. Can you please check where can be problem? my ftp profile Name proxy_ftp Parent Profile ftp ranslate Extended Enabled Inherit Parent Profile Enabled Data Port 0 And log from ftp server [Cway2:/home/jtoivola/TEMP] date ; ftp 82.180.230.19 121 Fri May 20 12:31:06 EEST 2016 Connected to 82.180.230.19. 220 Welcome to the F5 FTP Proxy v10 Name (82.180.230.19:jtoivola): cwjuha1@82.180.220.75 331 Password required for cwjuha1. Password: 230 User CWay2005Juha1 logged in. Remote system type is UNIX. ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '230 User CWay2005Juha1 logged in.' ftp-child [32279] <05/20-12:37:47> USER-INF 'SYST' from 82.180.230.19 ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '215 UNIX Cway' ftp-child [32279] <05/20-12:37:51> USER-INF 'PORT 82.180.230.19:51418' from 82.180.230.19 ftp-child [32279] <05/20-12:37:51> USER-INF 'STOR testi' from 82.180.230.19 ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '227 Entering Passive Mode (10,190,8,6,225,252)' ftp-child [32279] <05/20-12:37:51> TECH-DBG got SRV-PASV 10.190.8.6:57852 for 82.180.230.19:28912 ftp-child [32279] <05/20-12:37:51> TECH-INF 'STOR testi' sent for 82.180.230.19 ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '150 ASCII data connection for testi (82.180.220.75,36979).' ftp-child [32279] <05/20-12:37:55> USER-INF Transfer for 82.180.230.19 completed: STOR 'testi' read 0/4 byte/sec ftp-child [32279] <05/20-12:37:55> TECH-DBG from Server-PI (3): '552 testi: An invalid argument value was given.'
Websites do not load correctly when load balancing via proxy
We currently have a pair of BIG-IPs with 11.5 running in our DC. One of the services we want to load balance is a pair of Cisco WSAs (IronPort) which function as web proxies. When a client connects via the BIG-IP's VIP to access the Proxies we have the problem that not all of the content is loaded. This problem does not change if we take one of the WSAs out of the pool so that we can be sure we always go via the same proxy. It is also working fine when the clients go via one of the proxies directly. [UPDATE] The http-WSA-proxy profile is based obn the fastL4 but has XFF enabled. Does anyone have an idea what we are missing and why we are not receiving the complete page? High level traffic flow: Client <> BIG-IP Cluster <> Firewall <> 2x Cisco WSA Web Proxy <> Firewall <> Internet LTM config: ltm virtual vs_NAME { destination VIP%RD:webcache ip-protocol tcp mask 255.255.255.255 partition NAME persist { source_addr_mirror { default yes } } pool NAME profiles { /Common/fastL4 { } http-WSA-proxy { } } source 0.0.0.0/0 source-address-translation { type automap } vlans { NAME-VIPs } vlans-enabled vs-index 17 }
Any iRules that acts as Virtual Server for By-Pass Cert
F5 APM with SWG module, so this F5 acts as Proxy and Intercept Cert. I have a problem about intercept certificate some website cannot use it, then I solved that problem by create the new virtual machine and fixed the destination of each website's IP. (nslookup) But I think it's not a good solution, because If some website occurs like this problem more, I have to add more virtual server. So I try to use iRules to by-pass the destination by using iRules. when CLIENT_ACCEPTED { if { [ IP::Addr [IP::local_addr] equals "xxx.xxx.xxx.xxx" ] } { SSL::disable } } But it's did not work, please could you suggest me for the iRules command.
Proxy Protocol Receiver
Problem this snippet solves: iRule for BIG-IP to receive PROXY protocol (v1 and v2) header in TCP Payload and remove it before forwarding remaining TCP Payload to server side pool member. How to use this snippet: Enable iRule on virtual server where upstream proxy will be sending PROXY header. Testing done using proxied IPv6 and IPv4 HTTP connections from HAProxy using Proxy Protocol v1 and v2. Use of client or server SSL profiles slated for testing and validation since ELB promotes use of Proxy Protocol as a solution for customers that don't want to have ELB terminate HTTPS traffic but do want servers to see original IP addresses. Code : #PROXY Protocol Receiver iRule # c.jenison at f5.com (Chad Jenison) # v2.0 - Added support for PROXY Protocol v2, control for v1,v2 or lack of proxy via static:: variables set in RULE_INIT # v2.1 - Fix for skipping bytes in v2 code when RULE_INIT { set static::allowProxyV1 0 set static::allowProxyV2 1 set static::allowNoProxy 0 } when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { binary scan [TCP::payload 12] H* v2_protocol_sig if {$static::allowProxyV1 && [TCP::payload 0 5] eq "PROXY"} { set proxy_string [TCP::payload] set proxy_string_length [expr {[string first "\r" [TCP::payload]] + 2}] scan $proxy_string {PROXY TCP%s%s%s%s%s} tcpver srcaddr dstaddr srcport dstport log "Proxy Protocol v1 conn from [IP::client_addr]:[TCP::client_port] for an IPv$tcpver stream from Src: $srcaddr:$srcport to Dst: $dstaddr:$dstport" TCP::payload replace 0 $proxy_string_length "" } elseif {$static::allowProxyV2 && $v2_protocol_sig eq "0d0a0d0a000d0a515549540a"}{ binary scan [TCP::payload] @12H* v2_proxyheaderremainder binary scan [TCP::payload] @12H2H* v2_verCommand v2_remainder if {$v2_verCommand == 21}{ binary scan [TCP::payload] @13H2 v2_addressFamilyTransportProtocol if {$v2_addressFamilyTransportProtocol == 11} { binary scan [TCP::payload] @16ccccccccSS v2_sourceAddress1 v2_sourceAddress2 v2_sourceAddress3 v2_sourceAddress4 v2_destAddress1 v2_destAddress2 v2_destAddress3 v2_destAddress4 v2_sourcePort1 v2_destPort1 set v2_sourceAddress "[expr {$v2_sourceAddress1 & 0xff}].[expr {$v2_sourceAddress2 & 0xff}].[expr {$v2_sourceAddress3 & 0xff}].[expr {$v2_sourceAddress4 & 0xff}]" set v2_destAddress "[expr {$v2_destAddress1 & 0xff}].[expr {$v2_destAddress2 & 0xff}].[expr {$v2_destAddress3 & 0xff}].[expr {$v2_destAddress4 & 0xff}]" set v2_sourcePort [expr {$v2_sourcePort1 & 0xffff}] set v2_destPort [expr {$v2_destPort1 & 0xffff}] log "Proxy Protocol v2 conn from [IP::client_addr]:[TCP::client_port] for an IPv4 Stream from Src: $v2_sourceAddress:$v2_sourcePort to Dst: $v2_destAddress:$v2_destPort" binary scan [TCP::payload] @14S address_size set skip_bytes [expr 16 + $address_size] TCP::payload replace 0 $skip_bytes "" } elseif {$v2_addressFamilyTransportProtocol == 21} { binary scan [TCP::payload] @16H4H4H4H4H4H4H4H4 v2_v6sourceAddress1 v2_v6sourceAddress2 v2_v6sourceAddress3 v2_v6sourceAddress4 v2_v6sourceAddress5 v2_v6sourceAddress6 v2_v6sourceAddress7 v2_v6sourceAddress8 binary scan [TCP::payload] @32H4H4H4H4H4H4H4H4 v2_v6destAddress1 v2_v6destAddress2 v2_v6destAddress3 v2_v6destAddress4 v2_v6destAddress5 v2_v6destAddress6 v2_v6destAddress7 v2_v6destAddress8 binary scan [TCP::payload] @48SS v2_v6sourcePort1 v2_v6destPort1 set v2_v6sourcePort [expr {$v2_v6sourcePort1 & 0xffff}] set v2_v6destPort [expr {$v2_v6destPort1 & 0xffff}] set v2_v6sourceAddress "$v2_v6sourceAddress1:$v2_v6sourceAddress2:$v2_v6sourceAddress3:$v2_v6sourceAddress4:$v2_v6sourceAddress5:$v2_v6sourceAddress6:$v2_v6sourceAddress7:$v2_v6sourceAddress8" set v2_v6destAddress "$v2_v6destAddress1:$v2_v6destAddress2:$v2_v6destAddress3:$v2_v6destAddress4:$v2_v6destAddress5:$v2_v6destAddress6:$v2_v6destAddress7:$v2_v6destAddress8" log "Proxy Protocol v2 conn from from [IP::client_addr]:[TCP::client_port] for an IPv6 Stream from Src: $v2_v6sourceAddress:$v2_v6sourcePort to Dst: $v2_v6destAddress:$v2_v6destPort" binary scan [TCP::payload] @14S address_size set skip_bytes [expr 16 + $address_size] TCP::payload replace 0 $skip_bytes "" } else { log "v2_proxy conn from [IP::client_addr]:[TCP::client_port] - possible unknown/malformed transportProtocol or addressFamily" reject } } elseif {$v2_verCommand == 20}{ log "Proxy Protocol v2 and LOCAL command from [IP::client_addr]:[TCP::client_port]; skipping" binary scan [TCP::payload] @14S address_size set skip_bytes [expr 16 + $address_size] TCP::payload replace 0 $skip_bytes "" binary scan [TCP::payload] H* local_remainder } else { log "Proxy Protocol Protocol Signature Detected from [IP::client_addr]:[TCP::client_port] but protocol version and command not legal; connection reset" reject } } elseif {$static::allowNoProxy} { log "Connection from [IP::client_addr]:[TCP::client_port] allowed despite lack of PROXY protocol header" } else { reject log "Connection rejected from [IP::client_addr]:[TCP::client_port] due to lack of PROXY protocol header" } TCP::release } Tested this on version: 12.0
iRule for web proxy for only 2 address in internet
Hello, i create proxy by the manual https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using/ta-p/286647 After that i want create custom iRule or other solution for next task: source address - 5 servers in dmz zone destination address to inet only 2 addresses: https://login.microsoftonline.com https://graph.microsoft.com first of all i need to create data gorup list with string this url and attached to irule or all all the information only in irule? Pls can somebody you share manual or example for that solution.ProxyPass v10/v11 modifications - how to share?
I've just started using the ProxyPass v10/v11 iRule to move a number of Apache mod_proxy reverse proxies to our F5 HA pair. The first site moved was a simple HTTP clientside to HTTP serverside with no payload rewriting and it worked perfectly as documented. Then I started to see things that could be improved and a few things that didn't work and could be fixed. Localised Options The static::ProxyPassDebug and static::RewriteResponsePayload are inconvenient when the iRule is used by multiple virtual servers, so I've localised these for each virtual server in a new Data Group "ProxyPassOptionsVIRTUAL". Protocol Rewriting We offload SSL to some of our proxies so I found the request header and referer rewriting wasn't rewriting the protocol, resulting in the browser getting connection errors at least, I think, unless the virtual server accepts both HTTP and HTTPS in which case the iRule appears to trap the unchanged protocol in the new request and rewrites and redirects it back to itself. I have fixed this by inferring the serverside protocol for each pool from the ProxyPassSSLProfile information if it exists. There are a couple of assumptions/requirements supporting this method: 1. If any pool, default or alternative, requires SSL it must have a server profile entry in this data group. 2. The clientside protocol is detected via the CLIENTSSL_HANDSHAKE event. Response Payload Protocol Rewriting Payload rewriting doesn't rewrite the protocol. I have fixed this also following from previous item. Response Payload Rewriting Generally I think payload rewriting is incomplete if it only rewrites matching the current request URL components. That is, currently for a request rewrite e.g. "http://www.company.com/some/path" to "", the response payload will reverse only this URL. If the payload includes other absolute URLs e.g. "", this will be missed. So the iRule needs to be modified to rewrite just the "protocol://host_serverside" part for all URLs starting with that string, but it also needs to rewrite any path components that start with any path component in "ProxyPassVIRTUAL" that match the serverside host. For example, given the following "ProxyPathVIRTUAL": "www.company.com/some/path" := "backend.internal/other/path" "www.company.com/some/other/path" := "backend.internal/yet/another/path" Given a request "http://www.company.com/some/path", all of the following rewrites need to occur if found in the response payload: "http://backend.internal/other/path" -> "http://www.company.com/some/path" "http://backend.internal/yet/another/path" -> "http://www.company.com/some/other/path" "http://backend.internal/unchanged/path" -> "http://www.company.com/unchanged/path" "/other/path" -> "/some/path" "/yet/another/path" -> "/some/other/path" URL rewriting and Case (In)Sensitivity The original iRule assumes case sensitivity, which may be valid but is impractical. Unfortunately, we have a backend application running on Windows and the developers were arbitrary about case, hence an inbound request in lowercase will go through ok but response headers and payloads may contain the URL in uppercase. Apache mod_proxy appears, from our experience, to handle this somehow, I assume by checking each response URL against all paths listed for proxying. Our Apache reverse proxy lists each path as lower and upper case and we have not had a problem. This is the same problem as "Response Payload Rewriting Generally" applied to header rewriting. Current thinking is to add an option "ProxyPassURLDownCasing" to invoke down casing of all URL path elements before checking and rewriting. The option needs to be settable per pool, so the option value would probably be a list of pools. Code Sharing I haven't implemented the latter two items yet but I'm happy to provide the modified iRule code once I have if someone can tell me how I can upload it. I don't have any dev points to upload it directly and I tried posting the first three mods to this iRules forum but exceeded the word count and was rejected. Thanks.
