proxy
45 Topics

How to delete proxy sys db configurations on ASM?
Hello Everyone, I'm having an issue here where I'd like to totally remove the Proxy Configurations. What happens here is that the ASM tries to resolve <null> as a domain so the update fails. We are using TMOS v14.1. Thanks in advance! [Solved]

502 Proxy Error
Hello, I've been investigating several 502 Proxy Errors in our environment and can't seem to nail it down. We have a typical architecture of: F5 -> RP -> F5 -> AS. And we are getting the following:

HTTP/1.1 502 Proxy Error
Date: Wed, 06 Aug 2014 20:18:58 GMT
Server: Apache/2.4.9 (Win64)

502 Proxy Error
The proxy server received an invalid response from an upstream server. The proxy server could not handle the request GET. Reason: Error reading from remote server

It seems quite random, although when it happens it seems tied to the session; then after a period of time it gets reset and we don't get it for a while.

Monitor Authenticating proxy
I am trying to monitor health on a pair of Clearswift SWG appliances by connecting to external websites. I have set up an HTTP monitor sending 'get http://www.bbc.co.uk/ http/1.1\r\n\r\n' and if I use a receive string of 407 the monitor works. This suggests the proxy is returning 407 Authentication required as expected. If I add Username and Password to the monitor, it still works with a return string of 407, but not with 200. This suggests that the monitor isn't passing the authentication through to the Clearswift proxy. Can anyone point me in the right direction for a simple HTTP health monitor through an authenticating proxy? Thanks, Steve

ProxyPass Replacement Question
Hello, I have a customer who needs an environment set up that will be replacing their Apache environment. I have the VS set up but am not confident on how I should go about setting up the reverse proxy piece. I created a rewrite profile but am also interested in a related iRule. Here is what is being requested:

ProxyPass /apps/locale ----> http://server1:8103/SharedPHP/locale
ProxyPass /apps ----> http://server1:8103/Resources2011Apps/
ProxyPass /cdn ----> http://server2:8100/cdn/
ProxyPass / ----> http://server2:8100/

Is the URI rewrite profile the correct way to do this? I set up something as follows, for example, for the rewrite profile:

Rule Type: Both
Client URI: /apps/locale/
Server URI: http://server1:8103/SharedPHP/locale

Can someone also provide an example of how I would achieve this with an iRule as well? Thanks!

Basic Auth to OAuth 2.0 Client proxy and vice versa
I am a bit of a dabbler in Big-IP configuration and iRules and not an expert, so please forgive any ignorance on my part. I am wondering whether it is possible to use the F5 Big-IP APM to act as an authentication proxy that (1) receives requests with a Basic Auth header that is validated against either a list of static usernames and passwords or an Active Directory/LDAP server. After authenticating the request, the Big-IP should (2) request a token from an external OAuth 2.0 authorization server using the client_credentials grant type (or get an existing token from cache). This external authorization server does not support OIDC. After receiving the token it should (3) be added to the downstream request as an "Authorization: Bearer" header. We would also like to have the reverse of the above, where a request is (4) received on the F5 with an OAuth 2.0 Bearer token which is then authenticated and (5) replaced by a Basic Auth header on the downstream request that leaves the F5.

From prior experience with a Big-IP appliance and custom iRules, I'm fairly certain that (1) and (5) are possible. Regarding (2), when configured as an OAuth client, Access Policy Manager® (APM®) supports authorization code and resource owner password credentials grant types: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/37.html However, it would seem that there is a workaround available to use a client_credentials grant type. But I'm not sure if the external authorization server not supporting OIDC is going to be a problem: https://devcentral.f5.com/s/articles/allow-support-of-grant-type-client-credentials-1161 Most of the use cases I have read up on seem to cover the Big-IP performing the OAuth 2.0 authentication on the incoming request/acting as a resource server instead of adding the token to the outgoing request as is required in (3).

There are some articles which almost seem to cover the topics I need, but not exactly: https://devcentral.f5.com/s/feed/0D51T00006i7jtFSAQ https://clouddocs.f5.com/training/community/iam/html/class2/module2/module2.html This iRule function also seems to provide a mechanism for caching OAuth 2.0 tokens, but where exactly they originate from is not completely clear to me: https://clouddocs.f5.com/api/irules/ACCESS__oauth.html In (3) it is certainly possible to add the "Authorization: Bearer" header in an iRule once it has been obtained, but I'm kind of stuck on how to obtain it in an iRule or link to the APM configuration elements. Firstly, can someone please let me know if what I am asking is at all possible, and secondly, could you provide some details on the murky/missing parts of my solution.

iRule for web proxy for only 2 addresses in internet
Hello, I created a proxy following the manual https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using/ta-p/286647 After that I want to create a custom iRule or other solution for the following task:

source address - 5 servers in DMZ zone
destination address to inet only 2 addresses: https://login.microsoftonline.com https://graph.microsoft.com

First of all, do I need to create a data group list with these URL strings and attach it to the iRule, or should all the information be only in the iRule? Please can somebody share a manual or example for that solution.

Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5-experts, My situation: I try to loadbalance Web-Proxy traffic. In general it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following Image. A client uses VS-A as its HTTP proxy. This VS loadbalances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The Proxies use the HTTP CONNECT method. VS-B on the other hand has a Pool B attached with a lot (as in really a lot) of other proxy servers that are not under our control (but are trustworthy, and have to be used. No way around it).

VS-A: Type Standard
HTTP-Profile: http-transparent (to be able to use LB method Fastest (node))
Source Address Translation: none
Default Persistence Profile: source_addr
Pool A: LB Method: Fastest (node)

VS-A: Type Standard
HTTP-Profile: http-transparent (to be able to use LB method Fastest (node))
Source Address Translation: SNAT
Default Persistence Profile: none
Pool B: LB Method: Fastest (node)

Problem: On some websites, people complain about losing their sessions. I tracked it down to VS-B, which cannot persist connections to a website to the same node in Pool B. Since VS-B does not see the original client IP, but only the 2 proxy IPs, I have no idea how to establish a proper persistence. For a very important website, I wrote an iRule that "hard-binds" to a single node in Pool B, based on the HTTP::URI.

My question: Is my config viable at all? Or what should I change? I read a lot of articles here, but I never had the feeling that those met my situation with the "2-stage" proxy environment. I was thinking about adding an HTTP header with the original client IP by an iRule in VS-A so I have something to make a persistence decision on in VS-B, but I'm not sure how to do that.

I also often read about applying the OneConnect profile combined with proxy loadbalancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment. I hope I made it somewhat clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a bit rusty using it. Any help or hint is very much appreciated. Thanks in advance, ichnafi

EDIT (28th Feb): I just found out that the desired website can be acquired from the HTTP::host header even by VS-B. So would it be possible to establish a persistence for the combination of client IP and HTTP::host header?

EDIT2: Possible Solution found (1st Mar): I currently ended up with an iRule creating a universal persistence based on the HTTP::host header. The iRule is then bound to a universal Persistence Profile. The iRule looks like this:

when HTTP_REQUEST {
    persist uie [HTTP::host]
}

I'm thinking of maybe creating a custom header that contains a combination of client_ip and HTTP::host value to get an even more definite persistence, but not quite sure about that. What do you guys think?

Squid forward caching proxy server conflicting with Load Balancer; images, JS, CSS not rendering in application
Have an interesting one here that I hope others can help unravel. A user tells me that the website application, which sits behind an F5 LB, is not rendering properly, e.g. it is missing images, stylesheets, JavaScript files, and the like. And it's not just this user; a colleague at his workplace has the same issue and seemingly others in the company also can reproduce this issue. I will say that this client (as in the company) is the only one who has reported such an issue. No other companies who use the application are reporting pages not rendering content properly. He had tried testing with a work laptop, work phone, personal phone, over the company network, cellular network, and home network and using multiple browsers. It was consistent across multiple browsers. I asked him to clear cache and cookies and that did not help. Here are the results of his testing:

Work laptop on home network: Pass.
Work laptop on company network: Fail.
Work laptop at their customer's location (possibly connected to customer's network): Fail.
Work phone on company network: Fail.
Work phone on cellular network (Verizon)*: Fail.
Personal phone on cellular network (AT&T)*: Pass.
Work colleague of user laptop connected to said colleague's phone configured as hotspot (Sprint) (not sure if devices are work or personal)**:
**This was conducted while on company premises.

It didn't seem to matter what browser was employed. I didn't get a report that it worked in one browser but not another, for instance. To make a long story short, I asked him to send me a Fiddler log and the logs showed something that I cannot reproduce on my end. The Fiddler log shows the page loaded with HTTP 200 but the content on the page (i.e. JavaScript files, stylesheets, images) shows HTTP 304. In the response headers, under Transport, for all requests, I see Connection: close and Via: 1.1 {unique ID} (squid/3.5.23) (The unique ID is some kind of specific value. It might be sensitive information so I decided to not include it in this post).

For , the response header Cache shows:
X-Cache: MISS from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

For , the response header Cache shows:
X-Cache: HIT from {unique ID}
X-Cache-Lookup: HIT from {unique ID}:{Port number}

I don't recall seeing anything like this before. It looks to be Squid, a caching and forward proxy server, that is sitting in front of the client and making requests to the LB. Since this company is the only one who has reported this issue and I cannot reproduce it on my end, it's probably safe to say that either this company is running Squid, their ISP is running Squid, or even both. I pressed the user to inquire with the company's IT if they are running any proxies and the answer was no. It's certainly possible the company's IT could be mistaken. Today, the user says that he came into his office and everything is working now. He tried Firefox, IE, wireless network, cellular network and does not understand why it's working. The likely possibilities I can think of as to what and why are:

Squid cache was flushed, which means this problem may return in the future.
Squid was not configured properly by the company's IT/ISP and now it is, thus resolving the issue.
Squid was taken offline and the client is connecting directly to the LB now.

What I am very concerned about is what happens if the company reports the same issue, or maybe another company who is running Squid or some other forward caching/proxy server reports the same issue? I really don't know if this is something where I have to tell the user that this is not our problem, this is your IT infrastructure and/or your local ISP's problem. In other words, whether the Squid server is configured properly or not, is this something where the LB needs to be configured such that it works around the problem? Does that make sense? If there is a configuration change that I need to enact on the LB, what are these changes and what are the step-by-step instructions? I'm sorry for the long-winded explanation but I'm trying to be detailed and thorough with this. Thank you very much.

Implement v2 of Proxy protocol based on TCP
One of our services is hosted in the on-prem datacenter and it requires forwarding the client IP address to the backend pool servers. So I would like to implement v2 of the proxy protocol based on the TCP Layer 4 header using iRules. I went through this link but it has only a v1 implementation: https://devcentral.f5.com/s/articles/proxy-protocol-initiator Appreciate the help in advance.

F5 HTTPS Transparent to Forward Proxy Encapsulator
Hello, My setup includes legacy clients sending HTTPS requests but they cannot set their HTTPS proxy. The F5 is a transparent proxy and the goal is to dynamically forward their traffic to external Squid proxies using the CONNECT method. The Squid's IP and port is transferred in a specific HTTP header. For HTTP traffic it works fine by using an iRule to forward their traffic to the destined proxy based on the header contents; for HTTPS it's a bit complicated and we haven't figured out a way so far to establish it. Would appreciate any suggestion for a way to establish it. Thanks. E.