proxy
46 Topics

Server reporting requests coming from port 80
I have a site using F5 to provide CAC authentication. It's a PHP server, and I get these values from the SERVER data:

    $_SERVER['SERVER_PROTOCOL'] = HTTP/1.1
    $_SERVER['SERVER_PORT'] = 80

As a user, when I navigate to the site I type HTTPS into the browser, but the PHP server still sees it coming in on port 80. I'm assuming the connection between the user and the F5 proxy is over HTTPS, but what's the connection between F5 and my server? Is that supposed to be HTTPS? I guess what I'm wondering is... should I be concerned and looking into this deeper?

Solved · 42 Views · 0 likes · 2 Comments

Help with iRule Proxy
Hi team, I'm working on an iRule where I need to replace the path /admin with the root / and forward the request to the appropriate pool. However, I'm encountering issues with the rule, and it doesn't seem to work as expected. Here's the first version I implemented:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "test.com" and [HTTP::path] starts_with "/admin" } {
            HTTP::path [string map -nocase {"/admin" "/"} [HTTP::path]]
            pool POOL-A
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-A"
        } else {
            pool POOL-B
            #log local0.info "Client Address --> [IP::client_addr] | Path: [HTTP::path] | Pool: POOL-B"
        }
    }

After some research, I saw that HTTP::path might need to be changed to HTTP::uri. I tried this version:

    when HTTP_REQUEST {
        # Log the original URI for debugging
        log local0. "Original URI: [HTTP::uri]"

        # Check if the URI starts with "/admin"
        if { [HTTP::uri] starts_with "/admin" } {
            # Modify the URI by replacing "/admin" with "/"
            set new_uri [string map {"/admin" "/"} [HTTP::uri]]
            HTTP::uri $new_uri

            # Log the modified URI for debugging
            log local0. "Modified URI: [HTTP::uri]"

            # Forward the request to the appropriate pool
            pool POOL-A
        } else {
            # Log default traffic for debugging
            log local0. "Default traffic - URI: [HTTP::uri], Pool: POOL-B"

            # Forward to the default pool
            pool POOL-B
        }
    }

Issue: Neither version seems to work. When I test requests to /admin, either the path replacement does not happen as expected, or the replaced path does not allow me to reach any subfolders after the root "/" (e.g. help, etc.), and on these objects we get a 404 Not Found error. Could someone point out what I might be missing, or any best practices for this kind of path manipulation? Thanks!

55 Views · 0 likes · 1 Comment

Intermittent Net::ERR_CONNECTION_RESET Error and Incomplete Loading over HTTPS
I have an F5 load balancing setup configured with two servers. My MVC web application, which incorporates Kendo UI, jQuery, and bootstrapping, is hosted on an IIS server with an SSL certificate. However, when accessing the application via HTTPS from outside the server, it often or sometimes results in a 'net::ERR_CONNECTION_RESET' error, with intermittent failures to load JavaScript and CSS files to the client browser. Strangely, upon reloading the page, the assets load properly, and the page functions as expected. This issue did not occur when the application was accessed via HTTP, where it worked properly without any issues. What could be the reason behind this problem?

544 Views · 0 likes · 2 Comments

Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5 experts,

My situation: I try to load balance web proxy traffic. In general it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following image.

A client uses VS-A as its HTTP proxy. This VS load balances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The proxies use the HTTP CONNECT method. VS-B, on the other hand, has a Pool B attached with a lot (as in really a lot of) other proxy servers that are not under our control (but are trustworthy, and have to be used. No way around it).

VS-A:
    Type: Standard
    HTTP Profile: http-transparent (to be able to use LB method Fastest (node))
    Source Address Translation: none
    Default Persistence Profile: source_addr
Pool A:
    LB Method: Fastest (node)

VS-A:
    Type: Standard
    HTTP Profile: http-transparent (to be able to use LB method Fastest (node))
    Source Address Translation: SNAT
    Default Persistence Profile: none
Pool B:
    LB Method: Fastest (node)

Problem: On some websites, people complain about losing their sessions. I tracked it down to VS-B, which cannot persist connections to a website to the same node in Pool B. Since VS-B does not see the original client IP, but only the 2 proxy IPs, I have no idea how to establish a proper persistence. For a very important website, I wrote an iRule that "hard-binds" to a single node in Pool B, based on the HTTP::uri.

My question: Is my config viable at all? Or what should I change? I read a lot of articles here, but I never had the feeling that those met my situation with the "2-stage" proxy environment. I was thinking about adding an HTTP header with the original client IP by an iRule in VS-A so I have something to make a persistence decision on in VS-B, but I'm not sure how to do that.

I also often read about applying the OneConnect profile combined with proxy load balancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment.

I hope I made it somewhat clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a bit rusty using it. Any help or hint is very much appreciated.

Thanks in advance,
ichnafi

EDIT (28th Feb): I just found out that the desired website can be acquired from the HTTP::host header even by VS-B. So would it be possible to establish a persistence for the combination of client IP and HTTP::host header?

EDIT2: Possible solution found (1st Mar). I currently ended up with an iRule creating a universal persistence based on the HTTP::host header. The iRule is then bound to a universal persistence profile. The iRule looks like this:

    when HTTP_REQUEST {
        persist uie [HTTP::host]
    }

I'm thinking of maybe creating a custom header that contains a combination of client_ip and HTTP::host value to get an even more definite persistence, but I'm not quite sure about that. What do you guys think?

804 Views · 0 likes · 12 Comments

FTP proxy via iRule
Hello, I'm trying to do an anonymous FTP connection through an F5 iRule. My logs of the iRule look like this:

    Rule /Common/iRule_ftp_proxy <CLIENT_ACCEPTED>: client FTP accepted
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: client payload - USER anonymous@193.190.198.27
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: sitename:193.190.198.27 - cmd:USER - uid:anonymous
    Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: address 193.190.198.27 port 21
    Rule /Common/iRule_ftp_proxy <SERVER_CONNECTED>: connected to server
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 220-Welcome to the Belnet public FTP server ftp.belnet.be !This server is located in Brussels, Belgium and operated by Belnet, the BelgianEducation and Research Network. If you have any problem, question or mirrorrequest, please send them to ftpmaint@belnet.be.This archive is available through the following means:RSYNC rsync://rsync.belnet.be (IPv4)HTTP http://ftp.belnet.be (IPv4 + IPv6)FTP ftp://ftp.belnet.be (IPv4 + IPv6)
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server found 220 ok
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payloadNote: opening too many parallel connections to this host is considered an abuse.All access is logged.Currently used storage capacity : 34T / 100T on /ftp220 193.190.198.27 FTP server ready
    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 331 Anonymous login ok, send your complete email address as your password

When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it.

This is my SERVER_DATA in the iRule:

    when SERVER_DATA {
        if { $static::debug } { log local0. "server payload [TCP::payload]" }
        if { [TCP::payload] starts_with "220" } {
            if { $static::debug } { log local0. "server found 220 ok" }
            TCP::respond "USER $uid\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
        TCP::collect
    }

I also tried modifying the rule like this:

    when SERVER_DATA {
        if { $static::debug } { log local0. "server payload [TCP::payload]" }
        if { [TCP::payload] starts_with "220" } {
            if { $static::debug } { log local0. "server found 220 ok" }
            TCP::respond "USER $uid\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        if { [TCP::payload] starts_with "331" } {
            TCP::respond "PASS $uid@example.com\r\n"
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
        TCP::collect
    }

This gets me one step further, but I'm still not able to connect. When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it.

    Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 230 Anonymous access granted, restrictions apply

Why is the '331 server_data' not being forwarded to my client so it can respond to it, or is this the task of the proxy? And why is the '230 server data' not reaching the client?

Cheers

579 Views · 1 like · 0 Comments

FTP proxy data connection
I've used this FTP proxy for the FTP connection: https://devcentral.f5.com/codeshare/ftp-proxy-v10-and-up

My iRule:

    when CLIENT_ACCEPTED {
        TCP::respond "220 Welcome to the F5 FTP Proxy v10\r\n"
        log local0. "client accepted"
        TCP::collect
    }
    when CLIENT_DATA {
        set ftplogin [TCP::payload]
        log local0. "login is $ftplogin"
        if { $ftplogin starts_with "USER" } {
            # You can set it up to use any DNS server you want.
            set dnslookup "10.191.31.60"
            set cuser [TCP::payload]
            scan $cuser {%[^@]@%s} garbage sitename
            scan $garbage %s%s cmd uid
            log local0. "$sitename"
            set ips [RESOLV::lookup @/OpusCapita/vs_dns_test -a $sitename]
            set ips $sitename
            if { $ips eq "" } {
                # Input wasn't an IP address, take some default action?
                log local0. "$ips Input wasn't an IP address"
                reject
            } else {
                TCP::payload replace 0 [TCP::payload length] ""
                set ftp_serv "[lindex $ips 0]"
                node [lindex $ips 0] [TCP::local_port]
                log local0. "member adresa [lindex $ips 0] port [TCP::local_port]"
            }
        }
        TCP::release
    }
    when SERVER_CONNECTED {
        TCP::collect
    }
    when SERVER_DATA {
        set serv_data [TCP::payload]
        if { $serv_data contains "220" } {
            TCP::respond "USER $uid\r\n"
            log local0. "user= \"USER $uid\""
            TCP::payload replace 0 [TCP::payload length] ""
        }
        TCP::release
    }

A user can connect to my FTP proxy VIP and connect to the destination ($sitename) server. At the moment I don't use DNS. But when the user tries to transfer some data to the FTP server, the user sees only a timeout and no data is sent. Can you please check where the problem can be?

My FTP profile:

    Name: proxy_ftp
    Parent Profile: ftp
    Translate Extended: Enabled
    Inherit Parent Profile: Enabled
    Data Port: 0

And log from the FTP server:

    [Cway2:/home/jtoivola/TEMP] date ; ftp 82.180.230.19 121
    Fri May 20 12:31:06 EEST 2016
    Connected to 82.180.230.19.
    220 Welcome to the F5 FTP Proxy v10
    Name (82.180.230.19:jtoivola): cwjuha1@82.180.220.75
    331 Password required for cwjuha1.
    Password:
    230 User CWay2005Juha1 logged in.
    Remote system type is UNIX.

    ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '230 User CWay2005Juha1 logged in.'
    ftp-child [32279] <05/20-12:37:47> USER-INF 'SYST' from 82.180.230.19
    ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '215 UNIX Cway'
    ftp-child [32279] <05/20-12:37:51> USER-INF 'PORT 82.180.230.19:51418' from 82.180.230.19
    ftp-child [32279] <05/20-12:37:51> USER-INF 'STOR testi' from 82.180.230.19
    ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '227 Entering Passive Mode (10,190,8,6,225,252)'
    ftp-child [32279] <05/20-12:37:51> TECH-DBG got SRV-PASV 10.190.8.6:57852 for 82.180.230.19:28912
    ftp-child [32279] <05/20-12:37:51> TECH-INF 'STOR testi' sent for 82.180.230.19
    ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '150 ASCII data connection for testi (82.180.220.75,36979).'
    ftp-child [32279] <05/20-12:37:55> USER-INF Transfer for 82.180.230.19 completed: STOR 'testi' read 0/4 byte/sec
    ftp-child [32279] <05/20-12:37:55> TECH-DBG from Server-PI (3): '552 testi: An invalid argument value was given.'

583 Views · 0 likes · 1 Comment

Websites do not load correctly when load balancing via proxy
We currently have a pair of BIG-IPs with 11.5 running in our DC. One of the services we want to load balance is a pair of Cisco WSAs (IronPort) which function as web proxies. When a client connects via the BIG-IP's VIP to access the proxies, we have the problem that not all of the content is loaded. This problem does not change if we take one of the WSAs out of the pool so that we can be sure we always go via the same proxy. It is also working fine when the clients go via one of the proxies directly.

[UPDATE] The http-WSA-proxy profile is based on the fastL4 but has XFF enabled.

Does anyone have an idea what we are missing and why we are not receiving the complete page?

High level traffic flow: Client <> BIG-IP Cluster <> Firewall <> 2x Cisco WSA Web Proxy <> Firewall <> Internet

LTM config:

    ltm virtual vs_NAME {
        destination VIP%RD:webcache
        ip-protocol tcp
        mask 255.255.255.255
        partition NAME
        persist {
            source_addr_mirror {
                default yes
            }
        }
        pool NAME
        profiles {
            /Common/fastL4 { }
            http-WSA-proxy { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans {
            NAME-VIPs
        }
        vlans-enabled
        vs-index 17
    }

457 Views · 0 likes · 5 Comments

Any iRules that act as Virtual Server for By-Pass Cert
F5 APM with SWG module, so this F5 acts as a proxy and intercepts certificates. I have a problem with the intercept certificate: some websites cannot use it, so I solved that problem by creating a new virtual machine and fixing the destination to each website's IP (nslookup). But I think it's not a good solution, because if more websites have this problem, I have to add more virtual servers. So I try to bypass the destination by using iRules:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::local_addr] equals "xxx.xxx.xxx.xxx"] } {
            SSL::disable
        }
    }

But it did not work; could you please suggest the iRules command to me?

196 Views · 0 likes · 1 Comment

How to delete proxy sys db configurations on ASM?
Hello Everyone, I'm having an issue here where I'd like to totally remove the proxy configurations. What happens here is that the ASM tries to resolve <null> as a domain, so the update fails. We are using TMOS v14.1. Thanks in advance!

Solved · 2.5K Views · 0 likes · 5 Comments

iRule for web proxy for only 2 addresses on the internet
Hello, I created a proxy following the manual https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using/ta-p/286647

After that I want to create a custom iRule or other solution for the next task:

    source addresses: 5 servers in the DMZ zone
    destination addresses to the internet, only 2 addresses:
        https://login.microsoftonline.com
        https://graph.microsoft.com

First of all, do I need to create a data group list with these URLs as strings and attach it to the iRule, or can all the information live only in the iRule? Please can somebody share a manual or example for that solution.

939 Views · 0 likes · 4 Comments