proxypass
12 Topics

Disable Server SSL profile using iRules while using the ProxyPass iRule
Hey everyone! We have a generic VS which receives all of the traffic for a certain IP address + port 443. We have applied the ProxyPass iRule, which distributes the connections to the correct pool based on the URL. The VS itself is configured to use both a Client SSL profile and a Server SSL profile. This works for the current servers linked to the VS, but the new pool I want to add does not use HTTPS. The pool member is using a non-standard port over the HTTP protocol, so when the BIG-IP device is establishing its connection to the pool member it obviously does not work since it's communicating over HTTPS. I have been trying to turn off the Server SSL profile by using iRules but I don't seem to get it to work. I have used the examples found in the SSL::disable article and I have the following examples that I have tried:

Example 1:

    when HTTP_REQUEST {
        if { [HTTP::host] equals "url.com" } {
            SSL::disable serverside
            pool pool1
        }
    }

Example 2:

    when HTTP_REQUEST {
        if { [HTTP::host] equals "url.com" } {
            pool pool1
            set usessl 0
        }
    }
    when SERVER_CONNECTED {
        if { $usessl == 0 } {
            SSL::disable
        }
    }

Example 3:

    when HTTP_REQUEST {
        if { [HTTP::host] equals "url.com" } {
            pool pool1
        }
    }
    when SERVER_CONNECTED {
        if { [PROFILE::exists serverssl] == 1 } {
            set disable "SSL::disable serverside"
        }
    }

I applied logging and I can at least see that the traffic is matching the iRule, but I'm not entirely sure how I can add more logging to see everything that's happening. Example 3 will probably turn off ServerSSL entirely but either way it did not work. I'm starting to guess that the ProxyPass iRule is conflicting with my own iRule but I don't have enough iRule knowledge to determine that. Has anyone else tried to do the same? Do you guys have a suggestion on how to solve this without needing a new external IP address? Thanks in advance!

1.6K Views | 0 likes | 5 Comments

iRule proxypass with profilessl
Hello, we are using the ProxyPass iRule to change the pool when the URI parameter changes, so when a user is hitting a.b.c.com/start it is going to the pool defined in the datagroup, and that's working fine. Now we have deployed certificates on the server side to secure traffic between the F5 and the physical servers, and unfortunately it doesn't work. We set the SSL Profile (Server) on the VIP to profilessl, we correctly defined POOL -> profilessl in the ProxyPassSSLProfiles datagroup, and when accessing a.b.c.com/test it responds with: server doesn't send any data. It looks like a loop: it is finding the rule but cannot proceed because we are not receiving data. When we access the server directly (avoiding the VIP) it responds without issue. Below is the debugging from the iRule.

1.4K Views | 0 likes | 11 Comments

LTM - Proxypass for a single URI with content response rewrite
I'm trying to publish an internal website (xpto.company.local/originalfile.php) but I want to present it to the customer as xpto.company.com/index.php. I can do the URL rewrite (request and response) but I can't figure out how to rewrite the content so that the customer can call xpto.company.com/index.php?option=1 and the LTM forwards it to xpto.company.local/originalfile.php?option=1. I'm also having no luck rewriting the response from the server (payload) on the LTM to change the internal URLs to external ones. I've looked into ProxyPass but all the documentation and examples only talk about folders and not files. Any help would be appreciated. The LTM is with v13.

Solved | 956 Views | 0 likes | 2 Comments

Apache to F5 Configuration
Hi everyone, we are having trouble with our F5 configuration. Here is the scenario: we are using a mobile application (from the Play Store) to access the server. It uses a standard VS with port 443 and performs SSL offloading. The configuration is based on the Apache server, which is currently in production with no errors. A single server is used for access via the web and the mobile application; it only uses different ports. Here is the config:

    ProxyPass /fo connectiontimeout=60 timeout=600
    ProxyPassReverse / timeout=600
    ProxyPass /mob connectiontimeout=60 timeout=600
    ProxyPassReverse /mob timeout=600

Looking at the firewall, no other port is being used by the client when accessing using the application. We captured some pcap; based on it, the F5 can receive the traffic and can exchange SSL. However, we cannot see that the F5 is sending the traffic to the server. It seems that there is a configuration error with the virtual server. We tried changing the type to Performance L4 but SSL offloading is removed. We also changed the protocol to All protocol, but still, SSL offloading is removed. Is there a way to have an All protocol type of VS but with SSL offloading? If this can be done via iRule. If not, has anyone experienced the same problem (using a mobile application passing through the F5)? Thank you all for the response.

399 Views | 0 likes | 1 Comment

ProxyPass iRule with regular expressions
Hi, I have been asked to migrate the ProxyPass and ProxyPassReverse rules from the Apache to the BigIP. I found the following iRule here at DevCentral: https://devcentral.f5.com/wiki/iRules.proxypassv10.ashx

The issue is that it's matching on simple rules like /foo/bar but not on regular expressions like ^(/(?:[a-zA-Z]{2}/[a-zA-Z]{2}|[a-z]{2})/fooo*.baar) that should match /SE/sv/fooo.baar and /se/fooo.baar

    ltm virtual /PRD_www/andreas-www {
        destination /PRD_www/192.168.80.3:80
        ip-protocol tcp
        mask 255.255.255.255
        pool /PRD_www/test
        profiles {
            /Common/http { }
            /Common/oneconnect { }
            /Common/tcp { }
        }
        rules {
            /PRD_www/logging
            /PRD_www/ProxyPass
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans-disabled
    }
    ltm data-group internal /PRD_www/ProxyPass {
        records {
            "^(/(\?:\[a-zA-Z]{2}/\[a-zA-Z]{2}|\[a-z]{2})/fooo\*\\.baar)" {
                data "http://test-www.baar.com$1 systst2-ext"
            }
            /foo/bar/ {
                data "http://test-www.baar.com/foo/bar/ systst2-ext"
            }
        }
        type string
    }

Output from the log is:

    May 13 11:18:50 andreas info tmm[9337]: Rule /PRD_www/ProxyPass : VS=/PRD_www/andreas-www, Host=192.168.80.3, URI=/se/fooo.baar: No rule found, using default pool /PRD_www/test and exiting
    May 13 11:49:36 andreas info tmm[9337]: Rule /PRD_www/ProxyPass : VS=/PRD_www/andreas-www, Host=192.168.80.3, URI=/foo/bar/: Using parsed pool systst2-ext (make sure you have OneConnect enabled)

Regards
Andréas

384 Views | 0 likes | 1 Comment

Converting NGINX proxypass rule to iRule
Hi, I have the following nginx rule which I need to convert to an F5 rule. I am very new to F5. It would be great if someone can help me or give a good pointer to some examples.

    upstream x1 {
        server server1:8080;
        server server2:8080;
    }
    location /uri1/uri2/api/ {
        proxy_pass_header Set-Cookie;
        proxy_pass http://x1/myuri/api;
    }

Thanks in advance
Cheers,
Kandarp

374 Views | 0 likes | 1 Comment

Host rewrite with SSL offloading
Hello, I am trying to accomplish the following task, which looks very easy, but I currently cannot figure it out or find it on DevCentral or in the KB. I would like to use my BIG-IP with LTM as a reverse proxy replacement with SSL offloading towards the internet, i.e.:

    External application: https://app.external.com
    Internal application: http://app.internal.com

Everything appended after the URL should be kept as it is (no URI rewrite), meaning:

    https://app.external.com/a -----> http://app.internal.com/a
    https://app.external.com/b -----> http://app.internal.com/b

So basically, I only want the host name rewritten, as we are using IIS host headers to bind multiple websites on a single IP. In order to accomplish that, I have set up a VS with a client SSL profile, and applied the ProxyPass iRule. Nevertheless, I can see that when the server response is on http, the client gets the http URL, then the HTTPS back, and this throws a client error. The ProxyPass log is:

    Rule /Common/ProxyPass : VS=/Common/test_vs_https_app.external.com, Host=app.external.com, URI=/a/: Changing response header Location: http://app.internal.com/a/login.do with http://app.external.com/a/login.do

As you can see, the response back to the client is in http, rather than https, and this obviously generates an error. Can you please help me in obtaining such an objective?

350 Views | 0 likes | 2 Comments

ProxyPass iRule failing reading content on data group
The ProxyPass ver 10.9 has issues on retrieving the information stored on the data groups. I got this error when trying to load the iRule (in the GUI the iRule loads but when I try the command tmsh load sys config not):

    [root@asmjs2:Active:Standalone] config zmore /var/log/ltm* | grep missing
    Jan 15 14:37:18 asmjs2 err mcpd[7566]: 01070151:3: Rule [/Common/rule_proxypass] error: /Common/rule_proxypass:79: error: [parse error: missing close-bracket][[URI::basename [virtual name]" if { $static::ProxyPassDebug > 1 } { log local0. "[virtual name]: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]" }]
    [root@asmjs2:Active:Standalone] config

The line 75 has this command:

    set serverside [string trimleft [getfield $ppass " " 2 ] "{" ]

272 Views | 0 likes | 2 Comments

rewrite host in web reply header and body
Hello, I'm trying to use the ProxyPass iRule to rewrite the host in links when the server responds to the client. Right now I've got it working for pages on the same server, but links to other servers break.

Example: the client requests abc.xyz.com and this is changed to abc.xyz.internal.com. This works. The problem arises when the server responds with a link to def.xyz.internal.com. Ideally what I need is any request from external to be updated with the internal domain and any replies (including links in pages) from the servers to have the internal domain removed.

255 Views | 0 likes | 0 Comments

ProxyPass Appending "/" to URI 404 Error
Hey All, need a bit of assistance here, thinking this should be an easy fix but I can't figure it out. Testing out the ProxyPass iRule so that when the end user enters a URL they get redirected but the URL remains the same from their perspective. ProxyPass is working but it's appending a "/" at the end of the URI and that path isn't on the server. Here are the debug logs:

    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : devpasswordreset.environment.dev_443: 10.10.10.10:55759 -> 172.30.25.84:443
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Found Rule, Client Host=devpasswordreset.environment.dev, Client Path=, Server Host=devpasswordreset.environment.dev, Server Path=/rdweb/pages/en-us/devpassword.aspx
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Using default pool devpasswordreset.environment.dev_80
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: New Host=devpasswordreset.environment.dev, New Path=/rdweb/pages/en-us/devpassword.aspx/
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Removed Accept-Encoding header
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: 404 response from devpasswordreset.environment.dev_80 172.30.26.98 80
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: $stream_expression_cmd: STREAM::expression "@devpasswordreset.environment.dev/rdweb/pages/en-us/devpassword.aspx@devpasswordreset.environment.dev@ @/rdweb/pages/en-us/devpassword.aspx@@", $stream_enable_cmd: STREAM::enable
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Successfully configured and enabled stream filter
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking Location=, $protocol=
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking Content-Location=, $protocol=
    Mar 6 22:51:39 local/tmm info tmm[4929]: Rule devpasswordreset.environment.dev : VS=devpasswordreset.environment.dev_443, Host=devpasswordreset.environment.dev, URI=/: Checking URI=, $protocol=

Here's a packet capture of the server side:

Is there anything I need to tweak to keep this from happening?

Thanks,
Brian

250 Views | 0 likes | 3 Comments