Enhancing the F5 DoD Banner with EU CAPTCHA (Myra) & Sideband Validation
Features & Security Hardening (v1.3) Besides the frontend EU CAPTCHA integration, this iRule introduces several security hardening measures (P3–P9): Strict POST Enforcement: Banner acceptance is strictly limited to POST requests. Content-Security-Policy (CSP): Implements restrictive HTTP headers tailored to safely allow the CAPTCHA's verify.js script to execute. Overview and Benefits of Myra EU CAPTCHA Myra EU CAPTCHA is a bot protection solution developed in Germany. It is positioned as a sovereign, European, and 100% GDPR-compliant alternative to traditional American providers (such as Google reCAPTCHA or Cloudflare Turnstile, which are subject to the CLOUD Act). Key Features: Seamless User Experience (Zero-Click): Verification is performed automatically in the background using cryptographic calculations. The user does not need to take any action (no visual puzzles to solve, no traffic lights to identify). The system is therefore completely accessible and barrier-free. Privacy by Design: The solution operates entirely without cookies and does not use any persistent storage in the browser (meaning you do not need to add a cookie consent banner). Furthermore, no personal data is stored, and any potentially identifying metadata is anonymized using a hashing system. Security and Sovereignty: Built on Myra Security technology, the solution relies on the analysis of over 100 billion daily CDN signals. Customers benefit from a certified sovereign technology (ISO 27001, BSI C5, PCI DSS) and can mandate that data processing takes place exclusively in data centers located in Germany or within the European Union. https://www.eu-captcha.eu/ https://docs.eu-captcha.eu/integration/frontend/html-integration/ Implementation Steps 1. Configure the Internal Sideband Virtual Server The iRule requires an internal Virtual Server to route API traffic to Myra. Create a file named eucaptcha-sideband-vs.conf in /var/tmp/ on your BIG-IP with the following content: ltm node /Common/node-api.eu-captcha.eu { fqdn { autopopulate enabled interval ttl name api.eu-captcha.eu } } ltm monitor https /Common/hm_myra_eucaptcha_https { adaptive disabled defaults-from /Common/https destination *:* interval 20 ip-dscp 0 recv HTTP/1 recv-disable none send "GET / HTTP/1.1\r\nHost: api.eu-captcha.eu\r\nConnection: close\r\n\r\n" time-until-up 0 timeout 21 } ltm pool /Common/pool_eucaptcha_api { members { /Common/node-api.eu-captcha.eu:https { } } monitor /Common/hm_myra_eucaptcha_https } ltm profile server-ssl /Common/server-api.eu-captcha.eu { app-service none defaults-from /Common/serverssl server-name api.eu-captcha.eu sni-default true } ltm virtual /Common/vs_dod_eucaptcha_sb { destination 10.10.10.8:webcache ip-protocol tcp mask 255.255.255.255 pool /Common/pool_eucaptcha_api profiles { /Common/http { } /Common/server-api.eu-captcha.eu { context serverside } /Common/tcp { } } serverssl-use-sni enabled source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled } Note: This configuration creates the necessary node, pool, Server SSL profile (with SNI enabled), and the internal Virtual Server vs_dod_eucaptcha_sb Merge this configuration into your BIG-IP via tmsh: tmsh load sys config merge file /var/tmp/eucaptcha-sideband-vs.conf 2. Generate Your Local HMAC Key To ensure the integrity of the banner acceptance cookie, generate a robust random string on your BIG-IP bash shell: openssl rand -hex 32 3. Deploy the iRule Create a new iRule on your BIG-IP and paste the source code. You must update the RULE_INIT block with your specific values: when RULE_INIT { set static::dod_banner_ttl 600 set static::dod_banner_hmac_key "PASTE_YOUR_OPENSSL_HEX_KEY_HERE" set static::eucaptcha_sitekey "YOUR_EUCAPTCHA_SITEKEY" set static::eucaptcha_secret "YOUR_EUCAPTCHA_SECRET" set static::eucaptcha_sideband_vs "vs_dod_eucaptcha_sb" # Trusted proxy CIDRs (empty = IP::client_addr only). Ex. : list "10.0.0.0/8" set static::dod_banner_trusted_proxy_cidrs [list] # Max acceptations / IP / window (seconds) set static::dod_banner_accept_rate_limit 10 set static::dod_banner_accept_rate_window 60 } Note: The HTML payload is embedded in the iRule and handles the frontend display and token submission. 4. Attach to your Virtual Server Attach the iRule to the public-facing Virtual Server protecting your application. Validation & Testing Open an Incognito/Private browsing window and navigate to your application. You should be intercepted by the DoD warning banner containing the EU CAPTCHA widget. Solve the challenge. The "I Accept" (J'ai pris connaissance et j'accepte) button will enable. Submit the form. The BIG-IP will validate the token via sideband, generate an HMAC-signed _si_gate cookie, and redirect you to the application. Refresh the page; the banner should be bypassed as long as the cookie remains valid (default 600 seconds). Credits Special thanks to Eric Haupt for the original repository that made this possible: https://github.com/hauptem/F5-LTM-iRule-based-DoD-Banners
Form Based Authentication with external SOAP web services
Problem this snippet solves: 1- You need to authenticate users against an external authentication system relying on SOAP calls. 2- The session identifier must be provided by an external third party system. How to use this snippet: Installation Files You need to upload an html login page using ifiles. You need to upload the SOAP body of the external web service using ifiles. irule You need to install the irule on your Virtual Server you need to protect. Variables set static::holdtime 3600 # session timeout set static::login_url "/login" # login url set static::sideband_vs "VS_EXTERNAL_AUTH_PROVIDER" # Virtual Server that publish the web service Features Version 1.0 Form based login (provided by a custom ifile) Authentication against an external SOAP web service Manage Session timeout Backlog Improve logging Allow 2-factor authentication (Challenge) Encrypt Session cookie Provide internal mecanism to generate a session cookie accept Basic Authentication External links Github : https://github.com/e-XpertSolutions/f5 Code : when RULE_INIT { set static::holdtime 3600 set static::login_url "/login" set static::sideband_vs "VS_EXTERNAL_AUTH_PROVIDER" } when HTTP_REQUEST { if { [HTTP::cookie exists SessionCook] and [table lookup -subtable "active_sessions" [HTTP::cookie SessionCook]] != "" } { return } else { if { [HTTP::path] eq $static::login_url } { if { [HTTP::method] eq "POST" } { if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } if { $content_length > 0} { HTTP::collect $content_length } } else { HTTP::respond 200 content [ifile get login.html] "Cache-Control" "no-cache, must-revalidate" "Content-Type" "text/html" } } else { HTTP::respond 302 noserver "Location" $static::login_url "Cache-Control" "no-cache, must-revalidate" Set-Cookie "SessionCook=$result;domain=[HTTP::host];path=/" } } } when HTTP_REQUEST_DATA { set payload [HTTP::payload] set username "" set password "" regexp {Login1\%3AtxtUserName\=(.*)\&Login1\%3AtxtPassword\=(.*)\&Login1\%3AbtnSubmit\=(.*)} $payload -> username password garbage if {[catch {connect -timeout 1000 -idle 30 -status conn_status $static::sideband_vs} conn_id] == 0 && $conn_id ne ""}{ log local0. "Connect returns: $conn_id and conn status: $conn_status" } else { log local0. "Connection could not be established to sideband_virtual_server" } set content [subst -nocommands -nobackslashes [ifile get soap_body]] set length [string length $content] set data "POST /apppath/webservicename.asmx HTTP/1.1\r\nHost: www.hostname.com\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: $length\r\nSOAPAction: http://schemas.microsoft.com/sqlserver/2004/SOAP\r\n\r\n$content" set send_bytes [send -timeout 1000 -status send_status $conn_id $data] set recv_data [recv -timeout 1000 $conn_id] # parse response to retrieve the authentication result, it gives 0 if authentication failed or a session_id if it succeed regexp { (.*) (.*)} $recv_data -> result garbage unset content unset length unset data unset recv_data close $conn_id # add a custom alert notification to the login page if { $result == 0 } { set alert " Invalid credentials. " HTTP::respond 200 content [subst -nocommands -nobackslashes [ifile get login.html]] "Cache-Control" "no-cache, must-revalidate" "Content-Type" "text/html" Set-Cookie "SessionCook=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" } else { HTTP::respond 302 noserver "Location" "/" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "SessionCook=$result;domain=[HTTP::host];path=/" # save the cookie value in a cache for fast checking table add -subtable "active_sessions" $result $username indef $static::holdtime } } Tested this on version: 11.5
sideband call to external URL
Hey all, I am trying to see whether I can make a sideband call to an external URL and parse the response. I've looked at the various 'official' examples I could find: https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086484/v11-iRules-Intro-to-Sideband-Connections.aspx and elsewhere on the 'web, but I'm not seeing exactly what I want - almost everyone is calling a virtual server via an IP address/port. Basically, can I make a call (in an HTTP_REQUEST) to a URL and receive a response? Is there an example of calling e.g. http://api.example.com/getExperiment/123,456,789 and then receive the response and create a cookie (ignore whether the cookie needs to be created in the HTTP_REQUEST or HTTP_RESPONSE at this point)...
iRules LX Sideband Connection
Problem this snippet solves: Sideband connections in traditional TCL iRules can be large, complex and difficult to support. Additionally doing something with the information retrieved (such as JSON) may require the use of regular expressions to parse the content before it can be used, something to be avoided if at all possible due to the performance overhead. Using the inbuilt capabilities of Node.js, sideband calls in iRules LX are much easier to implement and with a range of inbuilt as well as NPM packages, the possibilities are endless. To make the external request, the example uses 'https' package from the standard library, however many more are available via NPM such as 'request' which is much simpler to use and doesn't need to chuck the response. The advantage of using the standard library in this instance is this can be done 'out of the box' and doesn't require the use of NPM. In this simple example, a traditional iRule requests the object 'title', which is a JSON object from a publicly available API (https://jsonplaceholder.typicode.com/). { "userId": 1, "id": 1, "title": "delectus aut autem", "completed": false } iRules LX will, make the call using the standard 'https' library, parse the JSON data and return the value for 'title' to the calling iRule, which will be then returned to the user as an HTTP response How to use this snippet: Add the following iRule to yout iRules LX Workspace. This will make an RPC call to iRules LX, using the plugin 'ilx_pl' and the extension 'ilx_ext' You can however call this what you like providing your update the ILX::init command to reflect this. when HTTP_REQUEST { # pass argument to ILX in form of a requested JSON object: # {"userId": 1,"id": 1,"title": "delectus aut autem","completed": false} set arg title set ilx_handle [ILX::init "ilx_pl" "ilx_ext"] if {[catch {ILX::call $ilx_handle "httpRequest" $arg} result]} { log local0.error "Client - [IP::client_addr], ILX failure: $result" HTTP::respond 400 content "<html>There has been an error.</html>" return } HTTP::respond 200 content $result log local0. "retrieved parsed JSON value for $arg: $result" } Use the iRules LX code below for the index.js file, within your workspace Code : var https = require("https"); var f5 = require("f5-nodejs"); var ilx = new f5.ILXServer(); function httpRequest (req, res) { https.get('https://jsonplaceholder.typicode.com/todos/1', function (resp) { var data = ''; // A chunk of data has been recieved. resp.on('data', function (chunk) { data += chunk; }); // The whole response has been received. Parse JSON resp.on('end', function () { res.reply(JSON.parse(data).title); }); }).on("error", function (err) { console.log("Error: " + err.message); }); } ilx.addMethod('httpRequest', httpRequest); ilx.listen(); Tested this on version: 12.1Sideband Irule optimization timeout
Dear All, I have a sideband call which is used in the Access Profile handling and references the Irule attached to the virtual server, which is all working well, we send the request and receive the server response data. The problem is the peek status timeout is causing unnecessary delay. The question is how could we speed up the retrieval of data by forcing the F5 irule script to process the response immediately and not having to wait for the configured peek timeout to pass? We tested also witout the peek timeout but by default it causes more than ten second delay, if you configure it too low then it could not always retrieve the server response payload. Isnt there are smarter way to not introduce this fixed delay for the sideband data retreival to be processed immediatly when data is received? proc sidebandCall { Cred } { set oauthResp "" if {[catch {connect -protocol TCP -timeout 5000 -idle 5 -status oconn_status 10.10.10.10:80} oserver] == 0 && $oserver ne "" } { ## create GET request set odata "GET / HTTP/1.1\r\nHost: 10.10.10.10:80\r\nAppid: appid\r\n\Accept:application/json\r\n\Authorization: Basic $Cred\r\n\r\n" log local0. "GET / HTTP/1.1;Host: 10.10.10.10.80;Authorization: Basic $Cred;Accept:application/json;Connection: Close" ## send the request send -status osend_status -timeout 5000 $oserver $odata log local0. "request sent" ## recieve the response set Resp [recv -peek -status orecv_status -timeout 1500 $oserver] log local0. "server resp: $Resp" } return $Resp }
Does SideBand handle sending Soap with MTOM attachments?
I have a usecase to use Sideband to intercept SOAP over HTTP requests sent to our F5 device and replicate those messages off to a testing environment that needs to get the same steady stream of data for regression testing. My design is using an iRule added to the Virtual Server that uses Sideband to open a connection to a new Virtual Server that controls what Server Pool to route the requests to based on the http::uri. I have Sideband working great except for one request that is different because it is sending SOAP with an MTOM attachment. I am monitoring the backend traffic and the requests look good at a cursory level but it's hard to verify since it's binary. The first step in my backend app is to validate the SOAP request against an XSD schema to ensure everything is correct. The requests without MTOM work just fine but the ones with MTOM attachments fail stating the attachment isn't GZIP. I have altered my configs to point Sideband at multiple servers to ensure that the backend servers are configured just like the primary feed servers and they are all correct. So I have narrowed it down to the Sideband logic must be corruption the attachment when I create the $Data for the connection. Here is the snippet from my iRule where the connections are made and sent (minus all my logging statements): Connect to an external host with a connection timeout of 1000ms and an idle timeout of 30 seconds set Iconn [connect -timeout 1000 -idle 30 -status Iconn_status $Isb_vserver] set Iconn_info [connect info -idle -status $Iconn] set Irequest [HTTP::request] set Idata "$Irequest[HTTP::payload]\r\n\r\n" set Isend_info [send -timeout 3000 -status Isend_status $Iconn $Idata] close $Iconn I am guessing that the HTTP::payload variable doesn't include the MTOM attachments or corrupts them somehow but I can't find any evidence to support my theory. My backend server contains binary data that looks like it could be the attachment and the headers show the appropriate types for a binary payload. Any help is greatly appreciated. Steve
Sideband connectivity issues
Hello Friends, I have a mobile application that was not designed for OTP. Now as per the new initiative, we are including the OTP feature. Mobile User -> F5 -> Middleware (application server integration with mobile webservice) ->Application server. We have SSL traffic from the mobile device till the middleware, with SSL passing the traffic with client and server SSL profiles. When user starts the mobile app, he will be prompted for the username and password from the application server (the login page is sent from the middleware). After successful authentication, the middleware sends a page for OTP (Application server is not aware of this. When the user enters the OTP, APM is only enabled now. I capture the username and OTP via irules, and authenticate them with my OTP server that is integrated with APM. Till now everything goes well. But as the data transfer is complete, APM does not send any data to the middleware which is waiting for the OTP data. I have duplicated the HTTP request with the OTP data in json payload and send it to the server via sideband connection. As the sideband requires an HTTP VS, I have configured an HTTP VS for this purpose with server SSL profile enabled as well. As I was not able to make any successful connectivity (SSL negotiation fails... I have copied the same cipher values as that of the server to the SSL server profile) using the sideband configuration, I installed the HTTP-Super-SIDEBAND irule as per the below link. https://devcentral.f5.com/wiki/iRules.HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-Chunked-Transfer-APM-Access-etc.ashx When I use the vs-HSSR-helper, I get a server connectivity failure error from LB_FAILED event of the HSSR-helper irule. When I use my actual HTTP VS (which was configured for the sideband connectivity), I see the connection getting established, and the json payload also gets transferred. Now the issue is that the client IP shows 127.1.1.1, and hence the middleware is not able to process the request correctly. Unfortunately I will be able to insert the client IP only with the HSSR-helper VS. But HSSR-helper VS fails to connect to my HTTP or HTTPS middleware VS. I am struck now. Request your help.
2 Way SSL and SIDEBANDS usage in iRules
I have a use case where we want to do client certificate authentication on the a Big-IP that is running as a stand alone ASM. Once we validate the certificate we want to have the Big-IP reach out and talk to a web authentication server and grab a token to insert in the HTTP packet to be able to send down to the application. I am trying to figure out the best method to manage all this. My first thought would be to use an iRule and SIDEBANDS to talk to the web server to get the token. I do not have any experience using this though and have pretty much stuck to fairly simple iRules up to this point. I would appreciate any thoughts on this or other ideas on how to accomplish this. We are already using proxy SSL for some other application but with restriction to RSA key exchanges only and some other issues it causes us down in the web server tiers it is not an option we want to pursue going forward.Irule - Destination mismatch for clone traffic
Hi, Im working on a solution to use clone pool to forward traffic to another server but it reject the traffic due to destination IP address mismatch. Is there any irule that can be worked out to change the destination IP address for the cloned traffic or is there any other solution in Version 11 ? I saw reference in regards to "sideband" but not sure how to implement this. Please help if anyone have solved this situation. we are running Version 11Sideband : Scope for asynchronous requests
Just starting with IRules and got to know of sidebands. So my requirement is that I do not want to block the actual http request till the time request from Sideband finishes. Instead I just want to use http request as a trigger for sideband to be kicked in (based on certain conditions) and execute more in asynchronous way (or background job). The http request should be allowed to go through without causing any extra delays. Is this possible currently ? Is there any other strategy I can use ?
