sideband
9 Topics

Sideband connectivity issues
Hello Friends, I have a mobile application that was not designed for OTP. Now, as per the new initiative, we are including the OTP feature.

Mobile User -> F5 -> Middleware (application server integration with mobile webservice) -> Application server

We have SSL traffic from the mobile device till the middleware, with SSL passing the traffic with client and server SSL profiles. When the user starts the mobile app, he will be prompted for the username and password from the application server (the login page is sent from the middleware). After successful authentication, the middleware sends a page for OTP (the application server is not aware of this). When the user enters the OTP, APM is only enabled now. I capture the username and OTP via iRules, and authenticate them with my OTP server that is integrated with APM. Till now everything goes well. But as the data transfer is complete, APM does not send any data to the middleware, which is waiting for the OTP data.

I have duplicated the HTTP request with the OTP data in a JSON payload and send it to the server via a sideband connection. As the sideband requires an HTTP VS, I have configured an HTTP VS for this purpose with a server SSL profile enabled as well. As I was not able to make any successful connectivity (SSL negotiation fails... I have copied the same cipher values as that of the server to the SSL server profile) using the sideband configuration, I installed the HTTP-Super-SIDEBAND iRule as per the below link.

https://devcentral.f5.com/wiki/iRules.HTTP-Super-SIDEBAND-Requestor-Client-Handles-Redirects-Cookies-Chunked-Transfer-APM-Access-etc.ashx

When I use the vs-HSSR-helper, I get a server connectivity failure error from the LB_FAILED event of the HSSR-helper iRule. When I use my actual HTTP VS (which was configured for the sideband connectivity), I see the connection getting established, and the JSON payload also gets transferred.
Now the issue is that the client IP shows 127.1.1.1, and hence the middleware is not able to process the request correctly. Unfortunately I will be able to insert the client IP only with the HSSR-helper VS. But the HSSR-helper VS fails to connect to my HTTP or HTTPS middleware VS. I am stuck now. Request your help.

599 Views, 0 likes, 4 Comments

sideband call to external URL
Hey all, I am trying to see whether I can make a sideband call to an external URL and parse the response. I've looked at the various 'official' examples I could find:

https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086484/v11-iRules-Intro-to-Sideband-Connections.aspx

and elsewhere on the 'web, but I'm not seeing exactly what I want - almost everyone is calling a virtual server via an IP address/port. Basically, can I make a call (in an HTTP_REQUEST) to a URL and receive a response? Is there an example of calling e.g. http://api.example.com/getExperiment/123,456,789 and then receive the response and create a cookie (ignore whether the cookie needs to be created in the HTTP_REQUEST or HTTP_RESPONSE at this point)...

444 Views, 0 likes, 1 Comment

Sideband Irule optimization timeout
Dear All, I have a sideband call which is used in the Access Profile handling and references the iRule attached to the virtual server, which is all working well: we send the request and receive the server response data. The problem is that the peek status timeout is causing unnecessary delay. The question is how could we speed up the retrieval of data by forcing the F5 iRule script to process the response immediately and not having to wait for the configured peek timeout to pass? We also tested without the peek timeout, but by default it causes more than ten seconds of delay; if you configure it too low, then it could not always retrieve the server response payload. Isn't there a smarter way to not introduce this fixed delay, so that the sideband data retrieval is processed immediately when data is received?

    proc sidebandCall { Cred } {
        # Initialise the return value so the proc still returns if the connect fails
        set Resp ""
        if {[catch {connect -protocol TCP -timeout 5000 -idle 5 -status oconn_status 10.10.10.10:80} oserver] == 0 && $oserver ne ""} {
            ## create GET request
            set odata "GET / HTTP/1.1\r\nHost: 10.10.10.10:80\r\nAppid: appid\r\nAccept:application/json\r\nAuthorization: Basic $Cred\r\n\r\n"
            # this log line writes the Basic credential to the log in clear text
            log local0. "GET / HTTP/1.1;Host: 10.10.10.10.80;Authorization: Basic $Cred;Accept:application/json;Connection: Close"
            ## send the request
            send -status osend_status -timeout 5000 $oserver $odata
            log local0. "request sent"
            ## receive the response
            set Resp [recv -peek -status orecv_status -timeout 1500 $oserver]
            log local0. "server resp: $Resp"
        }
        return $Resp
    }

423 Views, 0 likes, 0 Comments

Sideband request with Helper Virtual for SSL
Hi, I am doing a sidebanding-request to an external host with SSL. I know that for SSL I need to use a helper virtual server. Now, I have a helper virtual server which has a client- and server-ssl profile assigned. As soon as this virtual has a clientssl profile, the sidebanding request fails with "Connection error: ssl_passthru:2761: not SSL (71)". Is it somehow possible to work around this and enable the sideband request to connect to the virtual through HTTP even if there is a clientssl profile assigned? The funny thing is, this worked some weeks ago, and I guess there has been some configuration on the http-profiles or anywhere else that now doesn't let my sideband request through... Thanks in advance, Rene

409 Views, 0 likes, 2 Comments

2 Way SSL and SIDEBANDS usage in iRules
I have a use case where we want to do client certificate authentication on a Big-IP that is running as a standalone ASM. Once we validate the certificate, we want to have the Big-IP reach out and talk to a web authentication server and grab a token to insert in the HTTP packet to be able to send down to the application. I am trying to figure out the best method to manage all this. My first thought would be to use an iRule and SIDEBANDS to talk to the web server to get the token. I do not have any experience using this though, and have pretty much stuck to fairly simple iRules up to this point. I would appreciate any thoughts on this or other ideas on how to accomplish this. We are already using proxy SSL for some other application, but with the restriction to RSA key exchanges only and some other issues it causes us down in the web server tiers, it is not an option we want to pursue going forward.

299 Views, 0 likes, 2 Comments

Sideband : Scope for asynchronous requests
Just starting with iRules and got to know of sidebands. So my requirement is that I do not want to block the actual HTTP request till the time the request from Sideband finishes. Instead I just want to use the HTTP request as a trigger for the sideband to be kicked in (based on certain conditions) and execute more in an asynchronous way (or background job). The HTTP request should be allowed to go through without causing any extra delays. Is this possible currently? Is there any other strategy I can use?

261 Views, 0 likes, 1 Comment

Does SideBand handle sending Soap with MTOM attachments?
I have a use case to use Sideband to intercept SOAP over HTTP requests sent to our F5 device and replicate those messages off to a testing environment that needs to get the same steady stream of data for regression testing. My design is using an iRule added to the Virtual Server that uses Sideband to open a connection to a new Virtual Server that controls what Server Pool to route the requests to based on the http::uri.

I have Sideband working great except for one request that is different because it is sending SOAP with an MTOM attachment. I am monitoring the backend traffic and the requests look good at a cursory level, but it's hard to verify since it's binary. The first step in my backend app is to validate the SOAP request against an XSD schema to ensure everything is correct. The requests without MTOM work just fine, but the ones with MTOM attachments fail stating the attachment isn't GZIP. I have altered my configs to point Sideband at multiple servers to ensure that the backend servers are configured just like the primary feed servers, and they are all correct. So I have narrowed it down to the Sideband logic must be corrupting the attachment when I create the $Data for the connection. Here is the snippet from my iRule where the connections are made and sent (minus all my logging statements):

    # Connect to an external host with a connection timeout of 1000ms and an idle timeout of 30 seconds
    set Iconn [connect -timeout 1000 -idle 30 -status Iconn_status $Isb_vserver]
    set Iconn_info [connect info -idle -status $Iconn]
    set Irequest [HTTP::request]
    set Idata "$Irequest[HTTP::payload]\r\n\r\n"
    set Isend_info [send -timeout 3000 -status Isend_status $Iconn $Idata]
    close $Iconn

I am guessing that the HTTP::payload variable doesn't include the MTOM attachments or corrupts them somehow, but I can't find any evidence to support my theory.
My backend server contains binary data that looks like it could be the attachment and the headers show the appropriate types for a binary payload. Any help is greatly appreciated. Steve

229 Views, 0 likes, 1 Comment

Irule - Destination mismatch for clone traffic
Hi, I'm working on a solution to use a clone pool to forward traffic to another server, but it rejects the traffic due to a destination IP address mismatch. Is there any iRule that can be worked out to change the destination IP address for the cloned traffic, or is there any other solution in Version 11? I saw a reference in regards to "sideband" but am not sure how to implement this. Please help if anyone has solved this situation. We are running Version 11.

175 Views, 0 likes, 0 Comments