iRule to Change HTML "Name" Attribute in VPE
I am attempting to have an iRule that will change the HTML while in the VPE. We have an application that uses SAML and is looking for the "name" attribute to be "user," but our SAML IdP's name attribute is "username." This is important because the application allows credential caching, but it is hard coded to only allow caching for that specific value. I've been reading up on the STREAM expression to do this, but can't seem to figure out how to have the F5 do it since it is redirecting to the IdP. We were able to do this with IIS, but would rather have the F5 handle it. The other thought was to create a custom login screen on the F5 that would have the name attribute set correctly, but I can't figure out how to post to our ADFS SAML IdP. Update: I've been looking into the STREAM expressions, but apparently those have a bug when being used by APM as described in https://support.f5.com/csp/article/K12558. It doesn't appear that we have LTM installed on the same machine as APM because we don't have the option for "Host" in the destination box. When I log into the local (non-DMZ) LTM, it does have that option available. I've also tried using HTML_TAG_MATCHED, but it appears to only trigger the iRule AFTER the submit button is clicked on the form. From the documentation, it doesn't sound like that should be the way it happens - the example shows replacing jpg images with png, so it would need to happen on page load unless I am misunderstanding it. https://devcentral.f5.com/wiki/iRules.HTML-tag-attribute.ashx https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-4-0/9.html Thanks!
STREAM::expression and "thread safety"
Hi, I don't think "thread safety" is the right term here, but kinda helps explain my question. STREAM::expression can be changed in an iRule, and the documentation says it affects "this connection only": https://devcentral.f5.com/wiki/irules.stream__expression.ashx What happens if I'm changing this in HTTP_RESPONSE and there's multiple requests / responses on the same TCP connection? Will the STREAM::expression set in one HTTP_RESPONSE pollute the value set in another? Do multiple HTTP_REQUESTs and HTTP_RESPONSEs happen at the same time if there's many concurrent requests from the same browser? Likewise, for STREAM::enable. I've already come across the issue where enabling STREAM::enable in one HTTP_RESPONSE causes other HTTP requests to also get processed. I think this is because the stream processing is enabled for a connection. I now use the pattern: when HTTP_REQUEST { STREAM::disable } when HTTP_RESPONSE { if {some condition holds} { STREAM::enable } } This means that the STREAM processing is disabled at the beginning of every request. However, does this lead to a race condition if there are multiple requests executing in parallel? If response enables the stream, is it visible to other responses on the same connection? i.e. REQUEST 1 REQUEST 2 HTTP_REQUEST (disable stream) HTTP_REQUEST (disable stream) HTTP_RESPONSE condition is true: (enable stream) (stream processing occurs) HTTP_RESPONSE condition is false: (leave stream as-is) (stream processing occurs anyway)
Log the count of the STREAM hits
I'm trying to figure out how it will be possible, how many times a STREAM::expression is being executed. when HTTP_RESPONSE { if { $http_host equals "avv.com" or $http_host equals "acc.com" }{ STREAM::expression "@aa@bb@" STREAM::expression "@rr@ff" STREAM::expression "@gg@qaqa@" STREAM::enable log local0. "RESPONSE: $http_host to IP: [IP::client_addr]" } } So in the log i want to see like: Total STREAM hit 80 (40aa - 20rr - 20gg)iRule to count individual STREAM::expression hits
Problem this snippet solves: Hi Folks, the provided iRule below can be used to count and analyse individual STREAM::expression hits. Imagine you have some more of less interesting HTML content that needs several content rewrites... "On the Insert tab, the galleries include items that are designed to coordinate with the overall look of your document. You can use these galleries to insert tables, headers, footers, lists, cover pages, and other document building blocks. When you create pictures, charts, or diagrams, they also coordinate with your current document look." -MSOffice ... and you apply a STREAM::expression with lots of individual translations to it... STREAM::expression @a@A@@b@B@@c@C@@d@D@@e@E@@f@F@@g@G@@h@H@@i@I@@j@J@@k@K@@l@L@@m@M@@n@N@@o@O@@p@P@@q@Q@@r@R@@s@S@@t@T@@u@U@@v@V@@w@W@@x@X@@y@Y@@z@Z@ ... then you could use the iRule below to [log] which individual expression has been triggered how many times on which ressource. Thu Sep 8 16:07:43 CEST 2016 debug f5-02 tmm[16579] STREAM hits on URL /stream: 271 ( Pattern:p = 2 | ( Pattern:a = 18 | ( Pattern:r = 21 | ( Pattern:b = 4 | ( Pattern:c = 13 | ( Pattern:s = 19 | ( Pattern:d = 12 | ( Pattern:t = 28 | ( Pattern:u = 12 | ( Pattern:e = 36 | ( Pattern:f = 2 | ( Pattern:v = 2 | ( Pattern:w = 2 | ( Pattern:g = 6 | ( Pattern:h = 12 | ( Pattern:y = 4 | ( Pattern:i = 15 | ( Pattern:k = 3 | ( Pattern:l = 14 | ( Pattern:m = 5 | ( Pattern:n = 15 | ( Pattern:o = 26 ) Cheers, Kai How to use this snippet: Attach the provided iRule to your Virtual Server which performs [STREAM] operations Request the streamed content as usual. Take a look to your LTM logfile. Code : when STREAM_MATCHED { set stream_result(path) $http_path if { [info exists stream_result(Pattern:[STREAM::match])] } then { incr stream_result(Pattern:[STREAM::match]) } else { set stream_result(Pattern:[STREAM::match]) 1 } } when HTTP_REQUEST { set http_path [HTTP::path] if { [info exists stream_result(path)] } then { set stream_result(match_total) 0 foreach stream_result(pattern) [array names stream_result Pattern:*] { incr stream_result(match_total) $stream_result($stream_result(pattern)) append stream_result(match_detailed) "( $stream_result(pattern) = $stream_result($stream_result(pattern)) | " } log -noname local0.debug "STREAM hits on URL $stream_result(path): $stream_result(match_total) [string trimright $stream_result(match_detailed) " |"] )" unset -nocomplain stream_result } } when CLIENT_CLOSED { if { [info exists stream_result(path)] } then { set stream_result(match_total) 0 foreach stream_result(pattern) [array names stream_result Pattern:*] { incr stream_result(match_total) $stream_result($stream_result(pattern)) append stream_result(match_detailed) "( $stream_result(pattern) = $stream_result($stream_result(pattern)) | " } log -noname local0.debug "STREAM hits on URL $stream_result(path): $stream_result(match_total) [string trimright $stream_result(match_detailed) " |"] )" unset -nocomplain stream_result } } Tested this on version: 12.0
