how to redirect from port to another port and to hide the port from the url of client side?
client should type abc.xyz , should be redirected to https://abc.xyz, however server is listening to abc.xyz:9000, client shouldn't see port 9000. so how to redirect http to https with adding port a hidden port 9000?
Basic HTTP Stream Profile
Hi all, I basicly try to use the stream profile to replace the http:// string of my server side response data with https:// and just changed my custom stream profile as below : But though I simply click the http://192.168.50.111/ into my web browser, it just keeps load balancing and retrieves a pool member with a HTTP 200 OK code. Isn't it expected that it must show me https://192.168.50.111 instead of http? In my research, it says if the web page returns 302, 303 or 307 status codes, we can see a Location Header which can show the replaced URL as https://blabla in the captured packets (collected with Wireshark) or sth else. Is there any other configuration in F5 menu to apply the stream profile correctly? I want to only use the Stream Profile, not an iRule. However iRule didn't work either. I really don't know why. Here's the curl command result : Thank you.
Fixing Incomplete SAML SP Initiated Login
This is not really a question, because I already know the answer. I spent a fair amount of time and received awesome help from a few people on this forum. I wanted to post this here so others can avoid the same headache. Specific Issue: Service Provider sends what they call a "Partial SP Initiated Authentication." What really happens is that they perform a 302 Location redirect and have both SAMLRequest and RelayState parameters in the URL. However, SAMLRequest= is blank. They have neglected to deflate, 64-bit encode, and URL encode a SAML Request in their redirect. Fixing Missing SAML Request: Since the Service Provider is not sending a SAMLRequest, the F5 has to trigger an IdP initiated login, and this can be done with an iRule attached to the webtop Virtual Server. However, this will only get you connected to the landing page and does not take into account the RelayState parameter sent in the 302 Location redirect. Fixing the RelayState: The way this was accomplished was by creating back-to-back virtual servers, using cookies to pass the appropriate RelayState URI, and a Stream profile to modify the SAML Response on its way back to the user's web browser. Front-end Virtual Server: The front-end virtual server has 2 responsibilities. The first is to forward all traffic through from the user's web browser on to the webtop virtual server. This is a simple iRule. The second responsibility is to use a Stream profile to modify the SAML Response and append the missing RelayState information appropriately. Back-end Virtual Server: The back-end virtual server is for hosting the Access Policy and an iRule that catches the request, initiates an unsolicited IdP SAML Response, and passes the RelayState back to the front-end virtual server via a http cookie. Note: I took a shortcut on setting up the RelayState form element by pre-populating the SP connector with an "/" in the RelayState field. Front-end iRule to redirect all traffic to back-end virtual server: when HTTP_REQUEST { virtual /Common/VS_Portal log local0. "Forwarded to Portal" } Back-end iRule to initiate SAML Response and pass RelayState via cookie: when ACCESS_POLICY_COMPLETED { if { [string tolower [ACCESS::session data get session.server.landinguri]] contains "apps" } { if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } { log local0. "SP initiated SAML detected, not sending redirect" } else { set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="}[URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]]" ACCESS::respond 302 Location "https://go.domain.com/saml/idp/res?id=/Common/SAML_APP" log local0. "IDP initiated SAML detected, sending redirect [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]" HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com" return } } ` } **Front-end iRule to modify return traffic SAML Response and modify RelayState:** when HTTP_REQUEST { `set relaystatesetter 0 set relaystatevalue 0 set relaystateexists 0 if {[HTTP::cookie exists "RelayState"]}{ set relaystateexists 1 set relaystatevalue "[HTTP::cookie RelayState]" } log local0. "iRule Logger - HTTP_REQUEST Starting hostname=[HTTP::host];uri=[HTTP::uri]" if {[HTTP::uri] contains "RelayState"}{ log local0. "iRule Logger - HTTP_REQUEST RelayState Store Cookie hostname=[HTTP::host];uri=[HTTP::uri]" set relaystatesetter 1 set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="}[URI::query [HTTP::uri] RelayState]]" log local0. "iRule Logger - RelayState is $relaystatevalue;relaystatesetter=$relaystatesetter" HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com" } ` } when HTTP_RESPONSE { ` if {$relaystatesetter==1}{ HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com" } log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystate=$relaystatevalue" if {$relaystateexists==1}{ log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystateexists=$relaystateexists" STREAM::expression "@@@" STREAM::enable } }Understanding STREAM expression and Compression
Hello - I have a question to try and confirm my understanding around using STREAM and compression. I'm aware of the need to disable compression so STREAM is able to inspect the payload, but after the STREAM expression has done it's replacing, is or can, the content be compressed to improve performance or is this lost? In our set-up, we have physical LTMs that handle SSL offloading (part of the cloud solution we use) and virtual LTMs that we configure for service specific iRules etc. So on the physical LTM with SSL offload, there is STREAM (blank) and iRule to replace http:// with https:// on the response with the following: when HTTP_REQUEST { PHYSICAL LTM WITH SSL OFFLOAD tell server not to compress response HTTP::header remove Accept-Encoding disable STREAM for request flow STREAM::disable } when HTTP_RESPONSE { catch and replace redirect headers if { [HTTP::header exists Location] } { HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]] } only look at text data if { [HTTP::header Content-Type] contains "text" } { create a STREAM expression to replace any http:// with https:// STREAM::expression {@http://@https://@} enable STREAM STREAM::enable } } On the virtual LTM, we have a similar entry in the iRule: when HTTP_REQUEST { VIRTUAL LTM tell server not to compress response HTTP::header remove Accept-Encoding disable STREAM for request flow STREAM::disable } when HTTP_RESPONSE { catch and replace redirect headers if { [HTTP::header exists Location] } { HTTP::header replace Location [string map {"://internal.url" "://external.url"} [HTTP::header Location]] } only look at text data if { [HTTP::header Content-Type] contains "text" } { create a STREAM expression to replace any http:// with https:// STREAM::expression {@://internal.url@://external.url@} enable STREAM STREAM::enable } } So in this set-up, we we loose the benefit of HTTP compression? Thanks
Remove Whitespace from HTTP Response Payload
Problem this snippet solves: Summary: Strip extraneous white space from HTML in the HTTP response payload Here is a simple iRule which uses a stream filter and STREAM::expression based iRule to two or more consecutive whitespace characters with a space. It hasn't been tested in production so try it on a test virtual server or test unit first! Code : when HTTP_REQUEST { # Prevent server compression HTTP::header remove "Accept-Encoding" # Disable the stream filter by default STREAM::disable } when HTTP_RESPONSE { # Check if server response is text based if { [HTTP::header Content-Type] contains "text" }{ # Set the stream expression to match two or more consecutive whitespace characters # Replace them with a single space STREAM::expression @\s+@ @} STREAM::enable } }
Masking URL on browser
I have a VIP, which runs an https page and calls other 8 VIPs. And that 8 VIPs redirect this https page, add port numbers and also load balances 8 servers with 8 different port numbers. For example, the end user types “abc.myportal.com” and that link is redirected to “https://abc.myportal.com:9460/xyz/login” or “https://abc.myportal.com:9461/xyz/login” or other ports. Now, i want to mask some parts of the URL from the end user. (e.g: port numbers). I dont want to redirect or translate URL. When i did it, the page didnt run. The link must run with port numbers but i only want to hide the port numbers from end user. They should see on the URL “https://abc.myportal.com/xyz/login” when they typed “abc.myportal.com”. But behind the scene, the link with port numbers must run. May be this is not possible. Anybody can help ? When i all read the other questions, i found “redirect, translate URL etc” but they didnt work. Thanks&Regards
