stream
35 Topics

Need help with URL re-write without a redirect
I have a virtual server on F5 with an iRule and want to add a condition for a new re-write. I have to re-write the complete URL without redirecting or changing the URL in the client's browser. I tested the below, but client browsers keep getting a reset. Below is my existing iRule and the syntax I have tried for the re-write. Also attached are a few logs which show that traffic is matching the condition and re-writing the URL but fails.

Browser URL: "abc.domain.com/uri/path"
Backend URL: "abc4.domain4.com/file.html"

```tcl
when HTTP_REQUEST {
    set doStream 0
    switch [HTTP::host] {
        "abc.domain.com" {
            if {[HTTP::path] contains "/abc/abc" && [HTTP::query] contains "location="} {
                HTTP::respond 301 "Location" "https://[HTTP::host]/abc/[string tolower [findstr [HTTP::query] "location=" 9]]"
                pool xyz_pool
            } elseif {[string tolower [HTTP::host]] starts_with "abc.domain.com" && [HTTP::path] eq "/uri/path"} {
                HTTP::header replace Host "abc4.domain4.com"
                HTTP::uri "/file.html"
                set doStream 4
                log local0. "[HTTP::host][HTTP::uri] Changed rewrite"
                pool test-pool
            } elseif {[class match [HTTP::path] equals "url_redirect_list"]} {
                set newURL [class match -value -- [HTTP::uri] equals "url_redirect_list"]
                log local0. "NEW Redirect URI is [HTTP::uri]"
                HTTP::respond 301 "Location" $newURL
            } elseif {[class match [HTTP::path] equals "url_explicit_list"]} {
                log local0. "[HTTP::path]: Explicit URL path goes to [LB::server] with cookie value [HTTP::cookie value "cookie"]"
                HTTP::header replace Host "abc1.domain.com"
                set doStream 1
                log local0. "[IP::client_addr]:[TCP::client_port]: [LB::server] Request with persistence cookie [HTTP::cookie value "cookie"] to [HTTP::uri]"
                pool explicit_pool
            } elseif {[class match [HTTP::path] starts_with "url_wildcard_list"]} {
                log local0. "[HTTP::path]: Wildcard URL path goes to [LB::server]"
                HTTP::header replace Host "abc1.domain.com"
                set doStream 1
                #log local0. "[HTTP::path]: Wildcard URL path goes to [LB::server]"
            } elseif { [string tolower [HTTP::uri]] ne "/autodiscover" } {
                log local0. "[IP::client_addr]:[TCP::client_port]: [LB::server] Request with persistence cookie [HTTP::cookie value "cookie"] to [HTTP::uri]"
                pool backend_pool
                persist cookie insert "cookie"
            } else {
                drop
            }
        }
    }
}
when HTTP_RESPONSE {
    switch $doStream {
        0 { return }
        1 {
            STREAM::expression {@http://abc1.domain.com@https://abc.domain.com@}
            STREAM::enable
        }
        4 {
            STREAM::expression {@https://abc4.domain4.com/file.html@https://abc.domain.com/uri/path@}
            STREAM::enable
        }
    }
}
```

```
/var/log/ltm.1:Apr 14 13:44:55 info tmm1[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 13:44:55 info tmm[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 13:45:04 info tmm[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 13:45:05 info tmm1[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 13:45:05 info tmm[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 13:50:05 info tmm[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 14:00:06 info tmm[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
/var/log/ltm.1:Apr 14 15:42:37 info tmm1[17567]: Rule /Common/POOL_SELECTION_IRULE <HTTP_REQUEST>: abc4.domain4.com/file.html Changed rewrite
```

Any help is appreciated. Thanks

Solved | 2.4K Views | 0 likes | 6 Comments

How to redirect from port to another port and to hide the port from the url of client side?
Client should type abc.xyz and should be redirected to https://abc.xyz; however, the server is listening on abc.xyz:9000 and the client shouldn't see port 9000. So how to redirect http to https while adding a hidden port 9000?

1.4K Views | 0 likes | 11 Comments

STREAM profile (HTTP > HTTPS) with host exception
Hello guys, I do need to add an exception into the default stream iRule (HTTP to HTTPS) to bypass the www.w3.org domain. I got this iRule:

```tcl
when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    if {[HTTP::header value Content-Type] contains "text"} {
        STREAM::expression {@http:(?!//www\.w3\.org)@https://@}
        STREAM::enable
    }
}
```

However, through this regular expression the virtual server is resetting the connections. Have any ideas how to do it in another way? Thanks 🙂

Solved | 1K Views | 0 likes | 4 Comments

Basic HTTP Stream Profile
Hi all, I basically try to use the stream profile to replace the http:// string of my server side response data with https:// and just changed my custom stream profile as below:

But though I simply click the http://192.168.50.111/ into my web browser, it just keeps load balancing and retrieves a pool member with a HTTP 200 OK code. Isn't it expected that it must show me https://192.168.50.111 instead of http? In my research, it says if the web page returns 302, 303 or 307 status codes, we can see a Location header which can show the replaced URL as https://blabla in the captured packets (collected with Wireshark) or something else.

Is there any other configuration in the F5 menu to apply the stream profile correctly? I want to only use the Stream Profile, not an iRule. However, the iRule didn't work either. I really don't know why.

Here's the curl command result:

Thank you.

999 Views | 0 likes | 5 Comments

Fixing Incomplete SAML SP Initiated Login
This is not really a question, because I already know the answer. I spent a fair amount of time and received awesome help from a few people on this forum. I wanted to post this here so others can avoid the same headache.

**Specific Issue:** Service Provider sends what they call a "Partial SP Initiated Authentication." What really happens is that they perform a 302 Location redirect and have both SAMLRequest and RelayState parameters in the URL. However, SAMLRequest= is blank. They have neglected to deflate, 64-bit encode, and URL encode a SAML Request in their redirect.

**Fixing Missing SAML Request:** Since the Service Provider is not sending a SAMLRequest, the F5 has to trigger an IdP initiated login, and this can be done with an iRule attached to the webtop Virtual Server. However, this will only get you connected to the landing page and does not take into account the RelayState parameter sent in the 302 Location redirect.

**Fixing the RelayState:** The way this was accomplished was by creating back-to-back virtual servers, using cookies to pass the appropriate RelayState URI, and a Stream profile to modify the SAML Response on its way back to the user's web browser.

**Front-end Virtual Server:** The front-end virtual server has 2 responsibilities. The first is to forward all traffic through from the user's web browser on to the webtop virtual server. This is a simple iRule. The second responsibility is to use a Stream profile to modify the SAML Response and append the missing RelayState information appropriately.

**Back-end Virtual Server:** The back-end virtual server is for hosting the Access Policy and an iRule that catches the request, initiates an unsolicited IdP SAML Response, and passes the RelayState back to the front-end virtual server via a http cookie.

**Note:** I took a shortcut on setting up the RelayState form element by pre-populating the SP connector with an "/" in the RelayState field.
**Front-end iRule to redirect all traffic to back-end virtual server:**

```tcl
when HTTP_REQUEST {
    virtual /Common/VS_Portal
    log local0. "Forwarded to Portal"
}
```

**Back-end iRule to initiate SAML Response and pass RelayState via cookie:**

```tcl
when ACCESS_POLICY_COMPLETED {
    if { [string tolower [ACCESS::session data get session.server.landinguri]] contains "apps" } {
        if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } {
            log local0. "SP initiated SAML detected, not sending redirect"
        } else {
            set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]]"
            ACCESS::respond 302 Location "https://go.domain.com/saml/idp/res?id=/Common/SAML_APP"
            log local0. "IDP initiated SAML detected, sending redirect [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]"
            HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
            return
        }
    }
}
```

**Front-end iRule to modify return traffic SAML Response and modify RelayState:**

```tcl
when HTTP_REQUEST {
    set relaystatesetter 0
    set relaystatevalue 0
    set relaystateexists 0
    if {[HTTP::cookie exists "RelayState"]} {
        set relaystateexists 1
        set relaystatevalue "[HTTP::cookie RelayState]"
    }
    log local0. "iRule Logger - HTTP_REQUEST Starting hostname=[HTTP::host];uri=[HTTP::uri]"
    if {[HTTP::uri] contains "RelayState"} {
        log local0. "iRule Logger - HTTP_REQUEST RelayState Store Cookie hostname=[HTTP::host];uri=[HTTP::uri]"
        set relaystatesetter 1
        set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [HTTP::uri] RelayState]]"
        log local0. "iRule Logger - RelayState is $relaystatevalue;relaystatesetter=$relaystatesetter"
        HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
    }
}
when HTTP_RESPONSE {
    if {$relaystatesetter==1} {
        HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
    }
    log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystate=$relaystatevalue"
    if {$relaystateexists==1} {
        log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystateexists=$relaystateexists"
        STREAM::expression "@@@"
        STREAM::enable
    }
}
```

718 Views | 0 likes | 1 Comment

STREAM::expression Not Replacing Multiple Expressions
Hello - Hope you can help me. I'm using STREAM in an iRule to replace internal server names with external ones using vars and also to change http to https. It works if I use either one of the elements by themselves, but if I put them together in a single STREAM expression, only the http replacement works. Here is the iRule:

```tcl
when CLIENT_ACCEPTED {
    set sINTERNAL_URL "internal.server"
    set sEXTERNAL_URL "external.com"
}
when HTTP_REQUEST {
    STREAM::disable
}
when HTTP_RESPONSE {
    if { [HTTP::header Content-Type] starts_with "text/" } {
        STREAM::expression "@://${sINTERNAL_URL}@://${sEXTERNAL_URL}@ @http://@https://@"
        STREAM::enable
    }
}
```

Any ideas? Thanks

Solved | 623 Views | 0 likes | 4 Comments

Understanding STREAM expression and Compression
Hello - I have a question to try and confirm my understanding around using STREAM and compression. I'm aware of the need to disable compression so STREAM is able to inspect the payload, but after the STREAM expression has done its replacing, is, or can, the content be compressed to improve performance or is this lost?

In our set-up, we have physical LTMs that handle SSL offloading (part of the cloud solution we use) and virtual LTMs that we configure for service specific iRules etc. So on the physical LTM with SSL offload, there is STREAM (blank) and an iRule to replace http:// with https:// on the response with the following:

```tcl
when HTTP_REQUEST {
    # PHYSICAL LTM WITH SSL OFFLOAD
    # tell server not to compress response
    HTTP::header remove Accept-Encoding
    # disable STREAM for request flow
    STREAM::disable
}
when HTTP_RESPONSE {
    # catch and replace redirect headers
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }
    # only look at text data
    if { [HTTP::header Content-Type] contains "text" } {
        # create a STREAM expression to replace any http:// with https://
        STREAM::expression {@http://@https://@}
        # enable STREAM
        STREAM::enable
    }
}
```

On the virtual LTM, we have a similar entry in the iRule:

```tcl
when HTTP_REQUEST {
    # VIRTUAL LTM
    # tell server not to compress response
    HTTP::header remove Accept-Encoding
    # disable STREAM for request flow
    STREAM::disable
}
when HTTP_RESPONSE {
    # catch and replace redirect headers
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"://internal.url" "://external.url"} [HTTP::header Location]]
    }
    # only look at text data
    if { [HTTP::header Content-Type] contains "text" } {
        # create a STREAM expression to replace any http:// with https://
        STREAM::expression {@://internal.url@://external.url@}
        # enable STREAM
        STREAM::enable
    }
}
```

So in this set-up, will we lose the benefit of HTTP compression? Thanks

599 Views | 0 likes | 1 Comment

Remove Whitespace from HTTP Response Payload
Problem this snippet solves:

Summary: Strip extraneous white space from HTML in the HTTP response payload.

Here is a simple iRule which uses a stream filter and STREAM::expression based iRule to replace two or more consecutive whitespace characters with a space. It hasn't been tested in production so try it on a test virtual server or test unit first!

Code:

```tcl
when HTTP_REQUEST {
    # Prevent server compression
    HTTP::header remove "Accept-Encoding"
    # Disable the stream filter by default
    STREAM::disable
}
when HTTP_RESPONSE {
    # Check if server response is text based
    if { [HTTP::header Content-Type] contains "text" } {
        # Set the stream expression to match two or more consecutive whitespace characters
        # Replace them with a single space
        STREAM::expression {@\s+@ @}
        STREAM::enable
    }
}
```

546 Views | 0 likes | 1 Comment

Masking URL on browser
I have a VIP, which runs an https page and calls 8 other VIPs. Those 8 VIPs redirect this https page, add port numbers and also load balance 8 servers with 8 different port numbers. For example, the end user types “abc.myportal.com” and that link is redirected to “https://abc.myportal.com:9460/xyz/login” or “https://abc.myportal.com:9461/xyz/login” or other ports.

Now, I want to mask some parts of the URL from the end user (e.g. port numbers). I don't want to redirect or translate the URL. When I did it, the page didn't run. The link must run with port numbers but I only want to hide the port numbers from the end user. They should see the URL “https://abc.myportal.com/xyz/login” when they type “abc.myportal.com”. But behind the scenes, the link with port numbers must run. Maybe this is not possible. Can anybody help? When I read all the other questions, I found “redirect, translate URL etc” but they didn't work.

Thanks & Regards

534 Views | 0 likes | 6 Comments