Need a redirect and a stream profile
I am trying to do something that I think is pretty simple. Strangely enough I have what I'm trying to do working just fine on one F5, but the behavior isn't replicating when I move it to another F5. I suspect it has something to do with sequencing.

This is what I need to do. I have two Virtual Servers. Both are listening on 443. Virtual Server 1 has backend servers listening on port 80. Virtual Server 2 has backend servers listening on port 10108. My first requirement is that when users go to virtual server 1 with a blank URI that they get redirected to /gohere. I do that with an irule:

    when HTTP_REQUEST {
        if {[HTTP::path] eq "/"} {
            HTTP::redirect https://[HTTP::host]/gohere
        }
    }

...and that works just fine.

Now, when the user is logged into virtual server 1 they run a report that essentially provides them a link that tells is to go to virtual server 2. B/c virtual server 2 is listening (the actual servers) on 10108 it sends the URL as . I want to take that response and change it to: ...at first I just added an empty stream profile and the irule that Kevin Stewart created,

    when HTTP_REQUEST {
        # tell server not to compress response
        HTTP::header remove Accept-Encoding

        # disable STREAM for request flow
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # catch and replace redirect headers
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
        }

        # only look at text data
        if { [HTTP::header Content-Type] contains "text" } {
            # create a STREAM expression to replace any http:// with https://
            STREAM::expression {@http://@https://@}

            # enable STREAM
            STREAM::enable
        }
    }

and it started working just fine. However, now when I tried to build that same environment in production it's not working. With both irules applied I get nothing. When I remove the stream profile and the stream irule I get redirected correctly. However when I put the stream profile back on and add the irule it breaks again.

For troubleshooting I tried to put both irules into one irule (combining them). That worked...initially, but then stopped working. I have tried to use the priority command to put a priority of 100 on the redirect irule and left the stream at default (500)...but that doesn't work either. I feel like this should be fairly simple, I can't figure out why it works in my test environment but not in production. Any assistance would be appreciated.

295 Views, 0 likes, 1 Comment

Issues modifying XML content with stream profile & iRule
I've taken an iRule from another DevCentral post and modified it to fit my application.

    when HTTP_REQUEST {
        # Disable the stream filter for all requests
        STREAM::disable

        # LTM does not uncompress response content, so if the server has compression
        # enabled and it cannot be disabled on the server, we can prevent the server
        # from sending a compressed response by removing the compression offerings
        # from the client
        HTTP::header remove "Accept-Encoding"
    }
    when HTTP_RESPONSE {
        # Check if response type is text
        if {[HTTP::header value Content-Type] contains "text/xml"} {
            # Replace http:// with https://
            STREAM::expression {@http:\\/\\/applicationdomain@https:\\/\\/applicationdomain@}

            # Enable the stream filter for this response only
            STREAM::enable
        }
    }

The stream profile is successfully replacing the HTTP: with HTTPS:, but is also including the additional backslash and a Silverlight (smh) error pops up. When I remove the second backslash in the iRule, the HTTP: is no longer replaced with HTTPS:, and I'm back to square one. Any ideas on what I might be doing wrong? Thanks in advance!

249 Views, 0 likes, 1 Comment

Log the count of the STREAM hits
I'm trying to figure out how it will be possible, how many times a STREAM::expression is being executed.

    when HTTP_RESPONSE {
        if { $http_host equals "avv.com" or $http_host equals "acc.com" } {
            STREAM::expression "@aa@bb@"
            STREAM::expression "@rr@ff"
            STREAM::expression "@gg@qaqa@"
            STREAM::enable
            log local0. "RESPONSE: $http_host to IP: [IP::client_addr]"
        }
    }

So in the log I want to see like:

    Total STREAM hit 80 (40aa - 20rr - 20gg)

231 Views, 0 likes, 1 Comment

Trying to make irule Stream replace with carriage returns..
Hello folks, I'm hoping for some help with forming the regex to match the following: and replace it with: However, everything I've found on Stream replace is only for single lines. I am using the default template from https://devcentral.f5.com/wiki/iRules.STREAM__expression.ashx

225 Views, 0 likes, 0 Comments

Sharepoint SEO / Lowercase URLs
I have a Microsoft Sharepoint environment which is published to the internet. One of my on-going headaches is the analytics report separates pages which have different case as unique. For example a URI path of /myDirectory/Page.html != /mydirectory/page.html.

Is there a sed equivalent for performing the sed string: %s/.*/\L&/g in stream expression to rewrite the URL provided from the server to lowercase? I know that I need to act on the HTTP_RESPONSE{} and rewrite the response of the server back to lowercase. All of the documentation I am reading about streams, is replace A with B. The documentation is very terse referencing the capabilities of stream expressions.

What I can't wrap my head around is [HTTP::uri] or [HTTP::path] are not valid in RULE_INIT{} or HTTP_RESPONSE{}. I am at a loss on how to pull in the response from the answering server to rewrite the request.

Using URLRewrite 2.0 from testing scenarios broke sharepoint publishing sites. If you or someone you know are using it for such a purpose, suggested setup would be greatly appreciated. Any suggestions are welcome.

References: SOL7027, iRules Set URI To Lower Case, Forcing Lowercase Only Works The First Time, URL Rewrite Multiple

520 Views, 0 likes, 2 Comments

Stream expression for TCP payload
So I have been trying to find the most efficient way to detect string patterns within HTTP payloads. I have found out the best way to tackle this (from what I know so far) is to use a stream profile within a HTTP_RESPONSE event and specify a reg expression. So for my test, I wanted to capture alpha numeric string between 13-16 characters long. I was specifically looking for the value AAAFFFggg12345 and was successful. I did return other values but that's beside the point I'm getting to. This is how I approached it a stream profile within a HTTP_RESPONSE event.

    when HTTP_REQUEST {
        STREAM::disable
        if { [HTTP::header value "Host"] equals "winweb1.clearshark.net"} {
            set host [HTTP::header value "Host"]
            HTTP::header remove "Accept-Encoding"
        }
    }
    when HTTP_RESPONSE {
        if {[info exists host]} {
            if {$host equals "winweb1.clearshark.net"} {
                STREAM::expression {@[a-zA-Z0-9]{13,16}@}
                STREAM::enable
            }
        }
    }
    when STREAM_MATCHED {
        log local0. "Stream matched [STREAM::match]"
    }

Now... I want to do the same exact thing, but not within an HTTP_RESPONSE event. Essentially I want to just look within a TCP payload and find the same string. I have tried the following but have had no success.

    when CLIENT_ACCEPTED {
        STREAM::disable
    }
    when SERVER_CONNECTED {
        TCP::collect
        if {[IP::client_addr] equals "172.16.211.103"} {
            log local0. "Stream enabled"
            STREAM::expression {@[a-zA-Z0-9]{13,16}@}
            STREAM::enable
        }
    }
    when STREAM_MATCHED {
        log local0. "[IP::client_addr]:[TCP::local_port] : Matched : [STREAM::match]"
    }

I am not seeing the string value AAAFFFggg12345 in my logs like I did when triggering within a HTTP_RESPONSE event. I know this seems like a quirky use case but this is simply for a proof of concept for a client. If I can successfully make this happen, I'll branch off to other tests. But I need to make sure this works first before I move forward. I appreciate any and all help!

302 Views, 0 likes, 2 Comments

Fixing Incomplete SAML SP Initiated Login
This is not really a question, because I already know the answer. I spent a fair amount of time and received awesome help from a few people on this forum. I wanted to post this here so others can avoid the same headache.

Specific Issue: Service Provider sends what they call a "Partial SP Initiated Authentication." What really happens is that they perform a 302 Location redirect and have both SAMLRequest and RelayState parameters in the URL. However, SAMLRequest= is blank. They have neglected to deflate, 64-bit encode, and URL encode a SAML Request in their redirect.

Fixing Missing SAML Request: Since the Service Provider is not sending a SAMLRequest, the F5 has to trigger an IdP initiated login, and this can be done with an iRule attached to the webtop Virtual Server. However, this will only get you connected to the landing page and does not take into account the RelayState parameter sent in the 302 Location redirect.

Fixing the RelayState: The way this was accomplished was by creating back-to-back virtual servers, using cookies to pass the appropriate RelayState URI, and a Stream profile to modify the SAML Response on its way back to the user's web browser.

Front-end Virtual Server: The front-end virtual server has 2 responsibilities. The first is to forward all traffic through from the user's web browser on to the webtop virtual server. This is a simple iRule. The second responsibility is to use a Stream profile to modify the SAML Response and append the missing RelayState information appropriately.

Back-end Virtual Server: The back-end virtual server is for hosting the Access Policy and an iRule that catches the request, initiates an unsolicited IdP SAML Response, and passes the RelayState back to the front-end virtual server via a http cookie.

Note: I took a shortcut on setting up the RelayState form element by pre-populating the SP connector with an "/" in the RelayState field.

Front-end iRule to redirect all traffic to back-end virtual server:

    when HTTP_REQUEST {
        virtual /Common/VS_Portal
        log local0. "Forwarded to Portal"
    }

Back-end iRule to initiate SAML Response and pass RelayState via cookie:

    when ACCESS_POLICY_COMPLETED {
        if { [string tolower [ACCESS::session data get session.server.landinguri]] contains "apps" } {
            if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } {
                log local0. "SP initiated SAML detected, not sending redirect"
            } else {
                set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]]"
                ACCESS::respond 302 Location "https://go.domain.com/saml/idp/res?id=/Common/SAML_APP"
                log local0. "IDP initiated SAML detected, sending redirect [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]"
                HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
                return
            }
        }
    }

Front-end iRule to modify return traffic SAML Response and modify RelayState:

    when HTTP_REQUEST {
        set relaystatesetter 0
        set relaystatevalue 0
        set relaystateexists 0
        if {[HTTP::cookie exists "RelayState"]} {
            set relaystateexists 1
            set relaystatevalue "[HTTP::cookie RelayState]"
        }
        log local0. "iRule Logger - HTTP_REQUEST Starting hostname=[HTTP::host];uri=[HTTP::uri]"
        if {[HTTP::uri] contains "RelayState"} {
            log local0. "iRule Logger - HTTP_REQUEST RelayState Store Cookie hostname=[HTTP::host];uri=[HTTP::uri]"
            set relaystatesetter 1
            set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [HTTP::uri] RelayState]]"
            log local0. "iRule Logger - RelayState is $relaystatevalue;relaystatesetter=$relaystatesetter"
            HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
        }
    }
    when HTTP_RESPONSE {
        if {$relaystatesetter==1} {
            HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
        }
        log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystate=$relaystatevalue"
        if {$relaystateexists==1} {
            log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystateexists=$relaystateexists"
            STREAM::expression "@@@"
            STREAM::enable
        }
    }

742 Views, 0 likes, 1 Comment

STREAM::expression Not Replacing Multiple Expressions
Hello - Hope you can help me. I'm using STREAM in an iRule to replace internal server names with external ones using vars and also to change http to https. It works if I use either one of the elements by themselves, but if I put them together in a single STREAM expression, only the http replacement works. Here is the iRule:

    when CLIENT_ACCEPTED {
        set sINTERNAL_URL "internal.server"
        set sEXTERNAL_URL "external.com"
    }
    when HTTP_REQUEST {
        STREAM::disable
    }
    when HTTP_RESPONSE {
        if { [HTTP::header Content-Type] starts_with "text/" } {
            STREAM::expression "@://${sINTERNAL_URL}@://${sEXTERNAL_URL}@ @http://@https://@"
            STREAM::enable
        }
    }

Any ideas? Thanks

Solved
629 Views, 0 likes, 4 Comments

Understanding STREAM expression and Compression
Hello - I have a question to try and confirm my understanding around using STREAM and compression. I'm aware of the need to disable compression so STREAM is able to inspect the payload, but after the STREAM expression has done its replacing, is or can, the content be compressed to improve performance or is this lost?

In our set-up, we have physical LTMs that handle SSL offloading (part of the cloud solution we use) and virtual LTMs that we configure for service specific iRules etc. So on the physical LTM with SSL offload, there is STREAM (blank) and iRule to replace http:// with https:// on the response with the following:

    when HTTP_REQUEST {
        # PHYSICAL LTM WITH SSL OFFLOAD
        # tell server not to compress response
        HTTP::header remove Accept-Encoding

        # disable STREAM for request flow
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # catch and replace redirect headers
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
        }

        # only look at text data
        if { [HTTP::header Content-Type] contains "text" } {
            # create a STREAM expression to replace any http:// with https://
            STREAM::expression {@http://@https://@}

            # enable STREAM
            STREAM::enable
        }
    }

On the virtual LTM, we have a similar entry in the iRule:

    when HTTP_REQUEST {
        # VIRTUAL LTM
        # tell server not to compress response
        HTTP::header remove Accept-Encoding

        # disable STREAM for request flow
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # catch and replace redirect headers
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map {"://internal.url" "://external.url"} [HTTP::header Location]]
        }

        # only look at text data
        if { [HTTP::header Content-Type] contains "text" } {
            # create a STREAM expression to replace any http:// with https://
            STREAM::expression {@://internal.url@://external.url@}

            # enable STREAM
            STREAM::enable
        }
    }

So in this set-up, will we lose the benefit of HTTP compression? Thanks

643 Views, 0 likes, 1 Comment