F5 AWAF with HTTP/2, MRF and Websocket profiles
Good day all, I have F5 Big-IP AWAF's (version 16.1.4.3) and I am trying to configure HTTP/2 with MRF. My colleague and I discovered that Websocket profiles on the Virtual Server don't play well when enabling MRF. Is there a way to enable a "hybrid" configuration using websocket and HTTP/2 with MRF? I value and appreciate your time and energy and look forward to hearing from you. Thank you.
Issues with reverse proxying the application using socket.io and Secure Websockets
Hello, I am trying to setup a reverse proxy for the application written with socket.io which tries to upgrade the connection to Secure Websockets. Looking at the docs WSS should be supported in BIG-IP 11.5.4, however I am getting some connection errors as per below (trace from the Firebug): The connection to wss://host.example.com/launchpad/socket.io/?EIO=3&transport=websocket&sid=GTQLD62vWeuwQwIzAAIp was interrupted while the page was loading. socket.io.js (line 3, col 1049) Are there any limitations known when using LTM and WSS ? In my existing lab configuration I am using both rewrite rules and stream profiles to rewrite URLs. Thanks a lot for any comments Regards
using websocket via ASM
Hi all. I'm testing about ASM v11.4.1 and a website using websocket. I wonder ASM can support websocket. In my test, LTM can support websocket but ASM can't support it. When apply ASM policy to VirtualServer, I can't show websocket part. So I made a iRule, that is below: when CLIENT_ACCEPTED { HTTP::enable } when HTTP_REQUEST { if { ([string tolower [HTTP::header value Upgrade]] equals "websocket" ) && ([string tolower [HTTP::header value Connection]] equals "upgrade" ) } { log local0. "HTTP Disable" ASM::disable } } In this iRule, when websocket traffic is come, it disable ASM and pass to LTM. But it means, if some web attacks are come through websocket, ASM can't block attacks. In addition, if i change iRule from ASM::disable to HTTP::disable, page loading is slowed. Does any solution using with ASM and websocket?
Websocket iRule
Hello everybody, hope you could help me with this , my thinking is this needs custom iRule . We are using Mango Automation system , and when we put it behind F5 LTM some parts (like gauges etc.) stop to function. I see these are websocket connections? Does anybody have experience with this ? They even have some documentation for Apache rev. proxy here in the link: https://docs-v4.mango-os.com/proxy thanks DamirHTML5 WebSocket rewriting
I am having an issue with rewriting my WebSocket connection. Let me explain my scenario, and then I will explain the issue I am experiencing. On my Internal network (192.168.252.x) I have a HTML5 gateway device(252.100), that is used to establish an HTML5 RDP session. This component is setup correctly, from the internal network I am able to log into the web based interface and successfully establish an HTML5 based RDP connection from my HTML5 gateway device (252.100) to my target machine 252.101. What I am trying to accomplish is to do this HTML5 RDP connection going through the F5. From the webtop, my user will click on a portal access link. This portal access link takes the user to the web based front-end of my HTML5 gateway device via and https webpage. My user is able to successfully go through the webtop, and log into my web front end. The issue occurs when starting the HTML5 RDP session from the webtop. My HTML5 proxy machine is throwing an error saying Websocket closed. Tracing the network traffic between all components, there is no traffic flow from the HTML gateway and the Target machine, and no traffic flows into the HTML gateway. This is due to the fact that the Websocket is not being rewritten by the F5. I will try to attach an image with the Chrome dev console that shows this websocket address: In short: when a new websocket is created I get the following: WebSocket connection to 'wss://192.168.252.100/myservice?mypage.hsl_mode=DIRECT&servicename_name=encodedlinkname failed: Error in connection establishment net::ERR_CONNECTION_TIMED_OUT. What I would expect to see is not the direct Internal IP address of the HTML5 gateway but some External IP from the F5 since the websocket should be rewritten by F5. My External net address is 192.168.210.x. I am testing from 192.168.210.100 and my F5 External self IP is 192.168.210.22. So I would expect to see that the websocket address would the External SelfIP. I have attempted playing around with the HTTP profile, Redirect Rewrite settings (None, All, Matching, and Nodes). But this didn't seem to help. I have also tried creating a WebSocket profile and tested all the Masking settings, (Preserve, Unmask, Selective, and Remmask) Also no dice. I have tested quite a few settings on the other profiles as well without any luck. Any suggestions would be helpful. As a side note: I was able to get this successfully running on Big-ip 11.4. With the same configuration, I am not able to get this working on our newer 12.1 implementation. I am also currently unable to observe the 11.4 websocket creation behavior as this VE install has eaten itself while trying to do a version update.. But that is another story.
LTM/ASM 11.5.4 websocket
We are running an LTM unit with ASM license version 11.5.4. There is a virtual server configured with one real server running the application. Somewhere in the conversation a websocket connection is setup. This connection fails. I have been checking the different F5 sites for possible solutions or explanations but get more confused by the minute. Going to Fast-L4 is not an option because ASM needs the clientSSL and serverSSL. The iRule in which the HTTP and ASM are disabled should no longer be needed because of version higher than 11.4.0 supports websocket. Is there someone that can tell me if it is possible to use websocket through LTM/ASM and how to configure it in 11.5.4 ?
