Geo Fence in ASM through irule for URI
I have ASM with geo fencing enabled, where I added multiple countries as denied, but I want one URI, /CKYC*, to be allowed from only one country; for that URI all other countries should be denied. Apart from this URI, all other URIs should work as configured in the geo fence. I tried the iRule below but it's not working.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] starts_with "/CKYC*" && [whereis [IP::client_addr] country] ne "IN" } {
            drop
        }
    }

URL rewrite
I'm trying to figure out how to write a policy or iRule that will modify a URL. For example, a number of URLs (url1.mycompany.com, url2.mycompany.com, url3.mycompany.com, etc.) point to a virtual server on our F5. I would like to create an iRule or policy that will modify or rewrite the URL before routing the traffic to the nodes in the pool, so that it becomes url1.ce2.mycompany.com, url2.ce2.mycompany.com, url3.ce2.mycompany.com, etc. In other words, I need an iRule or policy that rewrites *.mycompany.com to *.ce2.mycompany.com.

Irule Check payload contains
Hi everyone, I have a request payload like this:

    POST /webconsole/api/security/auth/login HTTP/1.1
    Host:
    Connection: keep-alive
    Content-Length: 58
    sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (
    OrganizationID:
    sec-ch-ua-platform: "Windows"
    Origin:
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer:
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
    Cookie:

    {"UserName":"test.org\\secadm01","Password":***************}

I want to create an iRule that checks for this URI, /webconsole/api/security/auth/login: when the client IP address is not X.X.X.X and the user logs in with a user named secadm, the request will be blocked. Other users whose usernames do not contain "secadm" would be OK. But this does not work. Please help advise. I wrote an iRule as below:

    when HTTP_REQUEST {
        if { [HTTP::path] equals "/webconsole/api/security/auth/login" } {
            if { [IP::addr [IP::client_addr] != 10.168.17.127] } {
                if { [HTTP::payload] contains "secadm" } {
                    drop
                }
            }
        }
    }

iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
            log local0. "Internal Clients allowed: [IP::client_addr]"
            pool MY_POOL
        }
    }
    when FLOW_INIT {
        set ipaddr [IP::client_addr]
        set fromCountry [whereis $ipaddr country]
        if { ! [class match $fromCountry equals allowed_geoip_datagroup] } {
            drop
        }
    }

    ltm data-group internal allowed_internal_subnets {
        records {
            10.0.0.0/8 { }
        }
        type ip
    }
    ltm data-group internal allowed_geoip_datagroup {
        records {
            EU { }
            US { }
        }
        type string
    }

Hi everyone! Need some help here from all the smart people on this forum. We are trying to create an iRule to block all countries not in the data group, using the BIG-IP GeoIP database and lookup; however, we still have users within the 10.0.0.0/8 internal subnets needing to connect. When they connect to the VIP, their source address is in the 10.0.0.0/8 range; however, they get dropped by the FLOW_INIT match for some reason. What am I doing wrong and how do I fix this? Here is what should happen: All external internet users coming from US/EU (using the BIG-IP GeoIP lookup database) should be allowed; otherwise, all countries not matching this should be dropped. This seems to be working. All internal users coming from the 10.0.0.0/8 or RFC 1918 ranges should be allowed and not dropped. How do I put both pieces of logic together in one flow? This iRule is dropping the internal users for some reason. How do we allow all internal users in as well, while dropping external users not matching the GeoIP logic? Thanks again...

Rate limiting per IP and URI
The customer application is being flooded with client HTTP POST requests every minute. I need to come up with a solution for rate limiting on a VS in our LTM-VE so that a source IP will be limited for specified URIs to 1 request per 10 minutes. During validation testing we see the iRule logs under /var/log/ltm:

    Feb 28 20:23:48 lb01-mgmt info tmm1[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 191.44.3.193%2 exceeded max HTTP requests per second
    Feb 28 20:23:48 lb01-mgmt. info tmm7[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 201.79.26.68%2 exceeded max HTTP requests per second
    Feb 28 20:23:48 lb01-mgmt info tmm7[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 200.165.153.27%2 exceeded max HTTP requests per second

but the client is not receiving HTTP 429 after two retries within 10 minutes. We created the following iRule; could you guys see any error in the iRule?

    # Function : RateLimit HTTP POST requests per IP, for NGSCserver
    when RULE_INIT {
        set static::maxRate 1
        set static::windowSecs 600
    }
    when HTTP_REQUEST {
        if { ([HTTP::method] eq "POST") and [HTTP::uri] contains "/NGSCserver/" } {
            # set variables
            set limiter [string tolower [HTTP::host]]
            set clientip_limitervar [IP::client_addr]:$limiter
            set get_count [table key -count -subtable $clientip_limitervar]
            # main condition
            if { $get_count < $static::maxRate } {
                incr get_count 1
                table set -subtable $clientip_limitervar $get_count $clientip_limitervar indefinite $static::windowSecs
            } else {
                HTTP::respond 429 content "Request blockedExceeded requests/sec limit."
                log local0. "[IP::client_addr] exceeded max HTTP requests per second"
                drop
                return
            }
        }
    }

APM inactivity timeout redirect or notification page for LTM + APM connections
Background on this: I have a customer that is publishing a Microsoft CRM instance behind APM and doing KCD with smart card auth. The access policy works fine, KCD works fine, the web app works fine. The only problem we have is the inactivity timeout setting. Once the limit has been reached, the session is removed and content is no longer sent to the user, in a very abrupt fashion. This is a problem because a lot of the page is cached on the client's workstation, and all they see is broken JPEGs and incomplete web content. Once they click around they are re-authenticated, but it is not pretty. I want to find a way to notify the user that they have been inactive for a certain amount of time: send an HTTP 200 response with content notifying them, with a link to click on to re-authenticate. Increasing the inactivity timeout is not an option due to their access session license limit; there would be a lot of abandoned sessions that would accumulate, potentially going over this limit. I know that with webtop and SSL VPN you get a notification that you are about to be logged out due to inactivity, but this doesn't seem to be available for LTM + APM policies. This is what I have so far; there has to be a more efficient way of doing this, though.

    when ACCESS_SESSION_STARTED {
        set ::EXPIRE "false"
    }
    when ACCESS_SESSION_CLOSED {
        log local0. "Session has been closed"
        set ::EXPIRE "true"
    }
    when HTTP_RESPONSE {
        if { $::EXPIRE equals "true" } {
            HTTP::respond 200 content "
                You've Been Logged out due to inactivity
                You have been logged out due to inactivity
                Thanks for Using the application
                Click to log back in.
            "
        }
    }

LTM | Preserve Client IP Address in L3 Mode
TL;DR: Is there any way to preserve the original client source IP address in the packets sent from LTM to the real server? I am currently using a non-F5 SLB solution and am looking to migrate to F5 LTM. But even before we begin to evaluate F5, we would like to get some feedback on the technical viability of one of my requirements, because this is make or break for our consideration. We have a critical application load balanced in L2 bridge mode, because the application requires the original client IP in the packet. But I am tasked with getting rid of L2 mode and moving the application to L3 load-balanced mode. I have looked at DSR and SNAT, but they're not feasible for our environment.

Irule Table lookup
    when HTTP_REQUEST {
        set tls_cache_table "tls_cache_[virtual name]_[IP::client_addr]_[SSL::sessionid]"
        if { [table lookup $tls_cache_table] == 1 } {
            set tlsenforce_allow 1
        }
    }

I have not posted the complete URL. I suppose the output for set would be tls_cache_example_vs_192.168.1.100_abcd1234, but in the next line I could see we have a lookup for the above output with value = 1. What does it mean?

irule to Redirect client from specific Public IP to a specific node
Hello, I have a virtual server that is accessible by users on the internet, with one pool. This pool has 2 nodes. I have a scenario where I need users coming from a specific PUBLIC IP to go to a specific node in the pool. All other clients should always go to the other node. I have tried a number of variations of iRules, but I am not getting consistent results. It doesn't matter where the client is coming from, they end up accessing both nodes eventually. The F5 is performing SSL offloading to port 80 on both nodes. Can someone help me figure out where I am going wrong with this iRule?

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals XXX.XXX.XXX.XXX] } {
            node 10.10.1.1 80
        } else {
            node 10.10.1.2 80
        }
    }

Thanks for any help that can be provided.

Need a redirect and a stream profile
I am trying to do something that I think is pretty simple. Strangely enough, I have what I'm trying to do working just fine on one F5, but the behavior isn't replicating when I move it to another F5. I suspect it has something to do with sequencing. This is what I need to do. I have two virtual servers. Both are listening on 443. Virtual server 1 has backend servers listening on port 80. Virtual server 2 has backend servers listening on port 10108. My first requirement is that when users go to virtual server 1 with a blank URI they get redirected to /gohere. I do that with an iRule:

    when HTTP_REQUEST {
        if { [HTTP::path] eq "/" } {
            HTTP::redirect https://[HTTP::host]/gohere
        }
    }

...and that works just fine. Now, when the user is logged into virtual server 1 they run a report that essentially provides them a link that tells it to go to virtual server 2. Because virtual server 2 (the actual servers) is listening on 10108, it sends the URL as . I want to take that response and change it to: ...at first I just added an empty stream profile and the iRule that Kevin Steward created:

    when HTTP_REQUEST {
        # tell server not to compress response
        HTTP::header remove Accept-Encoding
        # disable STREAM for request flow
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # catch and replace redirect headers
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
        }
        # only look at text data
        if { [HTTP::header Content-Type] contains "text" } {
            # create a STREAM expression to replace any http:// with https://
            STREAM::expression {@http://@https://@}
            # enable STREAM
            STREAM::enable
        }
    }

and it started working just fine. However, now that I have tried to build that same environment in production, it's not working. With both iRules applied I get nothing. When I remove the stream profile and the stream iRule I get redirected correctly. However, when I put the stream profile back on and add the iRule, it breaks again.
For troubleshooting I tried to put both iRules into one iRule (combining them). That worked initially, but then stopped working. I have tried to use the priority command to put a priority of 100 on the redirect iRule and leave the stream iRule at the default (500), but that doesn't work either. I feel like this should be fairly simple; I can't figure out why it works in my test environment but not in production. Any assistance would be appreciated.