Revocation Status in HTTP Request Header
I'm setting up a web app that will use the EDIPI to validate my users' accounts. I think I have a working understanding of how that'll work--I'm going to be setting up an iRule to forward the user's EDIPI to the server. (see here) It dawned on me that I'm not really sure how that process works with the revocation status. If their CAC is revoked, will CLIENTSSL_HANDSHAKE or HTTP_REQUEST_RELEASE fire? I'm picturing still getting their EDIPI off the CAC and setting that in the header, but also getting their revocation status and putting a yes/no in the header for "x-revoked". I could easily then check that in my server code. I believe that's how that works with Cloud 1. Is that the way I'd do that, or would the best practice be to just not send their request at all somehow?

ICAP with iRule Response Page without ASM
Hello, We are running on BIG-IP 13.1.1.4 TMOS code and set up Content Adaptation for HTTP requests to check files uploaded through one of our websites using ICAP. It's working fine, but in case any virus is detected the ICAP server modifies the response and shows its own response. But we would like to redirect the end user to a dedicated corporate web page of our website. I prepared the below iRule but it's now working.

    when ADAPT_REQUEST_RESULT {
        if { ([ADAPT::result] contains "respond") } {
            log local0. "ICAP Response is [ADAPT::result], let's customized reject page"
            set response {
                <html>
                <head>
                <title>Virus Detected</title>
                <meta http-equiv="refresh" content="0;URL='https://int-www-01.citizensfla.com/virus-test'" />
                </head>
                </html>
            }
            HTTP::header remove Content-Length
            #HTTP::payload replace 0 [HTTP::payload length] ""
            HTTP::payload replace 0 0 $response
        }
    }

How could we redirect the POST of the user to a dedicated page within our website if a virus is found using the ICAP internal VS? Many thanks in advance for any help on this matter. Regards Vijay

Persistence: HTTP 200 OK to client hangs when server sends HTTP responses with Transfer-Encoding: chunked
All my problems come because I need an iRule to persist sessions based on a specific field that goes through inside an HTTP packet. First the client needs to do a Login and with the response we persist the session_id.

    HTTP POST
    HTTP 200 OK (session_id)
    HTTP GET (session_id)

With the following iRule I'm able to do that if the response comes with the header Content-Length. The problem is that we discovered that if the 200 OK from Login comes with Transfer-Encoding: chunked, the 200 OK is received by F5 but the 200 OK that has to be sent to the client is not. BIG-IP persists the connection, but the connection between BIG-IP and the client hangs and we are not sending the 200 OK to the client till the client closes the connection (TCP); after 60 seconds we saw the FIN,ACK and then the BIG-IP sends the 200 OK to the client. 😞

    when HTTP_REQUEST {
        log local0. "HTTP_REQUEST"
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_REQUEST_DATA {
        set SessionId [findstr [HTTP::payload] "SessionId>" 10 "<"]
        if { not ([string length $SessionId] == 0) } {
            log local0. "Persist in HTTP_REQUEST_DATA for not login operations $SessionId"
            persist uie $SessionId 300
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048577 } {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048577
        }
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
    when HTTP_RESPONSE_DATA {
        set SessionId [findstr [HTTP::payload] "sessionId>" 10 "<"]
        if { [HTTP::payload] contains "Login" } {
            log local0. "Persist in HTTP_RESPONSE_DATA for login $SessionId"
            catch { persist add uie $SessionId 300 }
        }
    }

This is the configuration of the rest of the elements.

    ltm virtual /Common/VS_TEST {
        destination /Common/10.105.108.5:8998
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            /Common/sessionid_profile {
                default yes
            }
        }
        pool /Common/OPCO1_INT_PROV_AGENT_Pool
        profiles {
            /Common/http { }
            /Common/oneconnect { }
            /Common/tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

I tried also changing the http profile, but it didn't solve my problem. Best Regards and Thanks in advance. Victor Jori

XML : Modify SOAP header
Hello, I need to modify the SOAP header in order to add a specific parameter. After the tag " " I should be adding the parameter " soap:mustUnderstand="1" " but the data contained in the tag should not be modified. The SOAP envelope is like this : [DATA] Then the SOAP envelope should look like this : [DATA] I know that I need to use the function stream in order to make it work but I need guidance on this one. What should I put in the iRule in order to just add this parameter? Thank you for your help

Not able to set response when using HTTP::Retry
I am trying to set up a simple Virtual Server in BIG-IP LTM that takes an HTTP request and sends it to all members in the pool assigned to it. My understanding is that HTTP::retry is, more or less, the only way to do so. I have written the following iRule:

    when RULE_INIT {
        # Log debug locally to /var/log/ltm? 1=yes, 0=no
        set static::debug 1
    }
    when HTTP_REQUEST {
        log local0. "Entering HTTP Request"
        if { [HTTP::method] eq "GET" } {
            set request_headers [HTTP::request]
            if { $static::debug } {
                log local0. "Saving HTTP request headers: $request_headers"
            }
        }
    }
    when HTTP_RESPONSE {
        set response "Node request status"
        set curr_node_ip [LB::server addr]
        set curr_node_port [LB::server port]
        set node_status [HTTP::status]
        append response "$curr_node_ip:$curr_node_port$node_status"
        foreach member_node [active_members -list [LB::server pool]] {
            scan $member_node {%[^ ] %d} node_ip node_port
            if { $node_ip == $curr_node_ip and $node_port == $curr_node_port } {
                if { $static::debug } {
                    log local0. "Skipping already collected data for $node_ip:$node_port"
                }
            } else {
                if { $static::debug } {
                    log local0. "Sending request to $node_ip:$node_port"
                }
                pool [LB::server pool] member $node_ip $node_port
                HTTP::retry request_headers
                set node_status [HTTP::status]
                log local0. "$node_ip:$node_port sent answer $node_status"
                append response "$node_ip:$node_port$node_status"
            }
        }
        append response ""
        log local0. "$response"
        HTTP::respond 200 content $response "Content-Type" "text/html"
    }

The problem is that I keep getting the following error when I run it:

    Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::respond 200 content $response "Content-Type" "text/html""

Not having the HTTP::retry call gets rid of the error but ofc breaks the whole point of the rule.
Not having the HTTP::respond seems to allow the rule to run with retry in place; however, the client connection hangs and gets no response. I am using BIG-IP 10.0.10.4. Most of my research shows that people have been doing the same thing and have been able to use HTTP::retry together with HTTP::respond in that way; however, I cannot understand why it does not work here. Am I missing something?

session variable not being substituted?
As a second check to VPN access, I need to check the MAC address of the machine against a database we have. I've set up an AAA HTTP server with a form-based HTTP GET that works when I specify an absolute value. The URL I use is

    http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=00:00:00:00:00:00

but when I change it to

    http://server.full.name/infoserv/cgi-bin/computing/database/hardware/vpn/MacValid.asp?MacAddress=%{session.machine_info.net_adapter.list.[0].mac_address}

the session variable is NOT substituted but passed to our web server as "%{session.machine_info.net_adapter.list.[0].mac_address". I've also tried %{session.client.mac_address} with the same result. Is there some trick to getting session variables to work in the "form action" field? Thanks

SharePoint HTTP 200 embedded script rewrite
Hi all, I am running into issues with SharePoint behind APM, where in one single instance the site returns HTTP 200 with a script embedded in the body which makes the client request a resource using SharePoint's internal host name. The client then attempts to request that resource and comes to a standstill, not being able to resolve the name. Here is the response in question:

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.0
    SPRequestGuid: c0f4406f-9fcd-4c1d-be09-8c4cdbd9fbad
    X-SharePointHealthScore: 1
    MicrosoftSharePointTeamServices: 14.0.0.7015
    X-MS-InvokeApp: 1; RequireReadOnly
    X-Frame-Options: SAMEORIGIN
    Date: Wed, 16 Mar 2016 14:34:40 GMT
    Vary: Accept-Encoding
    Content-Length: 2413

    Processing... Processing... User information updated successfully You will be redirected shortly.

How can I catch and rewrite the internal hostname? When sent to the client it needs to look something like this: publicname.mycompany.com instead of mysite.mydomain.mycompany.root:14775. Can this be done using a Stream profile triggered on HTTP Response? Thanks in advance...

Warning when using the reset-Option in HTTP::respond
Hi everyone, I'm having trouble using the reset-Option of HTTP::respond in the following line in my iRule:

    HTTP::respond -reset 404 -version 1.1 noserver

When I save the iRule, I'm getting this warning in the LTM-Log:

    warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "-reset is invalid integer"1096 47][HTTP::respond -reset 404 -version 1.1 noserver]

I really can't see the difference between my line and the one in the DevCentral-Page (https://devcentral.f5.com/wiki/iRules.HTTP__respond.ashx). I'm using BIG-IP 12.1.1. Any help is welcome. Mike

iRule - Adding a cookie based on Geo-IP, without breaking everything
Hi all, First post on DevCentral, I've done a handful of iRules but I'm not great at them. I have a case where we have a website with multiple language/country versions. I have been asked to be able to change a resource on the site based upon the client's US state. At the moment, we are just targeting Florida. The logic on the server side is set up and works, so if cookie "uslocation" has value "florida" the logo changes. The problem is, the logo won't change without me adding the cookie to the HTTP_RESPONSE. And I suspect I'm not doing the HTTP_RESPONSE correctly, because it fails to load everything that isn't in the /usa/ path, and if the cookie isn't present, the connection is dropped.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "mywebsite.com" && [HTTP::path] eq "/usa" } {
            # Parse the client IP from the header supplied
            set client_ip [HTTP::header value "X-Forwarded-For"]
            log local0. " Staging - XFF ... incoming connection from $client_ip "
            if { $client_ip eq "" } {
                # The header was empty/did not exist, so use the actual client IP
                log local0. "Staging - XFF Header was empty so using actual IP - $client_ip"
                set client_ip [IP::client_addr]
            }
            set state [string tolower [whereis $client_ip state]]
            log local0. " Staging - incoming connection from $client_ip detected state as $state"
            if { $state eq "florida" } {
                log local0. " Staging - .. $state.. "
                set cookie_insertion 1
                HTTP::cookie insert name "uslocation" value $state path "/usa" domain "mywebsite.com"
            }
            log local0. "Cookies = [HTTP::cookie uslocation] "
        } else {
            pool POOL-STAGING-HTTP
        }
    }
    when HTTP_RESPONSE {
        if { $cookie_insertion > 0 } {
            log local0. " RESPONSE - Adding cookie to response Staging - ... $state.. "
            HTTP::cookie insert name "uslocation" value $state path "/usa" domain "mywebsite.com"
            log local0. "RESPONSE - Cookies = [HTTP::cookie uslocation] "
        }
    }

Any help would be hugely appreciated

Proper syntax for using quotes in monitors send/recv?
For http monitors, we generally look at our application's status page. This returns the output from various tests, with both the test name and result surrounded by quotes. It's my understanding that quotes need to be prefaced with a backslash in order for them to be properly processed. I didn't have any problems with this until I tried "load sys config" from TMSH, and realized it's not liking the syntax:

    (Active)(/Common)(tmos) create ltm monitor http MyMon send 'GET /MyApp/Status\r\n' recv '\"httpStatus\":\"OK\"'
    (Active)(/Common)(tmos) load sys config
    Loading configuration...
      /config/bigip_base.conf
      /config/bigip_user.conf
      /config/bigip.conf
    01070642:3: Monitor /Common/MyMon parameter contains unescaped " escape with backslash.
    Unexpected Error: Loading configuration process failed.