iRule resulting in too many redirects
I have two requirements with my virtual server.

1. A redirect to /pc/service/SSOLogin
2. 24 hour persistence based on the JSESSIONID cookie in the request header.

The first one was accomplished early on with a policy that redirects to location '/pc/service/SSOLogin' at request time. This has worked without any issues until I tried to implement the JSESSIONID persistence. To accomplish the second, I created an iRule to be used with the Universal persistence profile. When I implemented this persistence profile, the redirect policy no longer worked. My assumption was that the iRule and the policy were conflicting with each other. To resolve this, I created a single iRule to handle both of these requirements. Now, I am getting too many redirects. The iRule is below.

```tcl
when HTTP_RESPONSE {
    ## PERSISTENCE
    # If the JSESSIONID exists, we'll pass the cookie along
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist add uie [HTTP::cookie "JSESSIONID"] 86400
    }
}

when HTTP_REQUEST {
    ## PERSISTENCE
    # If the JSESSIONID exists, we'll maintain that persistence
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"]
    }

    ## REDIRECT
    # This grabs the base url from the incoming request
    # For Example, https://my.site.com/some/path the base_url is set to https://my.site.com
    set base_url "https://[HTTP::host]"
    # Defining the new path
    set new_path "/pc/service/SSOLogin"
    # Construct the new URL
    # For example, https://my.site.com/pc/service/SSOLogin
    set new_url "$base_url$new_path"
    # Redirect to the new URL
    HTTP::redirect $new_url
}
```
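The loop in the post comes from the REDIRECT section running on every request: HTTP_REQUEST also fires for the request the browser makes for /pc/service/SSOLogin itself, so that request is redirected again, and so on until the browser gives up. The persistence code is not involved. The added example below is not from the post; it models only the redirect decision in Python so the loop and its fix can be seen without a BIG-IP. The fix corresponds to wrapping `HTTP::redirect` in `if { [HTTP::path] ne "/pc/service/SSOLogin" }`. One further caveat a practitioner would want: the Location is built from `HTTP::host`, which is whatever Host header the client sent, so the redirect reflects client input; a relative Location of `/pc/service/SSOLogin` avoids that and is what the original policy effectively did.

```python
"""Added example, not code from the original post or from F5.

Models the HTTP_REQUEST redirect decision of the posted iRule, unguarded
(as posted) and guarded (with the missing path check), and a browser-style
client that follows Location headers so the loop is visible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSO_PATH = "/pc/service/SSOLogin"  # target path from the post


@dataclass
class Request:
    host: str   # value of the Host header (client-controlled)
    path: str


def irule_request(req: Request, guarded: bool) -> Optional[str]:
    """Return the redirect Location, or None to let the request reach the pool.

    guarded=False reproduces the posted rule: every request is redirected,
    including the one for SSO_PATH, which the browser then follows again.
    guarded=True is the equivalent of
        if { [HTTP::path] ne "/pc/service/SSOLogin" } { HTTP::redirect ... }
    """
    if guarded and req.path == SSO_PATH:
        return None
    # Same construction as the post: https:// + Host header + fixed path.
    return f"https://{req.host}{SSO_PATH}"


def follow(req: Request, guarded: bool, max_hops: int = 10) -> Tuple[str, List[str]]:
    """Act as a browser: follow Location until the request is served or
    max_hops redirects were seen (real browsers stop at roughly 20).
    Returns ("served" | "too_many_redirects", [locations visited])."""
    hops: List[str] = []
    current = req
    for _ in range(max_hops):
        location = irule_request(current, guarded)
        if location is None:
            return "served", hops
        hops.append(location)
        # Turn the Location back into the next request (host + path).
        _, _, rest = location.partition("://")
        host, _, path = rest.partition("/")
        current = Request(host=host, path="/" + path)
    return "too_many_redirects", hops


if __name__ == "__main__":
    first = Request(host="my.site.com", path="/some/path")
    print("as posted:", follow(first, guarded=False))
    print("guarded:  ", follow(first, guarded=True))
```

With the guard, the first request is redirected once and the request for /pc/service/SSOLogin is passed to the pool; without it the client never stops.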
When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost
Hello Everyone, I'm currently facing a weird issue on both r2800 series. A single tenant is configured on both r2800 series and whenever there is a power outage and the system reboots, all the interfaces are detached from the VLANs on the tenant. So we built a script for a workaround to automatically attach the VLAN to its respective interface when the system starts up.

Reference: https://my.f5.com/manage/s/article/K11948

```bash
#!/bin/bash
# Filename: /config/startup_custom_vlancreation_script.sh
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready
# Here you could perform customized command(s) after MCPD is found running when the BIG-IP system starts up.
# Customized startup command(s) can be added below this line.
tmsh modify /net vlan VLAN-162 interfaces replace-all-with { 1.5 { tagged }} tag 162
tmsh modify /net vlan VLAN-163 interfaces replace-all-with { 1.6 { tagged }} tag 163
tmsh modify /net vlan VLAN-164 interfaces replace-all-with { 1.5 { tagged }} tag 164
tmsh modify /net vlan VLAN-165 interfaces replace-all-with { 1.5 { tagged }} tag 165
tmsh save /sys config
# Customized startup command(s) should end above this line.
# End of file /config/startup_custom_vlan_creation_script.sh
```

------

```bash
#
# NOTE:
# This file will be installed in /config/startup and it will
# be called by /etc/rc.local.
#
# - /config/startup is for customer config additions and
#   will be saved in UCS
#
# - /etc/rc.local should *not* be used by customers and
#   can/will be changed by F5
#
/config/startup_custom_vlan_creation_script.sh &
```

Then, we tested on one of the r2800 series instances: When the tenant is rebooted, the script works in the startup and attaches the VLAN to its respective interface on the tenant.
However, when the F5OS hardware device is rebooted, all the VLANs attached to their interfaces on the tenant are lost and even the script does not work (I believe F5OS is different than the old tmsh shell), which might be the reason behind the failure of the script when the F5OS hardware reboots. Is there any way to resolve this issue of losing attached VLANs on the interface, and has anyone faced such before?
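The startup script above re-applies every VLAN and saves the configuration on each boot, whether or not anything was lost. The added example below is not from the post or from F5; it reads `tmsh list net vlan` output, compares it with the mapping the script enforces, and emits only the `tmsh modify` commands that are actually needed, so the workaround can log what went missing and skip the save when nothing did. It assumes the block-structured output layout shown in the constructed sample (check it against your own tenant); it only addresses the tenant side, and does not answer whether the loss originates in the F5OS platform layer, which is the open question in the post.

```python
"""Added example, not code from the original post or from F5.

Parse `tmsh list net vlan` output, diff it against the desired VLAN-to-
interface mapping, and produce the repair commands for the VLANs that lost
their interfaces. SAMPLE_TMSH is constructed for this example.
"""
import re
from typing import Dict, List, Set

# Desired state, taken from the tmsh commands in the post.
DESIRED: Dict[str, Set[str]] = {
    "VLAN-162": {"1.5"},
    "VLAN-163": {"1.6"},
    "VLAN-164": {"1.5"},
    "VLAN-165": {"1.5"},
}

# Constructed sample: VLAN-162 kept its interface, the others came up empty
# (both "no interfaces stanza" and "interfaces { }" are handled).
SAMPLE_TMSH = """\
net vlan VLAN-162 {
    interfaces {
        1.5 {
            tagged
        }
    }
    tag 162
}
net vlan VLAN-163 {
    tag 163
}
net vlan VLAN-164 {
    interfaces { }
    tag 164
}
net vlan VLAN-165 {
    tag 165
}
"""


def parse_vlan_interfaces(tmsh_output: str) -> Dict[str, Set[str]]:
    """Return {vlan name: set of interface names} from tmsh list output."""
    vlans: Dict[str, Set[str]] = {}
    current = None
    depth = 0              # brace nesting inside the current vlan block
    iface_depth = None     # depth of the interfaces { } block, if open
    for raw in tmsh_output.splitlines():
        line = raw.strip()
        m = re.match(r"^net vlan (\S+) \{$", line)
        if m and depth == 0:
            current = m.group(1)
            vlans[current] = set()
            depth = 1
            continue
        if current is None:
            continue
        if line.startswith("interfaces {"):
            if line.endswith("}"):          # empty "interfaces { }" on one line
                continue
            depth += 1
            iface_depth = depth
            continue
        m = re.match(r"^(\S+) \{$", line)
        if m:
            depth += 1
            if iface_depth is not None and depth == iface_depth + 1:
                vlans[current].add(m.group(1))   # e.g. "1.5 {"
            continue
        if line == "}":
            depth -= 1
            if iface_depth is not None and depth < iface_depth:
                iface_depth = None
            if depth == 0:
                current = None
    return vlans


def repair_commands(actual: Dict[str, Set[str]], desired: Dict[str, Set[str]]) -> List[str]:
    """tmsh commands for VLANs whose interface set differs from the desired one.
    The tag is left alone: the VLAN object still exists, only members are missing."""
    cmds: List[str] = []
    for vlan, want in desired.items():
        have = actual.get(vlan, set())
        if have != want:
            members = " ".join(f"{i} {{ tagged }}" for i in sorted(want))
            cmds.append(f"tmsh modify /net vlan {vlan} interfaces replace-all-with {{ {members} }}")
    return cmds


if __name__ == "__main__":
    # In the startup script: tmsh list net vlan | python3 this_script.py
    for cmd in repair_commands(parse_vlan_interfaces(SAMPLE_TMSH), DESIRED):
        print(cmd)
```

Run `tmsh save /sys config` only when the returned list is non-empty; an empty list on boot is the signal that the interfaces survived and nothing needs touching.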
iControl for Gtm wideip
I am using iControl REST 2.4 downloaded from https://pypi.org/project/iCR/. While using wideips = bigip.getlarge("gtm/wideip/a", xxx), where xxx is the size of the chunk, I would like to understand the limit of the chunk size. If I use wideips = bigip.get("gtm/wideip/a"), it works if I have 200-300 wideips, but in case you have 10k+ wideips it gives you Error 500, AsyncContext timeout. What is the best way to download /mgmt/tm/gtm/wideip/a via the API?
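The timeout in the post is what you get when one request asks the REST framework to serialise the whole collection at once. iControl REST collections accept the `$top` and `$skip` query parameters, so the usual approach is to walk the collection in fixed-size pages. The added example below is not from the post nor from the iCR library (it does not describe how `getlarge` works internally); it pages with `$top`/`$skip` and stops on a short or empty page, and also stops if a page repeats, which protects against a target that ignores `$skip`. The BIG-IP hostname and basic-auth transport are assumptions; the fetch function is injectable so the paging logic runs offline against the constructed FAKE_ITEMS.

```python
"""Added example, not code from the original post or the iCR project.

Page through /mgmt/tm/gtm/wideip/a with $top/$skip so no single response
has to carry 10k objects. `fetch` is injectable; `fake_fetch` stands in
for a BIG-IP using the constructed FAKE_ITEMS.
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://bigip.example.com/mgmt/tm"   # assumed hostname


def http_get_json(url: str, user: str, password: str, timeout: int = 60) -> Dict:
    """Minimal GET with basic auth; replace with token auth if you use it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def iter_collection(path: str, fetch: Callable[[str], Dict], page_size: int = 500) -> Iterator[Dict]:
    """Yield every item under <BASE_URL>/<path>, page_size objects per request.

    Stops when a page is empty or shorter than page_size. Also stops if the
    first item of a page repeats the previous page's first item, so a server
    that ignored $skip could not keep us looping on page one forever.
    """
    skip = 0
    prev_first: Optional[str] = None
    while True:
        page = fetch(f"{BASE_URL}/{path}?$top={page_size}&$skip={skip}").get("items", [])
        if not page:
            return
        first = page[0].get("fullPath")
        if prev_first is not None and first == prev_first:
            return
        prev_first = first
        yield from page
        if len(page) < page_size:
            return
        skip += page_size


# Constructed stand-in for a BIG-IP with 1203 A wide IPs.
FAKE_ITEMS: List[Dict] = [
    {"fullPath": f"/Common/wip{i}.example.com", "name": f"wip{i}.example.com"}
    for i in range(1203)
]


def fake_fetch(url: str) -> Dict:
    """Offline fetch that honours $top/$skip against FAKE_ITEMS."""
    q = parse_qs(urlparse(url).query)
    top, skip = int(q["$top"][0]), int(q["$skip"][0])
    return {"items": FAKE_ITEMS[skip:skip + top]}


def fetch_all_wideips(fetch: Callable[[str], Dict] = fake_fetch, page_size: int = 500) -> List[str]:
    """Full paths of every wide IP in gtm/wideip/a, collected page by page."""
    return [item["fullPath"] for item in iter_collection("gtm/wideip/a", fetch, page_size)]


if __name__ == "__main__":
    # Against a real unit:
    #   live = lambda url: http_get_json(url, "admin", "password")
    #   names = fetch_all_wideips(live, page_size=500)
    print(len(fetch_all_wideips()))
```

Pick `page_size` by measuring: the right value is the largest page the unit returns comfortably inside the REST timeout, which depends on how much per-object data the collection carries, not on a fixed number.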
Portal Access to HTTPS resources slow
Hey all, Wanted to reach out to see if anyone has dealt with Portal Access and performance issues for resources in the backend that use HTTPS. I'm on version 15.x, recently upgraded to v15.1.10.3, and the issue persists. I also have the iRule to patch issues with Chrome 122+. On the client side, only HTTPS is permitted. If the backend app is allowed to use HTTP then it works well. But having backend traffic use HTTPS in some instances makes the app nearly unusable. And in the cases where the backend tries to enforce an http-to-https redirect, it effectively "blocks" the access. Trying to change a number of options has yielded little results. I do have a case open with F5 and captures provided. Thanks in advance...

Josh Becigneul
Block CBC
Hi there, I'm having a challenge on blocking the CBC cipher entirely. The ciphers I'm using are:

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-SHA256

The problem is that even with the above ciphers selected, the testing shows that the F5 can communicate with CBC. Is any further configuration needed here?

Thank you
A
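In OpenSSL-style suite names the mode is only named for AEAD suites: a suite with GCM, CCM or CHACHA20-POLY1305 in the name is AEAD, while an AES, 3DES or Camellia suite whose name ends in a bare hash (-SHA, -SHA256, -SHA384) is CBC, since the hash there is the HMAC of the CBC construction. The added example below is not from the post or from F5; it classifies each suite by that rule so a cipher list can be checked before it is applied. Run over the ten suites in the post it flags the four non-GCM -SHA256/-SHA384 entries as CBC, which matches the scanner result the post describes. Checking the list this way is the step to do before adjusting the SSL profile; the example does not cover the BIG-IP cipher-string syntax itself.

```python
"""Added example, not code from the original post or from F5.

Classify OpenSSL-style TLS cipher suite names by record-protection mode so
CBC suites can be spotted in a cipher list before it is deployed.
"""
import re
from typing import List

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")
BLOCK_CIPHERS = r"(AES|3DES|DES|CAMELLIA|SEED|IDEA|ARIA)"


def cipher_mode(name: str) -> str:
    """Return "AEAD", "CBC", "STREAM" or "UNKNOWN" for one suite name.

    Rules: TLS 1.3 names (TLS_AES_..., TLS_CHACHA20_...) are all AEAD; any
    name carrying an AEAD marker is AEAD; RC4 is a stream cipher; a block
    cipher name ending in a bare hash tag (the HMAC) is CBC. Anything else,
    including cipher-string operators such as !aNULL or @STRENGTH, is UNKNOWN.
    """
    upper = name.upper()
    if upper.startswith("TLS_"):
        return "AEAD"
    if any(marker in upper for marker in AEAD_MARKERS):
        return "AEAD"
    if "RC4" in upper:
        return "STREAM"
    if re.search(BLOCK_CIPHERS, upper) and re.search(r"-(SHA|SHA256|SHA384|MD5)$", upper):
        return "CBC"
    return "UNKNOWN"


def parse_cipher_string(cipher_string: str) -> List[str]:
    """Split a colon-, comma- or whitespace-separated cipher string."""
    return [c for c in re.split(r"[:,\s]+", cipher_string) if c]


def find_cbc(suites: List[str]) -> List[str]:
    """Suites that would still negotiate CBC, in list order."""
    return [s for s in suites if cipher_mode(s) == "CBC"]


def without_cbc(suites: List[str]) -> List[str]:
    """The same list with CBC suites removed, order preserved."""
    return [s for s in suites if cipher_mode(s) != "CBC"]


# The list from the post, as a cipher string.
POSTED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-SHA256"
)

if __name__ == "__main__":
    suites = parse_cipher_string(POSTED)
    for s in suites:
        print(f"{cipher_mode(s):8} {s}")
    print("CBC still present:", find_cbc(suites))
```

The same check works on the output of a scanner, since those also report suites by name; anything it labels CBC that is absent from your list points at a second SSL profile or a default cipher group still in play rather than at the list itself.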
rewrite Azure AD response for portal access via web portal
Hi All, I have a web portal where access to it is done via SAML authentication with AzureAD. I have a portal access called VIP_Maintenance configured on this web portal; the app VIP_Maintenance is a web site on this web server (mywebserver.xyz.com) which is also configured for SAML authentication. This web server hosts multiple web sites, so the one for VIP_Maintenance is (mywebserver.xyz.intra/azure). The other resource is /signin-wsfederation; this is where I should land after the successful authentication with Microsoft. So when I try to access the web portal using my user name and password, F5 sends the request to AzureAD and I receive a code on my cell phone which I enter and access is granted.

Now when I click on the portal access icon (VIP_maintenance), the web portal rewrites the request to this:

https://web-portal-azuread.viarail.ca/f5-w-68747470733a2f2f7669706d6e74632e746573742e696e747261$$/azure

then I see my browser communicating with microsoftonline for authentication and I see the reply from AzureAD like this:

https://login.microsoftonline.com/007eae9f-b0c2-4137-a710-16d67a6568a1/wsfed?wtrealm=https%3A%2F%2Fvipmntc.test.intra%2F&wctx=WsFedOwinState%3DaQm7wom_iiDcspTp4F75-SNiAH6ulYFzgGdxezLukSK9-twIS0gTcgMY7dprTnf7OmROGo1XmkiLAbaVs4L8ISgubrF5FaUtbeIdn7ywnn0JvUYlwclAR1V3GwiWN9VkfNE5hThiW2bzM1tV1arZ6IahGZgjBiVVLSCn2BzTdFdu73Ck709An2sk1IVDfV-26FbvGHbUJyYjK-fnc5iiCw&wa=wsignin1.0&wreply=https%3A%2F%2Fvipmntc.test.intra%2Fsignin-wsfederation

Right after, the URL changes to https://mywebserver.xyz.intra/signin-wsfederation and I get an error that this page cannot be reached, which is understood as mywebserver.xyz.intra is not exposed to the internet.

Now, what I need to do is to make F5 rewrite the response from Microsoft into this URL:

https://web-portal-azuread.viarail.ca/f5-w-68747470733a2f2f7669706d6e74632e746573742e696e747261$$/signin-wsfederation

instead of https://mywebserver.xyz.intra/signin-wsfederation. Any idea how I can achieve that?
Your help is highly appreciated.

regards,
What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning
Hi; Let's say that I have a BIG-IP device licensed for LTM and ASM. However, only the ASM module is enabled under System > Resource Provisioning with a level of nominal. I know that in this case you can have a pool of only one member, but just to double check my information, I want to ask this question: Is my understanding above incorrect, and in this case does the system load balance to multiple pool members, or should I enable the LTM module for this to happen?

Kindly
Wasfi