Creating iRule for Persistence Profile
Dear Community, could you assist me in creating an iRule for a Persistence Profile requirement related to an SSO application? When users access our application via desktop, they are presented with a QR code for scanning through a mobile app to authenticate and gain access. The issue arises when, after browsing the website from the desktop (with the session routed to one node via F5 LTM), another request from the mobile app after scanning the QR code is routed to a different node. Ideally, both requests should be directed to the same node. To resolve this, the iRule needs to compare the var topic parameter with the QR_AUTHENTICATION_CHANNEL_ID from the mobile request and ensure both are directed to the same node. Attached is a screenshot of the code and the HTML code of the website:

    /*<![CDATA[*/
    var endpoint = "\/qr-websocket";
    var topic = "80f95f6f-cecf-4ab6-a70b-1196194e4baa";
    var prefix = "\/qrtopic";
    var stompClient = null;
    $(function () {
        var socket = new SockJS(endpoint);
        stompClient = Stomp.over(socket);
        stompClient.connect({}, function (frame) {
            stompClient.subscribe(prefix + '/' + topic + '/verify', function (result) {
                console.log(result.body);
                let body = JSON.parse(result.body);
                if (body.error) {
                    $("#qrerror").show();
                } else if (body.success) {
                    stompClient.disconnect();
                    $("#qrerror").hide();
                    $("#qrform #token").val(body.token);
                    $("#qrform #deviceId").val(body.deviceId);
                    $("#qrform").submit();
                }
            });
        });
    });
    /*]]>*/

Regards,
Omran Mohamed

TCP::collect and large TLS v1.3 client hello packets
Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is that these packets are larger than the MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using a TCP profile for which an iRule parses the SNI name to pass the connection as is to the correct destination pool. How to reproduce:

    when CLIENT_ACCEPTED {
        TCP::collect
    }
    when CLIENT_DATA {
        # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again
    }

It only ever gets the first ~1352 bytes of the packet; CLIENT_DATA is only called once, and there seems to be no way to get the rest of the packet. If I add a length argument to collect of >1500 with "TCP::collect 1600", then it will read the whole ~1800 byte packet in the first CLIENT_DATA. But this will break all connections that send normal small ~500 byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.

iRule - redirection and capturing a string value
Looking for suggestions regarding the capture of a value and injecting that into a new URL / URI (the value below, 3745, is dynamic).

    https://www.site1.com/aaaa/sc-dsp.jsp?rc=3745&lang=eng

Redirects to:

    https://www.site2.com/en/Office?posui=3745

iRule not working for URI Block
I have a virtual server www.xyz.com hosted on LTM for HTTPS service and I'm looking to block (403 response) one of the application URIs, which is https://www.xyz.com/MW/entryPoint.htm. I tried the iRule below but it's not working.

    when HTTP_REQUEST {
        if { [HTTP::has_responded] } { return }
        if { [string tolower [HTTP::host]] contains "www.xyz.com" && [string tolower [HTTP::uri]] eq "/MW/entryPoint.htm" } {
            HTTP::respond 403
            return
        }
    }

Any suggestions appreciated. Thanks.

Advice to partial rename uri path
Hi there masters! I would like to ask for advice. Is it possible that after I redirect a URL I can partially rename the first two paths in the redirected URI path? So, for example: when a client requests our main page "https://companyA.com/", I will redirect this to a path of "https://companyA.com/room/desktop/r/Home". Then I will hide or rename the first two paths so this appears in the client's browser as "https://companyA.com/bed/table/r/Home". The /bed/table URI path segments are strings, not a location or directory. Would this be plausible? I really just want to change their strings. I tried to code it but only the redirect is successful, not the changing of the names of the two paths:

    when HTTP_REQUEST {
        if { ([HTTP::host] equals "companyA.com") and ([HTTP::uri] equals "/") } {
            HTTP::redirect "https://[HTTP::host]/room/desktop/r/Home"
        }
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Location"] } {
            HTTP::header replace "Location" [string map {"/bed/table" "/room/desktop"} [HTTP::header "Location"]]
        }
    }

Can you help me on this? Thanks!

Regards,
Zeig

iRule - XFF different case based on direction
I have an issue with Bitbucket versions where XFF is sent differently depending on the direction of traffic between versions. I am sure other apps have this issue as well. Bitbucket versions (v7.2.5 --> v8.19.3). Can the XFF type case-sensitivity be controlled based on direction? (The right side is a mixed-up standard and all upper-case, versus the left side which is all lower-case.)

iRule to extract SNI and forward to Virtual Server
Hey guys, currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies are a bit nasty to configure. Anyway, I deployed this simple iRule:

    when CLIENTSSL_CLIENTHELLO priority 100 {
        set sni [SSL::extensions -type 0]
        log local0. "Client SNI: $sni"
        if { $sni equals "fqdn.com" } {
            virtual vs-https443-fqdn.com
        } else {
            drop
        }
    }

The log says this:

    <CLIENTSSL_CLIENTHELLO>: Client SNI: �����������fqdn.com

The forwarding does not work. I think it's binary. I was able to trim away these characters with

    set sni [string range [SSL::extensions -type 0] 9 end]

and the forwarding worked out. I thought I had to trim 10 characters (indexing starts with 0, not 1) but I had to use 9 because otherwise the first character of the FQDN was removed. Any ideas on this? However, it works. What would be your approach to solve this? And lastly, is there a possibility to decode the binary stuff?

Load Balance 4 URI over 2 IPs and rewrite http response location
I have been struggling with this and I hope someone can assist. The challenge is twofold:

1. Need a Virtual Server to load balance between 4 URIs which are spread over 2 Nodes.
2. When the webservers respond, they respond with a Location which points to itself instead of the FQDN the client specified.

I have tried solving this with numerous variations of the iRules below, but fail when the client receives the nodes' http://hostname:portnumber/URi/web2.exe (which isn't reachable from the client network).

@1: iRule to load balance between 4 URIs:

a. Virtual Server: name vs_example.com, IP 172.16.0.1
b. Pools:

    pool_example1-uri-1_81 - node_01_10.0.0.1:81
    pool_example1-uri-2_81 - node_01_10.0.0.1:81
    pool_example2-uri-3_81 - node_02_10.0.0.2:81
    pool_example2-uri-4_81 - node_02_10.0.0.2:81

c. iRule:

    when HTTP_REQUEST {
        # Check if the requested URI is either / or /CAisd/pdmweb.exe
        if { [HTTP::uri] eq "/" or [HTTP::uri] eq "/CAisd/pdmweb.exe" } {
            # Define the possible URIs and corresponding pools
            set uri_pool_map {
                /URi/web1.exe pool_example1-uri-1_80
                /URi/web2.exe pool_example1-uri-2_80
                /URi/web3.exe pool_example1-uri-3_80
                /URi/web4.exe pool_example1-uri-4_80
            }
            # Initialize a list of available pools
            set available_uri_pool_list {}
            # Check the availability of each pool and add to the list if available
            for {set i 0} {$i < [llength $uri_pool_map]} {incr i 2} {
                set pool_name [lindex $uri_pool_map [expr {$i + 1}]]
                if {[active_members $pool_name] > 0} {
                    lappend available_uri_pool_list [lindex $uri_pool_map $i] $pool_name
                } else {
                    log local0. "Pool $pool_name is not available"
                }
            }
            # If no pools are available, send an error response
            if {[llength $available_uri_pool_list] == 0} {
                HTTP::respond 503 content "Service Unavailable - No available pools"
                return
            }
            # Select the next URI and corresponding pool in a round-robin fashion from available pools
            set index [expr {[clock clicks -milliseconds] % ([llength $available_uri_pool_list] / 2)}]
            set next_uri [lindex $available_uri_pool_list [expr {$index * 2}]]
            set next_pool [lindex $available_uri_pool_list [expr {$index * 2 + 1}]]
            # Log the selected URI and pool for troubleshooting
            log local0. "Selected URI: $next_uri, Pool: $next_pool"
            # Replace the URI with the selected one
            HTTP::uri $next_uri
            # Select the corresponding pool
            pool $next_pool
        }
    }

@2: iRule to replace Location in the HTTP Response:

    when HTTP_RESPONSE_RELEASE {
        if { [HTTP::header exists "Location"] } {
            set location [HTTP::header "Location"]
            log local0. "Original Location header: $location"
            # Modify the Location header if it contains the internal server reference
            if { $location starts_with "http://webserver1" || $location starts_with "http://webserver2" } {
                set new_location [string map {
                    "http://webserver1:81"  "https://172.16.0.1"
                    "https://webserver1:81" "https://172.16.0.1"
                    "http://webserver2:81"  "https://172.16.0.1"
                    "https://webserver2:81" "https://172.16.0.1"
                } $location]
                HTTP::header replace "Location" $new_location
                log local0. "Modified Location header: $new_location"
            }
        }
    }

irule for DNS traffic
Hi, we have to set up a DNS pointer in F5 for our web. Users need to get the IP as per the region they log in from; if the login IP is from Japan, they should get the nearest location's IP. Please help me get a valid iRule, please? I tried so much, but nothing is working as expected.

Tomi

F5 iRule to route traffic based on AS2 headers doesn't work
We are testing an iRule on our F5 load balancer to route traffic based on AS2 headers to different internal servers. We have created the iRule below that inspects the HTTP headers and directs the traffic accordingly. But we don't see traffic come to the new pool member; it goes to the existing pool member. Can anyone help on this? This is a new requirement for our client.

    when HTTP_REQUEST {
        # Check if the AS2 header exists
        if { [HTTP::header exists "AS2-From"] } {
            # Get the value of the AS2 header
            set as2_from [HTTP::header "AS2-From"]
            # Route based on the AS2 header value
            switch $as2_from {
                "INTGHXCOMS" {
                    pool pool_partner1
                }
                "INTGHXEUCOMS" {
                    pool pool_partner2
                }
                default {
                    # Default pool if the AS2 header value does not match any known values
                    pool pool_default
                }
            }
        } else {
            # Default pool if the AS2 header does not exist
            pool pool_default
        }
    }
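Two of the threads above, the TCP::collect one about ~1800-byte TLS 1.3 client hellos and the SSL::extensions one about the binary prefix in front of the SNI name, come down to the same byte layout. The Python below is an added example written for this page; it is not code from any of the posts and not an F5 API. It builds a constructed ClientHello (the host name, the padding size and the helper names build_client_hello, extract_sni and needs_more_bytes are all assumptions), decodes the server_name extension to show that exactly 9 bytes (extension type, extension length, list length, name type, name length) precede the host name, which is why "string range ... 9 end" yielded the complete FQDN, and reads the 5-byte TLS record header to learn how many bytes a complete hello occupies, which is the quantity a length-aware collector needs before it can stop waiting for data.

```python
import struct
from typing import Optional

# Constructed sample host name (assumption, not from either post).
SAMPLE_HOST = "fqdn.com"


def build_sni_extension(hostname: str) -> bytes:
    """Encode one server_name extension as it appears inside a ClientHello:
    2-byte type (0), 2-byte length, 2-byte list length, 1-byte name type (0),
    2-byte name length, then the ASCII host name. That is 9 bytes before the name."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list


def parse_sni_extension(ext: bytes) -> str:
    """Decode a server_name extension blob (type + length + ServerNameList)."""
    if len(ext) < 9:
        raise ValueError("extension too short to hold a host name")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0:
        raise ValueError("not a server_name extension")
    body = ext[4:4 + ext_len]
    list_len, = struct.unpack("!H", body[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = body[pos]
        name_len, = struct.unpack("!H", body[pos + 1:pos + 3])
        pos += 3
        name = body[pos:pos + name_len]
        pos += name_len
        if name_type == 0:  # host_name entry
            return name.decode("ascii")
    raise ValueError("no host_name entry in ServerNameList")


def record_length_needed(data: bytes) -> int:
    """Total size of the first TLS record: 5-byte record header plus the
    payload length it announces. Only the first 5 bytes are needed to answer."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    return 5 + length


def needs_more_bytes(data: bytes) -> bool:
    """True when the buffer holds fewer bytes than the first record announces."""
    return len(data) < record_length_needed(data)


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Walk a complete ClientHello record and return its SNI host name, or None
    when no server_name extension is present. Raises ValueError on a truncated record."""
    need = record_length_needed(client_hello)
    if len(client_hello) < need:
        raise ValueError(f"incomplete record: have {len(client_hello)}, need {need}")
    pos = 5
    if client_hello[pos] != 1:  # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos += 4                      # handshake type + 3-byte length
    pos += 2 + 32                 # legacy version + random
    pos += 1 + client_hello[pos]  # session id
    cs_len, = struct.unpack("!H", client_hello[pos:pos + 2])
    pos += 2 + cs_len             # cipher suites
    pos += 1 + client_hello[pos]  # compression methods
    if pos + 2 > need:
        return None               # no extensions block at all
    ext_total, = struct.unpack("!H", client_hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
        if ext_type == 0:
            return parse_sni_extension(client_hello[pos:pos + 4 + ext_len])
        pos += 4 + ext_len
    return None


def build_client_hello(hostname: str, padding: int = 0) -> bytes:
    """Construct a minimal ClientHello record (sample data, not a real capture).
    `padding` bytes go into a padding extension (type 21) so a large hello like
    the ~1800-byte one discussed in the thread can be simulated."""
    exts = build_sni_extension(hostname)
    if padding:
        exts += struct.pack("!HH", 21, padding) + b"\x00" * padding
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    ext = build_sni_extension(SAMPLE_HOST)
    print("bytes before the host name:", ext.index(SAMPLE_HOST.encode()))
    big = build_client_hello(SAMPLE_HOST, padding=1700)
    print("record announces", record_length_needed(big), "bytes; buffer has", len(big))
    print("first 1352 bytes still incomplete:", needs_more_bytes(big[:1352]))
    print("SNI from the full record:", extract_sni(big))
```

Run it directly to see the three checks: the host name starts at offset 9 of the extension, the record header of the padded hello announces the full 1773 constructed bytes, and needs_more_bytes() is True for the first 1352 bytes of that record and False once the whole record is buffered.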