Forum Discussion

NaydenDunkov_27's avatar
NaydenDunkov_27
Icon for Nimbostratus rankNimbostratus
Jun 22, 2016

External Monitor for checking proxy authentication and Internet access

Hello Experts,

We are load balancing 3 proxy servers and we are trying to construct an external monitor that both checks if an user can authenticate to the proxy and access the internet.

So far we've managed to get the following script working when run from the F5 CLI:

    !/bin/sh
    
     (c) Copyright 1996-2007 F5 Networks, Inc.
    
     This software is confidential and may contain trade secrets that are the
     property of F5 Networks, Inc.  No part of the software may be disclosed
     to other parties without the express written consent of F5 Networks, Inc.
     It is against the law to copy the software.  No part of the software may
     be reproduced, transmitted, or distributed in any form or by any means,
     electronic or mechanical, including photocopying, recording, or information
     storage and retrieval systems, for any purpose without the express written
     permission of F5 Networks, Inc.  Our services are only available for legal
     users of the program, for instance in the event that we extend our services
     by offering the updating of files via the Internet.
    
     @() $Id: http_monitor_cURL+GET,v 1.0 2007/06/28 16:10:15 deb Exp $
     (based on sample_monitor,v 1.3 2005/02/04 18:47:17 saxon)
    
     these arguments supplied automatically for all external monitors:
     $1 = IP (IPv6 notation. IPv4 addresses are passed in the form
                             ::ffff:w.x.y.z
                             where "w.x.y.z" is the IPv4 address)
     $2 = port (decimal, host byte order)
    
     Additional command line arguments ($3 and higher) may be specified in the monitor template
     This example does not expect any additional command line arguments
    
     Name/Value pairs may also be specified in the monitor template
     This example expects the following Name/Vaule pairs:
      URI  = the URI to request from the server
      RECV = the expected response (not case sensitive)
    
     remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
    IP=`echo ${1} | sed 's/::ffff://'`
    PORT=${2}
    PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid"
     kill of the last instance of this monitor if hung and log current pid
    if [ -f $PIDFILE ]
    then
       echo "EAV exceeded runtime needed to kill ${IP}:${PORT}" | logger -p local0.error
       kill -9 `cat $PIDFILE` > /dev/null 2>&1
    fi
    echo "$$" > $PIDFILE

     send request & check for expected response

    STATUS=`curl -s -o /dev/null -w '%{http_code}' -H 'Cache-Control: no-cache' http://www.google.com --proxy $IP:$PORT -U username@ourdomain:strongpassword --proxy-ntlm`

    if [ "$STATUS" -eq "200" ]
     then
     rm -f $PIDFILE
     echo "UP"

    else
      rm -f $PIDFILE
     echo "DOWN"

    fi

    exit

As here I have substituted the username, domain name and the password for obvious reasons.

Currently the username has no access to google.com (this is how it should be since it is not allowed access on the proxy) and when executed in CLI the script returns DOWN, as the http_code is 403 - Forbidden.

ANYWAY in the WEB interface it shows all nodes green, which should not be the case..

Any help is much appreciated.

Regards, Nayden

  • Can you please paste your pool config as returned by "tmsh list pool ?"
  • Hello all,

    We managed to get the things done by simple HTTP monitor.

    GET HTTP://www.google.com. HTTP/1.1\r\n Proxy-Authorization: Basic  \r\nHost: www.google.com.sg\r\nAccept: /\r\n
    

    And expecting

    HTTP/1.1 200 OK
    

    Cheers, Nayden