Re-execute iRule to read CN value of client cert, but after you know URI.
Hi We have been dealing with a new implementation where we need to either accept or reject access to a certain path/URI of a VIP based on the CN of the client cert.........and for other paths that either don't have a client cert or the CN of a client cert does not match our Data-group allow access to other URIs. We have a iRule below which works great, but it has to request a user for a client cert in which we only want to do when required to go to the target URIs. The only way we can get this to work is to have the "request" option enabled in the SSL client profile so it reads the subject under "when CLIENTSSL_CLIENTCERT' which obviously happens before we can read the path under "when HTTP_REQUEST" which is not great as it requests the client using a browser for a client certificate, which is what we want to avoid. What we want to do is renegotiate SSL when going to a certain path so only those trying to get to a special path get requested for a client cert and then the subject is read and decision made based on CN of cert as to whether they can get to that path We have tried to trigger a renegotiate ssl in a Proc, but the problem is we need to read the subject that you can only do in "when CLIENTSSL_CLIENTCERT" and don't know how to do that after a renegotiation ssl. We thought hat maybe we could restart the whole iRule again from the proc, but don't know how to do that. Maybe we could call another iRule, but it looks like that is just a proc too and we can't nest "when CLIENTSSL_CLIENTCERT" in anything. We have asked a TCL guru in our organisation and they are a little stumped too, so any help would be greatly appreciated. As far as we can tell that can't be nested in a proc or any other stanza. Maybe there is a better way or there is a simple line of code we are missing. Here is a our script that does everything we need , but requests human clients using a browser for a client cert. when RULE_INIT { set static::debug 1 } when CLIENTSSL_CLIENTCERT { # Check if client provided a cert if {[SSL::cert 0] eq ""}{ set subject_dn void log local0.info "NoCert: $subject_dn" } else { #Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith set subject_dn [X509::subject [SSL::cert 0]] set client_cert [SSL::cert 0] set ssl_client_cert_value [X509::whole $client_cert] set client_cert_validated 1 log local0.info "Client Certificate Accepted: [SSL::cert 0]" log local0.info "Client Certificate Received: $subject_dn" #Check if the client certificate contains the correct O and a CN from the list } } when HTTP_REQUEST { set httpUri [HTTP::uri] switch -glob [HTTP::uri] { "/BlahBlah" - "/YadaYada/*" { ##This is where we want to renegoiate a new SSL profile and read the client cert" if { [info exists client_cert_validated] and ([matchclass $subject_dn contains API-CN_List]) } { #Accept the client cert log local0.info "ClientCertAccepted: $subject_dn" return } else { log local0.info "nugh 2.1" ###Or here } } "/FreeForAll" - "/NoNeedForCertHere" { log local0.info "NoCertRequired" return } default { log local0.info "NoMatchingPath" reject return } } }56Views0likes2CommentsCreating iRule for Persistence Profile
Dear Community, Could you assist me in creating an iRule for a Persistence Profile requirement related to an SSO application? When users access our application via desktop, they are presented with a QR code for scanning through a mobile app to authenticate and gain access. The issue arises when, after browsing the website from the desktop (with the session routed to one node via F5 LTM), another request from the mobile app after scanning the QR code is routed to a different node. Ideally, both requests should be directed to the same node. To resolve this, the iRule needs to compare the var topic parameter with the QR_AUTHENTICATION_CHANNEL_ID from the mobile request and ensure both are directed to the same node attached is the screenshot of the code and HTML code of the website /*<![CDATA[*/ var endpoint = "\/qr-websocket"; var topic = "80f95f6f-cecf-4ab6-a70b-1196194e4baa"; var prefix = "\/qrtopic"; var stompClient = null; $(function () { var socket = new SockJS(endpoint); stompClient = Stomp.over(socket); stompClient.connect({}, function (frame) { stompClient.subscribe(prefix + '/' + topic + '/verify', function (result) { console.log(result.body); let body = JSON.parse(result.body); if (body.error) { $("#qrerror").show(); } else if (body.success) { stompClient.disconnect(); $("#qrerror").hide(); $("#qrform #token").val(body.token); $("#qrform #deviceId").val(body.deviceId); $("#qrform").submit(); } }); }); }); /*]]>*/ Regards Omran Mohamed31Views0likes0CommentsTCP::collect and large TLS v1.3 client hello packets
Is anyone using iRules successfully to parse SNI names from the new TLS 1.3 hybridized Kyber client hello packets? The problem is the these packets are larger than MTU(?) size, around ~1800 bytes. Normal hello packets are ~500 bytes. I'm using TCP profile for which iRule parses SNI name to pass the connection as is to correct destination pool. How to reproduce: when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { # [TCP::payload length] shows only 1352, rest of packet missing, CLIENT_DATA is never called again } It only ever gets the first ~1352 bytes from packet, CLIENT_DATA is only called once, seems there is no way to get rest of the packet. If I add argument to collect length >1500 with "TCP::collect 1600", then it will read the whole ~1800 byte packet in first CLIENT_DATA. But this will break all connections that send normal small ~500 byte hello packets, as it just keeps on waiting for data indefinitely. Is there any workaround? BIG-IP version 16.1.4.1.Solved77Views0likes4CommentsiRule - redirection and capturing a string value
Looking for suggestions regarding the capture of a value and injecting that into a new URL / URI (the value below (3745) is dynamic. https://www.site1.com/aaaa/sc-dsp.jsp?rc=3745&lang=eng Redirects to: https://www.site2.com/en/Office?posui=374524Views0likes1CommentiRule not working for URI Block
I have a virtual server www.xyz.com hosted on LTM for HTTPS service and i'm looking to block (403 response) one of the application URI which is https://www.xyz.com/MW/entryPoint.htm I tried below irule but its not working . when HTTP_REQUEST { if { [HTTP::has_responded] } { return } if {[string tolower [HTTP::host]] contains "www.xyz.com" && [string tolower [HTTP::uri]] eq "/MW/entryPoint.htm" } { HTTP::respond 403 return } } Any suggestions appreciated. Thanks.23Views0likes1CommentAdvice to partial rename uri path
Hi there masters! I would like to ask for advice. Is there a possibility that after I redirect an URL I can partial rename the 1st two paths in the redirected URI path? So, for example: when client requested our main page... "https://companyA.com/" I will redirect this to a path of "https://companyA.com/room/desktop/r/Home".. Then, I will hide/or rename the 1st two paths and this will appear on client's browser as "https://companyA.com/bed/table/r/Home". /bed/table uri path are strings not location or directory. Would this be plausible? I really just want to change their strings. I tried to code it but only the redirect is successful except for the changing of the names of the two paths: When HTTP_REQUEST{ if {([HTTP::host] equals "companyA.com" and [HTTP::uri]equals "/")}{ HTTP::redirect "https://[HTTP::host]/room/desktop/r/Home" } } When HTTP_RESPONSE { if {[HTTP::header exists "Location"]}{ HTTP::header replace "Location" [string map {"/bed/table" "/room/desktop"} [HTTP::header "Location"]] } } Can you help me on this? Thanks! Regards, ZeigSolved89Views0likes8CommentsiRule - XFF different case based on direction
I have an issue with Bitbucket versions where XFF is sent differently depending on the direction of traffic between versions. I am sure other apps have this issue as well. Bitbucket versions ( v7.2.5 --> v8.19.3 ) Can the XFF type case-sensitivity be controlled based on direction. (Right side is a mixed up standard and all upper-case versus the left side is all lower-case.35Views0likes2CommentsiRule to extract SNI and forward to Virtual Server
Hey guys, Currently I use traffic policies on a frontside VS to inspect the SNI and forward the traffic to a backside VS properly. I tried to use an iRule instead because sometimes traffic policies are a bit nasty to configure. Anyways, I deployed this simple iRule when CLIENTSSL_CLIENTHELLO priority 100 { set sni [SSL::extensions -type 0] log local0. "Client SNI: $sni" if { $sni equals "fqdn.com" } { virtual vs-https443-fqdn.com } else { drop } } The log says this <CLIENTSSL_CLIENTHELLO>: Client SNI: �����������fqdn.com The forwarding does not work. I think it's binary. I was able to trim away these characters set sni [string range [SSL::extensions -type 0] 9 end] and the forwarding worked out. I thought I had to trim 10 characters (indexing starts with 0, not 1) but I had to use 9 because the first character of the FQDN has been removed. Any ideas on this? However, it works. What would be your approach to solve this? And lastly is there a possibility to decode the binary stuff?Solved70Views0likes6CommentsLoad Balance 4 URI over 2 IPs and rewrite http response location
I have been struggling with this and I hope someone can assist. The challenge is twofold: 1. Need Virtual Server to load balance between 4 URIs which are spread over 2 Nodes. 2. When the webservers respond, they respond with a location which points to itself instead of the FQDN the client specified I have tried solving with numerous variations of below iRules, but fail when the client receives the Nodes http://hostname:portnumber/URi/web2.exe (which isn't reachable from client network). @1:Irule to load balance between 4 URIs: Virtual Server name: vs_example.com IP: 172.16.0.1 b. Pools: pool_example1-uri-1_81 - node_01_10.0.0.1:81 pool_example1-uri-2_81 - node_01_10.0.0.1:81 pool_example2-uri-3_81 - node_02_10.0.0.2:81 pool_example2-uri-4_81 - node_02_10.0.0.2:81 c. iRule: when HTTP_REQUEST { # Check if the requested URI is either / or /CAisd/pdmweb.exe if { [HTTP::uri] eq "/" or [HTTP::uri] eq "/CAisd/pdmweb.exe" } { # Define the possible URIs and corresponding pools set uri_pool_map { /URi/web1.exe pool_example1-uri-1_80 /URi/web2.exe pool_example1-uri-2_80 /URi/web3.exe pool_example1-uri-3_80 /URi/web4.exe pool_example1-uri-4_80 } # Initialize a list of available pools set available_uri_pool_list {} # Check the availability of each pool and add to the list if available for {set i 0} {$i < [llength $uri_pool_map]} {incr i 2} { set pool_name [lindex $uri_pool_map [expr {$i + 1}]] if {[active_members $pool_name] > 0} { lappend available_uri_pool_list [lindex $uri_pool_map $i] $pool_name } else { log local0. "Pool $pool_name is not available" } } # If no pools are available, send an error response if {[llength $available_uri_pool_list] == 0} { HTTP::respond 503 content "Service Unavailable - No available pools" return } # Select the next URI and corresponding pool in a round-robin fashion from available pools set index [expr {[clock clicks -milliseconds] % ([llength $available_uri_pool_list] / 2)}] set next_uri [lindex $available_uri_pool_list [expr {$index * 2}]] set next_pool [lindex $available_uri_pool_list [expr {$index * 2 + 1}]] # Log the selected URI and pool for troubleshooting log local0. "Selected URI: $next_uri, Pool: $next_pool" # Replace the URI with the selected one HTTP::uri $next_uri # Select the corresponding pool pool $next_pool } } @2. iRule to replace location in HTTP Response when HTTP_RESPONSE_RELEASE { if { [HTTP::header exists "Location"] } { set location [HTTP::header "Location"] log local0. "Original Location header: $location" # Modify the Location header if it contains the internal server reference if { $location starts_with "http://webserver1" || $location starts_with "http://webserver2" } { set new_location [string map { "http://webserver1:81" "https://172.16.0.1" "https://webserver1:81" "https://172.16.0.1" "http://webserver2:81" "https://172.16.0.1" "https://webserver2:81" "https://172.16.0.1" } $location] HTTP::header replace "Location" $new_location log local0. "Modified Location header: $new_location" } } }53Views0likes1Commentirule for DNS traffic
Hei We have to setup a DNS pointer in F5 for our web. User need to get the IP as per the region they login, if the login IP from Japan , they should get nearest loc IP. Please help to get a valid irule , pls? i tried so much, but nothing working as expected Tomi40Views0likes3Comments