F5 iRule to route traffic based on AS2 headers doesnt work
We are testing iRule on our F5 load balancer to route traffic based on the AS2 headers to different internal servers. We have created below iRule that inspects the HTTP headers and to directs the traffic accordingly. But we dont see traffic come to new pool member but goes to the existing pool member. can anyone help on this, this is a new requirement for our client. when HTTP_REQUEST { # Check if the AS2 header exists if { [HTTP::header exists "AS2-From"] } { # Get the value of the AS2 header set as2_from [HTTP::header "AS2-From"] # Route based on the AS2 header value switch $as2_from { "INTGHXCOMS" { pool pool_partner1 } "INTGHXEUCOMS" { pool pool_partner2 } default { # Default pool if the AS2 header value does not match any known values pool pool_default } } } else { # Default pool if the AS2 header does not exist pool pool_default } }
Redirect iRule differences...
We have a situation where we need to redirect users from one domain to another and had been using Method 1 ( shown below ) of redirection via iRule. It was recently brought to our attention by our web team that the way we were doing the redirects for one of their sites in particular was "really bad" for SEO and we ended up making them happy with doing it via Method 2 ( shown below ). While my team officially maintains our BIG-IP's, we are not network/web savvy and don't really understand the difference here. We have a new site that needs to be redirected and we are not sure which method to use. Would someone please explain in what cases you would use one over the other. Thanks. Method 1 when HTTP_REQUEST { if { [HTTP::host] eq "website1.com" } { HTTP::redirect https://websitesite2.com } } Method 2 when HTTP_REQUEST { if { ([string tolower [HTTP::host]] eq "website1.com")} { HTTP::respond 301 Location "http://website2.com" return } }APM combine check for ldap group plus IP ACL
Hi, A client wishes to create an APM policy that will, amongst other things, do the following - The client has a group of users that have to meet two conditions to access the resource. We need to check in combination that the user is both a member of an AD group and that the group also matches an IP ACL. Can this be done using only APM, and if so, how? Or do we need to combine an IRULE and if so, is there a simple way to do this? (we have 30 groups that need to be matched to ACLs). Thanks, Vered
Send Client HTTP Request to Pool And Send HTTP Response From BIG-IP to Client.
Good day everyone. We are starting a F5 XC POV and I'm currently focused on external logging to Graylog. XC is sending log messages via HTTPS to a BIG-IP VIP. Graylog doesn't support HTTP JSON messages. However we've configured a Raw/Plaintext TCP input and it is processing received messages great with the help of some pipeline rules. Graylog however isn't sending any HTTP response, which I understand why but that is what I'm trying to see if I can overcome. I am seeing XC repeatedly sending the same log messages. I'm assuming because it never receives a HTTP 200 response. Seems like reasonable behavior. So XC is sending messages properly and Graylog is consuming them properly. Because there isn't any option I can see to get Graylog to generate a HTTP response I am exploring options to get the BIG-IP to send the response with an iRule. I read to the following doc: https://clouddocs.f5.com/api/irules/HTTP__respond.html Snip from that: Generates a response to the client as if it came from the server. If the command runs on the client side, it sends the response to the client without any load balancing taking place. If the command runs on the server side, the content from the actual server is discarded and replaced with the information provided. I am hanging my hopes on getting the bold comment working. But I don't know if this requires a server-side response to behave properly. I started with following iRule: when HTTP_REQUEST_SEND { serverside { HTTP::respond 200 -version 1.1 noserver } } I'm POST'ing some JSON via cURL I've seen sent from XC. I see the log message in Graylog without the iRule in place and cURL eventually times out expected. When I put the above iRule in place and execute the same cURL test I get a HTTP 200 response from the BIG-IP however I don't see the log message in Graylog. I've verified with a server-side packet capture on the BIG-IP the HTTP post is never sent to Graylog. This obviously explains why I don't see it in Graylog. I've tried several variants of the above iRule. For example, I tried the clientside context even though the documentation clearly states I should get the behavior I'm seeing. I tried putting the HTTP::respond in different events, HTTP_RESPONSE for example. But I am not able to find the correct approach to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client. I'm hoping someone is able to either confirm this is even possible or provide some guidance to get the BIG-IP to send the HTTP POST to Graylog and send the HTTP 200 to the client. Thank you kindly in advance.
VPN fragmented IP packets dropped
VPN fragmented IP packets being dropped by the Big-IP, because of 'tm.minipfragsize > default=552' (K52103592) TCPDump showed the ip packets arriving on the client-side and never being forwarded on the server-side. Any idea if an iRule could disregard 'tm.minipfragsize > default=552' for specific Virtual Servers, without affecting other Virtual Servers?
redirect not working
I have below scenario works without redirect if statement . when i add the if statement for uri redirect getting a reset. when HTTP_REQUEST { if { [HTTP::uri] starts_with "/" } { HTTP::redirect /testpage } #log local0. "Active members is [active_members pool1]" if { [active_members pool1] == 0 }{ if { ( ( [class match [IP::client_addr] eq "whitelist"] ) && ( [active_members pool2 ] > 0 ) ) } { pool pool2 } else { HTTP::respond 503 content [ifile get "applicationdown.html"] } } }