iRule resulting in too many redirects
I have two requirements with my virtual server. 1. A redirect to /pc/service/SSOLogin 2. 24 hour persistence based on the JSESSIONID cookie in the request header. The first one was accomplished early on with a policy that redirects to location '/pc/service/SSOLogin' at request time. This has worked without any issues until I tried to implement the JSESSIONID persistence. To accomplish the second, I created an iRule to be used with the Universal persistence profile. When I implemented this persistence profile, the redirect policy no longer worked. My assumption was that the iRule and the policy were conflicting with each other. To resolve this, I created a single iRule to handle both of these requirements. Now, I am getting too many redirects. The iRule is below. when HTTP_RESPONSE { ## PERSISTENCE # If the JSESSIONID exists, we'll pass the cookie along if { [HTTP::cookie exists "JSESSIONID"] } { persist add uie [HTTP::cookie "JSESSIONID"] 86400 } } when HTTP_REQUEST { ## PERSISTENCE # If the JSESSIONID exists, we'll maintain that persistence if { [HTTP::cookie exists "JSESSIONID"] } { persist uie [HTTP::cookie "JSESSIONID"] } ## REDIRECT # This grabs the base url from the incoming request # For Example, https://my.site.com/some/path the base_url is set to https://my.site.com set base_url "https://[HTTP::host]" # Defining the new path set new_path "/pc/service/SSOLogin" # Construct the new URL # For example, https://my.site.com/pc/service/SSOLogin set new_url "$base_url$new_path" # Redirect to the new URL HTTP::redirect $new_url }
Irule Check payload contains
Hi Everyone, i have a request payload like this: POST /webconsole/api/security/auth/login HTTP/1.1 Host: Connection: keep-alive Content-Length: 58 sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122" Accept: application/json, text/plain, */* Content-Type: application/json sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 ( OrganizationID: sec-ch-ua-platform: "Windows" Origin: Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: {"UserName":"test.org\\secadm01","Password":***************} I want to create an irule to check with this URI: /webconsole/api/security/auth/login and client IP address is not X.X.X.X and the user login with user secadm will be blocked. other users with usernames not contain "secadm" would be ok. But this does not work. Please help advise I write an irule as below: when HTTP_REQUEST { if { [HTTP::path] equals "/webconsole/api/security/auth/login"} { if { [IP::addr [IP::client_addr] != 10.168.17.127] } { if { [HTTP::payload] contains "secadm" } { drop } } } }iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
when CLIENT_ACCEPTED { if { [class match [IP::client_addr] equals allowed_internal_subnets] } { log local0. "Internal Clients allowed: \ [IP::client_addr]" pool MY_POOL } } when FLOW_INIT { set ipaddr [IP::client_addr] set fromCountry [whereis $ipaddr country] if {! [class match $fromCountry equals allowed_geoip_datagroup]}{ drop } } ltm data-group internal allowed_internal_subnets]{ records { 10.0.0.0/8 { } } type ip } ltm data-group internal allowed_geoip_datagroup { records { EU { } US { } } type string } Hi everyone! Need some help here from all the smart people on this forum. We are trying to create an Irule to block all countries not in the data group using the BigIP GeoIP database and lookup...however, we still have users within the 10.0.0.0/8 internal subnets needing to connect. When they connect to the VIP, their source address is in the 10.0.0.0/8 range, however, they get dropped by the FLOW_INT match for some reason....what am I doing wrong and how do I fix this? Here is what it should happen.... All external internet users coming from US/EU (using the bigip geoip lookup database) should be allowed, otherwise all countries not matching this should be dropped...this seems to be working.. All internal users coming from the 10.0.0.0/8 or RFC 1918 should be allowed and not dropped. How do I add both logic together in one flow? This irule is dropping the internal users for some reason...how do we allow all internal users in also, while dropping external users not matching the GeoIP logic? Thanks again...
Rate limiting per IP and URI
Customer application is been flooded of client HTTP POST requests on every minute. I need to come up with a solution for rate limiting on a VS in our LTM-VE so a source IP will be limited for specified URI's with 1 requests per 10 minutes. During validation test we see the irule logs under /var/log/ltm: Feb 28 20:23:48 lb01-mgmt info tmm1[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 191.44.3.193%2 exceeded max HTTP requests per second Feb 28 20:23:48 lb01-mgmt. info tmm7[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 201.79.26.68%2 exceeded max HTTP requests per second Feb 28 20:23:48 lb01-mgmt info tmm7[17492]: Rule /LB1_VRF2/NGSC_Err429 <HTTP_REQUEST>: 200.165.153.27%2 exceeded max HTTP requests per second but client is not receiving HTTP 429 after two retries within 10 minutes We create the following irule, could you guys see any error on the irule? # Function : RateLimit HTTP POST requests per IP, for NGSCserver when RULE_INIT { set static::maxRate 1 set static::windowSecs 600 } when HTTP_REQUEST { if { ([HTTP::method] eq "POST") and [HTTP::uri] contains "/NGSCserver/"} { # set variables set limiter [string tolower [HTTP::host]] set clientip_limitervar [IP::client_addr]:$limiter set get_count [table key -count -subtable $clientip_limitervar] # main condition if { $get_count < $static::maxRate } { incr get_count 1 table set -subtable $clientip_limitervar $get_count $clientip_limitervar indefinite $static::windowSecs } else { HTTP::respond 429 content "Request blockedExceeded requests/sec limit." log local0. "[IP::client_addr] exceeded max HTTP requests per second" drop return } } }
APM inactivity timeout redirect or notification page for LTM + APM connections
Background on this: Have a customer that is publishing a Microsoft CRM instance behind APM and doing KCD with smart card auth. Access policy works fine, KCD works fine, web app works fine. The only problem we have is the inactivity timeout setting. Once the limit has been reached, the session is removed and content is no longer sent to the user in a very abrupt fashion. This is a problem because ALOT of the page is cached on the clients workstation and all they see is broken JPEGs and incomplete web content. Once they click around they are re authenticated but it is not pretty. I want to find a way to notify the user they have been inactive for a certain amount of time, send a HTTP 200 response with content notifying them with a link to click on to re authenticate. The option of increasing the inactive timeout is not an option due to their access session license limit. There would be alot of abandoned sessions that would aggregate potentially going over this limit. I know with webtop and ssl vpn, you get a notification that you are about to be logged out due to inactivity but this doesn't seem to be available for LTM + APM policies. This is what I have so far, there has to be a more efficient way of doing this though. when ACCESS_SESSION_STARTED { set ::EXPIRE "false" } when ACCESS_SESSION_CLOSED { log local0. "Session has been closed" set ::EXPIRE "true" } when HTTP_RESPONSE { if {$::EXPIRE equals "true"} { HTTP::respond 200 content " You've Been Logged out due to inactivity You have been logged out due to inactivity Thanks for Using the application Click to log back in. " } }
LTM | Preserve Client IP Address in L3 Mode
TLDR; Is there any way to 'preserve original client source IP address' in the packets sent from LTM to the realserver? I am currently using a non-F5 SLB solution, looking to migrate to F5 LTM. But even before we begin to evaluate F5, we would like to get some feedback on the technical viability of one of my requirements because this is make or break for our consideration. We have a critical application load balanced in L2 bridge mode, because the application requires the original client IP in the packet. But I am tasked with getting rid of L2 mode and move the application to L3 load balanced mode. I have looked at DSR and SNAT, but they're not feasible for our environment.
