Intermittent Net::ERR_CONNECTION_RESET Error and Incomplete Loading over HTTPS
I have an F5 load balancing setup configured with two servers. My MVC web application, which incorporates Kendo UI, jQuery, and bootstrapping, is hosted on an IIS server with an SSL certificate. However, when accessing the application via HTTPS from outside the server, it often or sometimes results in a 'net::ERR_CONNECTION_RESET' error, with intermittent failures to load JavaScript and CSS files to the client browser. Strangely, upon reloading the page, the assets load properly, and the page functions as expected. This issue did not occur when the application was accessed via HTTP, where it worked properly without any issues. What could be the reason behind this problem?

Loadbalancing a 2-stage proxy environment - persistence problems
Hello fellow F5 experts,

My situation: I try to load balance web proxy traffic. In general it seems to work, but we've run into some problems relating to websites with weird session handling. I sketched up the environment in the following image.

A client uses VS-A as its HTTP proxy. This VS load balances to two of our own proxies in Pool A. Those are not transparent, so outgoing traffic toward their upstream proxy (VS-B) will have the Pool A node's IP as source address. The proxies use the HTTP CONNECT method. VS-B, on the other hand, has a Pool B attached with a lot (as in really a lot of) other proxy servers that are not under our control (but are trustworthy, and have to be used. No way around it).

VS-A:
  Type: Standard
  HTTP profile: http-transparent (to be able to use LB method Fastest (node))
  Source Address Translation: none
  Default Persistence Profile: source_addr
Pool A:
  LB Method: Fastest (node)

VS-A:
  Type: Standard
  HTTP profile: http-transparent (to be able to use LB method Fastest (node))
  Source Address Translation: SNAT
  Default Persistence Profile: none
Pool B:
  LB Method: Fastest (node)

Problem: On some websites, people complain about losing their sessions. I tracked it down to VS-B, which cannot persist connections to a website to the same node in Pool B. Since VS-B does not see the original client IP, but only the 2 proxy IPs, I have no idea how to establish proper persistence. For a very important website, I wrote an iRule that "hard-binds" to a single node in Pool B, based on the HTTP::URI.

My question: Is my config viable at all? Or what should I change? I read a lot of articles here, but I never had the feeling that those met my situation with the "2-stage" proxy environment. I was thinking about adding an HTTP header with the original client IP by an iRule in VS-A, so I have something to make a persistence decision on in VS-B, but I'm not sure how to do that.
I also often read about applying the OneConnect profile combined with proxy load balancing, but I don't think I really understood the reason and/or benefit, nor do I know where to apply it in this environment. I hope I made it somewhat clear what I try to accomplish and where the problems are, since English is not my mother language and I'm a bit rusty using it. Any help or hint is very much appreciated.

Thanks in advance,
ichnafi

EDIT (28th Feb): I just found out that the desired website can be acquired from the HTTP::host header even by VS-B. So would it be possible to establish a persistence for the combination of client IP and HTTP::host header?

EDIT2: Possible solution found (1st Mar). I currently ended up with an iRule creating a universal persistence based on the HTTP::host header. The iRule is then bound to a universal persistence profile. The iRule looks like this:

when HTTP_REQUEST {
    persist uie [HTTP::host]
}

I'm thinking of maybe creating a custom header that contains a combination of client IP and HTTP::host value to get an even more definite persistence, but not quite sure about that. What do you guys think?

FTP proxy via iRule
Hello,

I'm trying to do an anonymous FTP connection through an F5 iRule. My logs of the iRule look like this:

Rule /Common/iRule_ftp_proxy <CLIENT_ACCEPTED>: client FTP accepted
Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: client payload - USER anonymous@193.190.198.27
Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: sitename:193.190.198.27 - cmd:USER - uid:anonymous
Rule /Common/iRule_ftp_proxy <CLIENT_DATA>: address 193.190.198.27 port 21
Rule /Common/iRule_ftp_proxy <SERVER_CONNECTED>: connected to server
Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 220-Welcome to the Belnet public FTP server ftp.belnet.be !This server is located in Brussels, Belgium and operated by Belnet, the BelgianEducation and Research Network. If you have any problem, question or mirrorrequest, please send them to ftpmaint@belnet.be.This archive is available through the following means:RSYNC rsync://rsync.belnet.be (IPv4)HTTP http://ftp.belnet.be (IPv4 + IPv6)FTP ftp://ftp.belnet.be (IPv4 + IPv6)
Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server found 220 ok
Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payloadNote: opening too many parallel connections to this host is considered an abuse.All access is logged.Currently used storage capacity : 34T / 100T on /ftp220 193.190.198.27 FTP server ready
Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 331 Anonymous login ok, send your complete email address as your password

When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it.

This is my SERVER_DATA in the iRule (static::debug is expected to be set in RULE_INIT):

when SERVER_DATA {
    if { $static::debug } { log local0. "server payload [TCP::payload]" }
    # Server banner: send the USER command ourselves and drop the banner from the payload
    if { [TCP::payload] starts_with "220" } {
        if { $static::debug } { log local0. "server found 220 ok" }
        TCP::respond "USER $uid\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
    TCP::collect
}

I also tried modifying the rule like this:

when SERVER_DATA {
    if { $static::debug } { log local0. "server payload [TCP::payload]" }
    if { [TCP::payload] starts_with "220" } {
        if { $static::debug } { log local0. "server found 220 ok" }
        TCP::respond "USER $uid\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
    }
    # Password prompt: answer it ourselves and drop it from the payload
    if { [TCP::payload] starts_with "331" } {
        TCP::respond "PASS $uid@example.com\r\n"
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
    TCP::collect
}

This gets me one step further, but I'm still not able to connect. When I check with a Wireshark capture on my client, the '331 Anonymous login ok, send your complete email address as your password' never reaches the client. Without the proxy, it does reach the client and FileZilla knows how to deal with it.

Rule /Common/iRule_ftp_proxy <SERVER_DATA>: server payload 230 Anonymous access granted, restrictions apply

Why is the '331 server_data' not being forwarded to my client so it can respond to it, or is this the task of the proxy? And why is the '230 server data' not reaching the client?

Cheers

FTP proxy data connection
I've used this FTP proxy for FTP connections: https://devcentral.f5.com/codeshare/ftp-proxy-v10-and-up

My iRule:

when CLIENT_ACCEPTED {
    TCP::respond "220 Welcome to the F5 FTP Proxy v10\r\n"
    log local0. "client accepted"
    TCP::collect
}
when CLIENT_DATA {
    set ftplogin [TCP::payload]
    log local0. "login is $ftplogin"
    if { $ftplogin starts_with "USER" } {
        # You can set it up to use any DNS server you want.
        set dnslookup "10.191.31.60"
        set cuser [TCP::payload]
        # Split "USER name@sitename" into the site name and the command/user parts
        scan $cuser {%[^@]@%s} garbage sitename
        scan $garbage %s%s cmd uid
        log local0. "$sitename"
        set ips [RESOLV::lookup @/OpusCapita/vs_dns_test -a $sitename]
        # DNS is not used at the moment; the site name is used directly as the address
        set ips $sitename
        if { $ips eq "" } {
            # Input wasn't an IP address, take some default action?
            log local0. "$ips Input wasn't an IP address"
            reject
        } else {
            TCP::payload replace 0 [TCP::payload length] ""
            set ftp_serv "[lindex $ips 0]"
            node [lindex $ips 0] [TCP::local_port]
            log local0. "member adresa [lindex $ips 0] port [TCP::local_port]"
        }
    }
    TCP::release
}
when SERVER_CONNECTED {
    TCP::collect
}
when SERVER_DATA {
    set serv_data [TCP::payload]
    if { $serv_data contains "220" } {
        TCP::respond "USER $uid\r\n"
        log local0. "user= USER $uid"
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
}

The user can connect to my FTP proxy VIP and connect to the destination ($sitename) server. At the moment I don't use DNS. But when the user tries to transfer some data to the FTP server, the user sees only a timeout and no data is sent. Can you please check where the problem can be?

My FTP profile:
  Name: proxy_ftp
  Parent Profile: ftp
  Translate Extended: Enabled
  Inherit Parent Profile: Enabled
  Data Port: 0

And log from ftp server:

[Cway2:/home/jtoivola/TEMP] date ; ftp 82.180.230.19 121
Fri May 20 12:31:06 EEST 2016
Connected to 82.180.230.19.
220 Welcome to the F5 FTP Proxy v10
Name (82.180.230.19:jtoivola): cwjuha1@82.180.220.75
331 Password required for cwjuha1.
Password:
230 User CWay2005Juha1 logged in.
Remote system type is UNIX.
ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '230 User CWay2005Juha1 logged in.'
ftp-child [32279] <05/20-12:37:47> USER-INF 'SYST' from 82.180.230.19
ftp-child [32279] <05/20-12:37:47> TECH-DBG from Server-PI (3): '215 UNIX Cway'
ftp-child [32279] <05/20-12:37:51> USER-INF 'PORT 82.180.230.19:51418' from 82.180.230.19
ftp-child [32279] <05/20-12:37:51> USER-INF 'STOR testi' from 82.180.230.19
ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '227 Entering Passive Mode (10,190,8,6,225,252)'
ftp-child [32279] <05/20-12:37:51> TECH-DBG got SRV-PASV 10.190.8.6:57852 for 82.180.230.19:28912
ftp-child [32279] <05/20-12:37:51> TECH-INF 'STOR testi' sent for 82.180.230.19
ftp-child [32279] <05/20-12:37:51> TECH-DBG from Server-PI (3): '150 ASCII data connection for testi (82.180.220.75,36979).'
ftp-child [32279] <05/20-12:37:55> USER-INF Transfer for 82.180.230.19 completed: STOR 'testi' read 0/4 byte/sec
ftp-child [32279] <05/20-12:37:55> TECH-DBG from Server-PI (3): '552 testi: An invalid argument value was given.'

Websites do not load correctly when load balancing via proxy
We currently have a pair of BIG-IPs with 11.5 running in our DC. One of the services we want to load balance is a pair of Cisco WSAs (IronPort) which function as web proxies. When a client connects via the BIG-IP's VIP to access the proxies, we have the problem that not all of the content is loaded. This problem does not change if we take one of the WSAs out of the pool, so that we can be sure we always go via the same proxy. It is also working fine when the clients go via one of the proxies directly.

[UPDATE] The http-WSA-proxy profile is based on the fastL4 but has XFF enabled.

Does anyone have an idea what we are missing and why we are not receiving the complete page?

High level traffic flow: Client <> BIG-IP Cluster <> Firewall <> 2x Cisco WSA Web Proxy <> Firewall <> Internet

LTM config:

ltm virtual vs_NAME {
    destination VIP%RD:webcache
    ip-protocol tcp
    mask 255.255.255.255
    partition NAME
    persist {
        source_addr_mirror {
            default yes
        }
    }
    pool NAME
    profiles {
        /Common/fastL4 { }
        http-WSA-proxy { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans {
        NAME-VIPs
    }
    vlans-enabled
    vs-index 17
}

Any iRules that acts as Virtual Server for By-Pass Cert
F5 APM with the SWG module, so this F5 acts as a proxy and intercepts certificates. I have a problem with the intercepted certificate: some websites cannot use it, so I solved that problem by creating a new virtual machine and fixing the destination to each website's IP (nslookup). But I think it's not a good solution, because if more websites have this problem, I have to add more virtual servers. So I try to use iRules to bypass the destination.

when CLIENT_ACCEPTED {
    # Compare the virtual server's local address with the bypass address
    if { [IP::addr [IP::local_addr] equals "xxx.xxx.xxx.xxx"] } {
        SSL::disable
    }
}

But it did not work. Please could you suggest the iRules command to me.

How to delete proxy sys db configurations on ASM?
Hello Everyone,

I'm having an issue here where I'd like to totally remove the proxy configuration. What happens here is that the ASM tries to resolve <null> as a domain, so the update fails. We are using TMOS v14.1.

Thanks in advance!

iRule for web proxy for only 2 address in internet
Hello,

I created a proxy following the manual https://community.f5.com/t5/technical-articles/configure-the-f5-big-ip-as-an-explicit-forward-web-proxy-using/ta-p/286647

After that I want to create a custom iRule or other solution for the next task:

source address: 5 servers in the DMZ zone
destination address to the internet: only 2 addresses: https://login.microsoftonline.com and https://graph.microsoft.com

First of all, do I need to create a data group list with these URL strings and attach it to the iRule, or is all the information only in the iRule? Please can somebody share a manual or example for that solution.

ProxyPass v10/v11 modifications - how to share?
I've just started using the ProxyPass v10/v11 iRule to move a number of Apache mod_proxy reverse proxies to our F5 HA pair. The first site moved was a simple HTTP clientside to HTTP serverside with no payload rewriting, and it worked perfectly as documented. Then I started to see things that could be improved and a few things that didn't work and could be fixed.

Localised Options

The static::ProxyPassDebug and static::RewriteResponsePayload are inconvenient when the iRule is used by multiple virtual servers, so I've localised these for each virtual server in a new data group "ProxyPassOptionsVIRTUAL".

Protocol Rewriting

We offload SSL to some of our proxies, so I found the request header and referer rewriting wasn't rewriting the protocol, resulting in the browser getting connection errors at least, I think, unless the virtual server accepts both HTTP and HTTPS, in which case the iRule appears to trap the unchanged protocol in the new request and rewrites and redirects it back to itself. I have fixed this by inferring the serverside protocol for each pool from the ProxyPassSSLProfile information if it exists. There are a couple of assumptions/requirements supporting this method:

1. If any pool, default or alternative, requires SSL it must have a server profile entry in this data group.
2. The clientside protocol is detected via the CLIENTSSL_HANDSHAKE event.

Response Payload Protocol Rewriting

Payload rewriting doesn't rewrite the protocol. I have fixed this also, following from the previous item.

Response Payload Rewriting Generally

I think payload rewriting is incomplete if it only rewrites matching the current request URL components. That is, currently for a request rewrite e.g. "http://www.company.com/some/path" to "", the response payload will reverse only this URL. If the payload includes other absolute URLs e.g. "", this will be missed.
So the iRule needs to be modified to rewrite just the "protocol://host_serverside" part for all URLs starting with that string, but it also needs to rewrite any path components that start with any path component in "ProxyPassVIRTUAL" that match the serverside host. For example, given the following "ProxyPathVIRTUAL":

"www.company.com/some/path" := "backend.internal/other/path"
"www.company.com/some/other/path" := "backend.internal/yet/another/path"

Given a request "http://www.company.com/some/path", all of the following rewrites need to occur if found in the response payload:

"http://backend.internal/other/path" -> "http://www.company.com/some/path"
"http://backend.internal/yet/another/path" -> "http://www.company.com/some/other/path"
"http://backend.internal/unchanged/path" -> "http://www.company.com/unchanged/path"
"/other/path" -> "/some/path"
"/yet/another/path" -> "/some/other/path"

URL Rewriting and Case (In)Sensitivity

The original iRule assumes case sensitivity, which may be valid but is impractical. Unfortunately, we have a backend application running on Windows and the developers were arbitrary about case, hence an inbound request in lowercase will go through ok but response headers and payloads may contain the URL in uppercase. Apache mod_proxy appears, from our experience, to handle this somehow, I assume by checking each response URL against all paths listed for proxying. Our Apache reverse proxy lists each path as lower and upper case and we have not had a problem. This is the same problem as "Response Payload Rewriting Generally" applied to header rewriting. Current thinking is to add an option "ProxyPassURLDownCasing" to invoke down-casing of all URL path elements before checking and rewriting. The option needs to be settable per pool, so the option value would probably be a list of pools.
Code Sharing

I haven't implemented the latter two items yet, but I'm happy to provide the modified iRule code once I have if someone can tell me how I can upload it. I don't have any dev points to upload it directly, and I tried posting the first three mods to this iRules forum but exceeded the word count and was rejected.

Thanks.

Implement v2 of Proxy protocol based on TCP
One of our services is hosted in the on-prem datacenter and it requires forwarding the client IP address to the backend pool servers. So I would like to implement v2 of the proxy protocol based on the TCP layer 4 header using iRules. I went through this link, but it has only the v1 implementation: https://devcentral.f5.com/s/articles/proxy-protocol-initiator

Appreciate the help in advance.