Archive

Category: F5

Cache-control

Some background (taken from Wikipedia):-

HTTP header fields are components of the message header of requests and responses in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction. Cache-Control is one of these header fields, and because the F5 is the device issuing the redirect, we need to take this field into account with the IE 10 rollout.

General format:- The header fields are transmitted after the request or response line, which is the first line of a message. Header fields are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. The end of the header fields is indicated by an empty field, resulting in the transmission of two consecutive CR-LF pairs. Long lines could historically be folded into multiple lines; continuation lines are indicated by a space (SP) or horizontal tab (HT) as the first character of the next line. RFC 7230 has since made this folding obsolete (a sender must not generate it), but a parser may still meet it, and header names are case-insensitive, so "cache-control" and "Cache-Control" are the same field.

For more details, see http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Problem Description:-

With the rollout of IE 10 to our project workstations we encountered a problem with the redirection performed on the F5 LTM. After opening the website in one window, opening another tab and typing the same website address froze the browser, and no redirection occurred.

Solution:-

After a lot of investigation and discussion with F5 and Microsoft experts, we finally agreed on the fix: to prevent this we need to add a Cache-Control HTTP header with the value "no-cache" to the redirect response.

Current iRule:

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            HTTP::respond 301 "Location" "http://www.afrozahmad.com/en/Pages"
        }
    }
}

Modified iRule:- We have added Cache-Control "no-cache" to the HTTP::respond call. A 301 response is cacheable by default, so without this header the browser may replay the cached redirect on its own instead of asking the F5 again; "no-cache" forces it to revalidate on every request. If the redirect target may change later, a 302 or 307 (which browsers do not cache by default) is the safer status code.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            # Cache-Control: no-cache makes the browser revalidate the redirect
            # on every request instead of replaying a cached 301
            HTTP::respond 301 "Location" "http://www.afrozahmad.com/en/Pages" "Cache-Control" "no-cache"
        }
    }
}
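As an added example (this is not code from the original post or from F5), here is a small Python parser for the response-header format described in the background section above, together with a check that a permanent redirect carries the Cache-Control header this post adds. The three raw responses are constructed to mirror the "before" and "after" iRules; only the header names and the Location value come from the page.

```python
"""Parse raw HTTP/1.x response headers and check a redirect for Cache-Control.

Added example, not part of the original post. The responses below are
constructed test data mirroring the iRules above.
"""

# Constructed sample: what the original iRule sent (no Cache-Control).
BEFORE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.afrozahmad.com/en/Pages\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: what the modified iRule sends.
AFTER = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.afrozahmad.com/en/Pages\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample with an obsolete folded header line (leading HT).
FOLDED = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: http://www.afrozahmad.com/\r\n"
    b"Cache-Control: no-cache,\r\n"
    b"\tmax-age=0\r\n"
    b"\r\n"
)


def parse_response_head(raw: bytes):
    """Split a raw response into (status_code, headers) following the format
    described above: a status line, CRLF-terminated 'Name: value' lines and an
    empty line closing the block. Names are case-insensitive and are lower-cased;
    repeated headers are joined with ', '; obs-fold continuation lines (leading
    SP or HT) are appended to the previous value."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_reason = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("bad status line: %r" % lines[0])
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # obs-fold continuation of the previous field
            if last is None:
                raise ValueError("continuation line before any header")
            headers[last] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("header line without colon: %r" % line)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = (headers[name] + ", " + value) if name in headers else value
        last = name
    return int(code), headers


def cache_directives(headers):
    """Return the set of Cache-Control directive names (lower-cased, no values)."""
    value = headers.get("cache-control", "")
    return {d.split("=", 1)[0].strip().lower() for d in value.split(",") if d.strip()}


def check_redirect(raw: bytes):
    """Return a list of findings for a redirect response; an empty list means OK.
    A 301/308 is cacheable by default, so a redirect that must be re-evaluated on
    every request has to say so explicitly with no-cache or no-store."""
    code, headers = parse_response_head(raw)
    findings = []
    if code not in (301, 302, 303, 307, 308):
        findings.append("not a redirect status: %d" % code)
    if "location" not in headers:
        findings.append("redirect without Location header")
    if code in (301, 308) and not (cache_directives(headers) & {"no-cache", "no-store"}):
        findings.append("permanent redirect without no-cache/no-store; browsers will cache it")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("folded", FOLDED)):
        print(label, check_redirect(raw) or "OK")
```

Feed it a real response captured with curl -i or a packet capture against the virtual server and it will tell you whether the header actually reached the client (an upstream cache or a second device can strip or override it).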


Useful Sites for more information:-

http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13244.html?sr=38385738 > Overview of RAM cache

http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10200.html?sr=38385738 > Clearing ram cache entries

http://www.mobify.com/blog/beginners-guide-to-http-cache-headers/  > A Beginner Guide to HTTP Cache headers

http://condor.depaul.edu/dmumaugh/readings/handouts/SE435/HTTP/node24.html

Automatic backup script for F5 LTM

Recently I faced some challenges in creating an "automatic backup script" for F5 LTM, mainly because I am not a regular scripting guy, and F5 TAC doesn't support these kinds of things. I was initially shocked when I heard from F5 TAC that they cannot do such scripting and that the only forum where I can get any help is the F5 DevCentral community. Although I posted my query there and a few people tried to help me, in the end it was not fruitful at all. So I thought of sharing my experience here, so that people can benefit from it and not face unnecessary hassle.

This backup is used to recover the device after a complete crash.

These are the three kinds of files you get, with the date appended after your device hostname, once the script is running successfully.

(Screenshot: the three backup files on the FTP server)

Important points to consider when you make your own backup script:-

1. Do not use Windows Notepad to edit this script. Notepad writes CRLF line endings, and the shell on the BIG-IP then sees a stray carriage return at the end of every line, which breaks the script in confusing ways. This is a shell script, so use the vi editor on the device to edit it.

2. After editing, use WinSCP to upload or download files to and from the F5 LTM.

3. Transfer the script with WinSCP into "/etc/cron.daily" if you want a daily backup; otherwise use one of the other "/etc/cron.*" directories for a different schedule.

4. Now log in to the F5 LTM CLI and type "cd /etc/cron.daily" to get into that directory. "ll" lists the files in it.

5. Run "sh -x backup_cron_scriptv10.sh" to check for errors; if any appear, read the output carefully. To change anything in the script, type "vi backup_cron_scriptv10.sh" to open it in vi. You can find vi commands online; "i" enters insert mode and ":wq" saves and quits.

6. If the script runs well, you will see all three files on your FTP server. cron only runs files in that directory that are executable, so make it executable with "chmod 700 backup_cron_scriptv10.sh". Do not use 777: the script runs as root and contains the FTP password, so it must not be writable or readable by any other user.

Below is the script; you only need to edit the FTP IP address, username and password for your environment. Keep in mind that plain FTP sends both the credentials and the archives in cleartext, and a UCS contains the device's private SSL keys and configuration secrets, so the FTP server must sit on a trusted management network. The safer option is to replace the ftp block with scp or sftp to a key-authenticated account on the backup host.

#!/bin/bash
# Automatic Backup Script for F5 LTM V10 "backup_cron_scriptv10.sh"
# Author "Afroz Ahmad"
date

# 1. Save the running configuration into a UCS archive (bigpipe, v10 syntax)
b config save /var/tmp/BIG-IP_backup.ucs
a=$(date +"%y%m%d")
aa="$HOSTNAME.$a.ucs"
b="/var/tmp/$aa"
mv /var/tmp/BIG-IP_backup.ucs "$b"

# 2. Archive the SSL certificates and keys separately
tar -cf /var/tmp/certs.tar /config/ssl
ff="$HOSTNAME.$a.certs.tar"
f="/var/tmp/$ff"
mv /var/tmp/certs.tar "$f"

# 3. Copy the crontab
c="$HOSTNAME.$a.crontab"
cc="/var/tmp/$c"
cp /etc/crontab "$cc"

# FTP server details: edit these for your environment
MName=192.168.0.1
MDir=/F5/
Log=/var/tmp/log.bigip

UserName=admin
UserPassword=password

Machine1f2=$aa
Machine1f3=$c
Machine1f4=$ff

# 4. Upload the three files; stdout and stderr of ftp both go to the log file
ftp -nvd "${MName}" > "${Log}" 2>&1 <<END
user ${UserName} ${UserPassword}
bin
dir
put ${b} ${MDir}${Machine1f2}
put ${cc} ${MDir}${Machine1f3}
put ${f} ${MDir}${Machine1f4}
quit
END
RTN_CODE=$?    # exit status of ftp, captured before the cleanup below overwrites $?

# 5. Remove the local copies (they contain private keys; do not leave them in /var/tmp)
rm -f "${b}" "${cc}" "${f}"

exit $RTN_CODE


URI redirection with iRules

Let's start with the difference between a URL and a URI, as the terms are used in iRules.

URL – http://afrozahmad.com/some/page.html

URI – /some/page.html

Strictly speaking every URL is a URI. A URL is the full identifier of a resource anywhere: it carries the scheme, which can be http, https, ftp, scp and so on, the host, and the path.

What [HTTP::uri] returns in an iRule is only the part of the request line after the host, that is the path plus any query string (for example /some/page.html?id=1), interpreted relative to the host the request was sent to, which [HTTP::host] returns separately. [HTTP::path] returns the same without the query string.

There are several ways of implementing URI redirection with an iRule; three of them are discussed here:-

1. This method is widely used, although sometimes it does not work; try method 2 in that case. A common reason it fails is that switch -glob compares each pattern against the whole of [HTTP::uri], which is case-sensitive and includes the query string, so "/colorctrl?lang=en" or "/ColorCtrl" do not match the pattern "/colorctrl". Matching on "/colorctrl*", or on [string tolower [HTTP::path]], avoids that.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "www.afrozahmad.com" {
            switch -glob [HTTP::uri] {
                "/colorctrl" {
                    HTTP::respond 301 "Location" "http://www.afrozahmad.com/en/services/Pages/default.aspx"
                    # log local0. "***[IP::client_addr]:[TCP::client_port]:[HTTP::host]:[HTTP::uri]***"
                }
            }
        }
    }
}

2. This method seems more logical, as it has many string operators to play with. The branches must be chained with elseif so that exactly one HTTP::respond runs per request: with two separate if statements followed by an else, a request for "/paper" would trigger the first redirect and then the else branch as well, and a second response on the same request is an error.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            # if / elseif / else: only one branch, and so only one response, per request
            if { [HTTP::uri] eq "/paper" } {
                HTTP::respond 301 "Location" "http://www.afrozahmad.com/paper"
            } elseif { [HTTP::uri] eq "/papers" } {
                HTTP::respond 301 "Location" "http://www.afrozahmad.com/papers"
            } else {
                HTTP::respond 301 "Location" "http://www.afrozahmad.com"
            }
            #log local0. "***[IP::client_addr]:[TCP::client_port]:[HTTP::host]:[HTTP::uri]***"
        }
    }
}

In the iRule above we used "eq", which is an exact match. "starts_with" matches a prefix and "contains" matches a substring anywhere in the value; all three are case-sensitive, so lower-case the input first with [string tolower ...] if the match should ignore case.

3. In this method, instead of HTTP::respond 301 "Location", we use HTTP::redirect, which sends a 302 with the given Location. Note that this form copies the client's Host header straight into the Location; use it only on a virtual server that serves known hosts, or check [HTTP::host] first as the previous methods do.

when HTTP_REQUEST {
    if { [HTTP::uri] contains "papers" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
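To try redirect rules before they go onto a virtual server, here is an added Python model of the decision logic in the three methods above (example code, not F5's and not an iRule interpreter): it mimics the host normalisation done by [string tolower [HTTP::host]], the Tcl match operators used on this page (switch -glob via fnmatch, eq, starts_with, contains), and first-match-wins evaluation so that one request yields one response. The rule table and the test requests are constructed from the hosts and paths on this page; the port stripping and the use of the path without the query string are choices of the example.

```python
"""Offline model of the iRule redirect logic on this page.

Added example, not F5 code. The operators mimic Tcl's 'switch -glob', 'eq',
'starts_with' and 'contains'; the hosts, paths and targets are constructed
from the iRules above.
"""
from fnmatch import fnmatchcase


def normalize_host(host):
    """Mirror [string tolower [HTTP::host]] and also drop a ':port' suffix, which
    the literal host patterns on this page would otherwise fail to match."""
    host = host.strip().lower()
    if host.startswith("["):                 # IPv6 literal: keep the bracketed address
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


# Match operators as used on this page; all are case-sensitive, like Tcl's.
OPERATORS = {
    "glob": lambda value, pattern: fnmatchcase(value, pattern),   # switch -glob
    "eq": lambda value, pattern: value == pattern,                 # exact match
    "starts_with": lambda value, pattern: value.startswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}

# (host, operator, path pattern, Location). Ordered: the first match wins.
RULES = [
    ("www.afrozahmad.com", "glob", "/colorctrl*",
     "http://www.afrozahmad.com/en/services/Pages/default.aspx"),
    ("afrozahmad.com", "eq", "/paper", "http://www.afrozahmad.com/paper"),
    ("afrozahmad.com", "eq", "/papers", "http://www.afrozahmad.com/papers"),
    ("afrozahmad.com", "glob", "*", "http://www.afrozahmad.com"),
]


def request_path(uri):
    """What [HTTP::path] would give: the URI without its query string."""
    return uri.split("?", 1)[0] or "/"


def decide(host, uri, rules=RULES):
    """Return the Location of the first matching rule, or None when the request
    should be passed to the pool. Evaluating rules in order and stopping at the
    first hit is what if/elseif/else gives the iRule: never two responses."""
    host = normalize_host(host)
    path = request_path(uri)
    for rule_host, op, pattern, target in rules:
        if host == rule_host and OPERATORS[op](path, pattern):
            return target
    return None


if __name__ == "__main__":
    # Constructed requests, including the cases that defeat a bare "/colorctrl" pattern.
    for host, uri in (("www.afrozahmad.com", "/colorctrl?lang=en"),
                      ("WWW.AFROZAHMAD.COM:8080", "/colorctrl/"),
                      ("afrozahmad.com", "/paper"),
                      ("afrozahmad.com", "/anything/else"),
                      ("other.example.com", "/paper")):
        print("%-26s %-20s -> %s" % (host, uri, decide(host, uri)))
```

Extending the table and re-running the checks is much cheaper than editing a live iRule; once the table does what you expect, translate it back into switch or if/elseif blocks.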

Let's do some SSL offload on F5 LTM.

SSL Offload

SSL offloading relieves a Web server of the processing burden of encrypting and/or decrypting traffic sent via SSL, the security protocol that is implemented in every Web browser. The processing is offloaded to a separate device designed specifically to perform SSL acceleration or SSL termination.

BIG-IP Local Traffic Manager with the SSL Acceleration Feature Module performs SSL offloading.

Introduction

The BIG-IP provides two ways in which SSL is processed. These are:

Client SSL – the BIG-IP decrypts the encrypted traffic inbound from the client.
Server SSL – traffic is re-encrypted by the BIG-IP before it is sent on to the backend servers.

There are a number of advantages to SSL termination on the F5, which are:

  1. It allows iRule processing and cookie persistence, since the BIG-IP sees the decrypted HTTP.
  2. SSL traffic is offloaded from the web servers.
  3. SSL key exchange and bulk encryption are performed by a single piece of BIG-IP hardware rather than needing additional hardware in each web server.
  4. Centralized certificate management.

Configuration

Client SSL

Configuring Client SSL consists of 3 steps.

  1. Import or generate the SSL certificate and key
  2. Configure the client SSL profile
  3. Configure the virtual server

1a. Certificate (Import)

  1. Goto ‘Local Traffic | SSL Certificates | Import’.
  2. Select Certificate as the Import Type.
  3. Configure the Certificate Name.
  4. Upload the certificate within the certificate source section.
  5. Click Import.

Note : Certificates should be in Base-64 encoded (PEM) format. A .crt file is fine as long as its contents are PEM; the extension does not matter. This is the usual case when copying a certificate from one F5 and installing it on another.

Keys are imported in the same way.

We only need to set "Import Type" to "Key" and import the key from the local computer. Treat that key file as a secret: keep it off shared drives and delete the local copy once the import has succeeded.

1b. Certificate (Generate) — this is for generating a CSR for a CA, or a self-signed certificate.

  1. Go to ‘Local Traffic | SSL Certificates | Create’.
  2. Within the General Properties section enter the name and then complete the Certificate Property fields.
  3. Click finished.

Note : Certificates and keys are synchronized between the units of a redundant pair (config sync).
Note : The locations of the certificates and keys on the file system are:

Certificates: /config/ssl/ssl.crt/
Keys:          /config/ssl/ssl.key/

2. Configure Profile

Next we need to configure the client SSL profile.

  1. Go to 'Local Traffic | Profiles | SSL | Client | Create'
  2. Within General Properties enter the Name, select clientssl as the Parent Profile and tick Custom.
  3. Within the Configuration section select the Certificate and Key.
  4. Click Finished.

3. Configure the Virtual Server

  1. Within the necessary Virtual Server under SSL Profile (Client) select the previously created profile.
  2. Also choose HTTP Profile as “http”.
  3. Select “None” for ” SSL Profile (Server) “

Don't skip this: having SSL termination enabled on this virtual server is not enough; you still need to point it at the correct pool. If you are editing an existing virtual server, it is probably pointing at a pool of servers on port 443. The servers would then receive plaintext HTTP on their TLS port; Apache, for example, answers that with an error page, refusing to serve plain HTTP on port 443. To fix this (or to set it up if this is a new virtual server), click the "Resources" tab of the virtual server.

Under the "Load Balancing" section, select the same "Default Pool" as your HTTP virtual server uses. Both the plain HTTP traffic and the traffic that was HTTPS on the client side then arrive on the same plaintext port of your backend servers.

Server SSL

If Server SSL (re-encryption towards the servers) is required, select the serverssl profile from the SSL Profile (Server) drop-down within the virtual server. In that case the pool members must listen on their TLS port (typically 443), not on the plaintext port used for offload.
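The "don't skip this" mistake above is easy to catch before anything goes live. The following added Python lint (example code, not F5 software; the configuration is a simplified dictionary model constructed here, not bigip.conf syntax) checks a virtual server's combination of client SSL profile, server SSL profile, HTTP profile and pool member ports against the rules described in this section: terminate TLS and you must send plaintext to a plaintext port; re-encrypt and the members must be on a TLS port; an HTTP profile only makes sense where the BIG-IP can see decrypted HTTP, which is also what iRules and cookie persistence need. The virtual server and pool names are assumptions.

```python
"""Lint virtual-server / pool combinations for SSL-offload mistakes.

Added example, not F5 code. Virtual servers and pools are modelled as plain
dicts constructed below; names and addresses are assumptions.
"""


def member_ports(pool):
    """Set of TCP ports the pool members listen on ('ip:port' strings)."""
    return {int(m.rsplit(":", 1)[1]) for m in pool["members"]}


def lint(vs, pools):
    """Return a list of findings for one virtual server; empty means consistent."""
    findings = []
    pool = pools.get(vs.get("pool"))
    client_ssl = vs.get("client_ssl")
    server_ssl = vs.get("server_ssl")
    http_prof = vs.get("http_profile")
    ports = member_ports(pool) if pool else set()
    if pool is None:
        findings.append("no default pool: nothing behind the virtual server")
    if client_ssl and not server_ssl and 443 in ports:
        # The Apache error page described above: plaintext HTTP sent to a TLS port.
        findings.append("terminates TLS but pool members listen on 443: "
                        "they would receive plaintext HTTP on a TLS port")
    if client_ssl and not http_prof:
        findings.append("clientssl without an http profile: HTTP_REQUEST iRules "
                        "and cookie persistence cannot run")
    if not client_ssl and vs["port"] == 443 and http_prof:
        findings.append("http profile on a port-443 virtual server without clientssl: "
                        "the profile cannot parse TLS records")
    if server_ssl and 80 in ports:
        findings.append("serverssl re-encrypts towards members on port 80")
    return findings


# Constructed pools: the same servers on their plaintext and TLS ports.
POOLS = {
    "pool_web_80": {"members": ["10.0.1.11:80", "10.0.1.12:80"]},
    "pool_web_443": {"members": ["10.0.1.11:443", "10.0.1.12:443"]},
}

# Constructed virtual servers: the pitfall from this section, its fix, and two valid alternatives.
VS = [
    {"name": "vs_web_https_offload", "port": 443, "client_ssl": "clientssl_web",
     "server_ssl": None, "http_profile": "http", "pool": "pool_web_443"},
    {"name": "vs_web_https_offload_fixed", "port": 443, "client_ssl": "clientssl_web",
     "server_ssl": None, "http_profile": "http", "pool": "pool_web_80"},
    {"name": "vs_web_https_reencrypt", "port": 443, "client_ssl": "clientssl_web",
     "server_ssl": "serverssl", "http_profile": "http", "pool": "pool_web_443"},
    {"name": "vs_web_passthrough", "port": 443, "client_ssl": None,
     "server_ssl": None, "http_profile": "http", "pool": "pool_web_443"},
]


def lint_all(vs_list=VS, pools=POOLS):
    """Lint every virtual server; returns {name: [findings]}."""
    return {v["name"]: lint(v, pools) for v in vs_list}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(name, "->", findings or "OK")
```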

Getting Started

I have been doing F5-related tasks for a long time but never put them on my blog; I have now decided to place all my F5 learnings in a separate category, F5.

F5’s BIG-IP product family comprises purpose-built hardware, modularized software, and virtualized solutions that run the F5 TMOS® operating system. Depending on the appliance selected, one or more BIG-IP product modules can be added to a BIG-IP device to deliver multiple networking functions on a single, unified platform.

In short, the main task of the F5 BIG-IP LTM is load balancing: when a server goes down or becomes overloaded, it directs traffic away from that server to other servers that can handle the load, alongside many additional functions. For those not familiar with Big-IP load balancer administration, most of the configuration is done via a web interface reachable at the device's IP address (https://ipaddress).

(Screenshot: the Big-IP administrative interface)

The Big-IP Administrative interface

The navigation for the site is located in the left-hand column.

HTTP to HTTPS redirection

As the title says, we are going to perform HTTP to HTTPS redirection.

Description:- Redirects all traffic to the same hostname and the same URI over HTTPS by issuing a redirect with status 301 (Moved Permanently). You can change the status code to 302 to issue a redirect that browsers do not cache by default.

Apply it to the HTTP virtual server to redirect all traffic to the same hostname (stripping the port if one is present) and the same URI over HTTPS. Do not apply it to a shared/wildcard virtual server that also answers HTTPS traffic, or an infinite redirect loop will occur: every HTTPS request would be answered with another redirect to itself. Create separate virtual servers on port 80 and port 443, and apply this iRule ONLY to the port 80 HTTP-only virtual server. No iRule is needed on the port 443 HTTPS virtual server.

Let's start by creating the iRule. iRules are written in Tcl.

Lines starting with # are comments and are not executed, so they can be used for descriptions.

#
# sharepoint_apps
#
# Virtual Server: sharepoint_apps_http
#
# Forces users to use HTTPS instead of HTTP
#
# Created 20131220 by Afroz
#
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::host]] {
        "afrozahmad.com" {
            HTTP::respond 301 "Location" "https://afrozahmad.com[HTTP::uri]"
            log local0. "***[IP::client_addr]:[TCP::client_port]:[HTTP::host]:[HTTP::uri]***"
        }
    }
}

The above iRule is simple: it instructs the F5 to redirect traffic arriving for http://afrozahmad.com to https://afrozahmad.com, keeping the original URI. The "log local0." line writes the client IP address, TCP port, HTTP host and URI of every redirected request to the local log (/var/log/ltm); that is useful while testing, but on a busy site comment it out afterwards, as one log line per request adds up quickly.

Note:- The iRule has to be attached to a virtual server; in the above case it should be applied to the "http" (port 80) virtual server. An iRule does nothing until it is applied to a virtual server.
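The infinite-redirect warning above is worth seeing rather than reading about. The following added Python simulation (example code, not F5's, and not an iRule interpreter) models the decision the iRule makes as a function, stands in a port 80 virtual server and two variants of the port 443 virtual server, one without the iRule and one with it wrongly attached, and follows the redirect chain from a constructed request, detecting a loop as soon as a URL repeats. The host name is the one the iRule on this page matches; the port stripping mirrors the description above.

```python
"""Simulate the HTTP-to-HTTPS redirect and the infinite-redirect loop
caused by attaching the iRule to the HTTPS virtual server as well.

Added example, not F5 code. The 'virtual servers' are Python functions
applying the iRule's decision to constructed requests.
"""
from urllib.parse import urlsplit

HOST = "afrozahmad.com"   # the host the iRule on this page matches


def strip_port(host):
    """[HTTP::host] may carry ':port'; the comparison and the Location use the bare name."""
    return host.split(":", 1)[0].lower()


def redirect_irule(host, uri):
    """The iRule's decision: (301, location) for our host, else None (go to the pool)."""
    if strip_port(host) == HOST:
        return 301, "https://%s%s" % (HOST, uri)
    return None


def vs_http(host, uri):
    """Port 80 virtual server with the iRule attached (the correct placement)."""
    return redirect_irule(host, uri) or (200, None)


def vs_https_ok(host, uri):
    """Port 443 virtual server without the iRule: content is served."""
    return (200, None)


def vs_https_wrong(host, uri):
    """Port 443 virtual server with the iRule wrongly attached as well."""
    return redirect_irule(host, uri) or (200, None)


def follow(url, servers, max_hops=10):
    """Follow redirects through the virtual servers, keyed by URL scheme.
    Returns (final_url, hops); raises RuntimeError on a loop or too many hops."""
    seen = set()
    hops = 0
    while True:
        if url in seen:
            raise RuntimeError("redirect loop at %s after %d hop(s)" % (url, hops))
        seen.add(url)
        parts = urlsplit(url)
        uri = parts.path + ("?" + parts.query if parts.query else "")
        status, location = servers[parts.scheme](parts.netloc, uri)
        if status != 301:
            return url, hops
        hops += 1
        if hops > max_hops:
            raise RuntimeError("more than %d redirects" % max_hops)
        url = location


def loops(url, servers):
    """True when following the redirects from url never reaches content."""
    try:
        follow(url, servers)
        return False
    except RuntimeError:
        return True


CORRECT = {"http": vs_http, "https": vs_https_ok}      # iRule on port 80 only
WRONG = {"http": vs_http, "https": vs_https_wrong}     # iRule on both virtual servers

if __name__ == "__main__":
    start = "http://afrozahmad.com:80/en/Pages?x=1"     # constructed request
    print("correct:", follow(start, CORRECT))
    print("wrong  :", "loop detected" if loops(start, WRONG) else "no loop")
```

The same walker, with the server functions replaced by real HTTP requests, is a quick post-change check for any redirect iRule: it should reach a 200 within one hop and never revisit a URL.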