-
an example of a DNS external health monitor
Hi, Does anyone have an example of a DNS external health monitor? The monitor should query an A record and check the IP address and provide up/down status based on the IP address matching a given/set IP address. Thanks
-
Safari Prefetch
Is there a way to drop requests with the "Purpose: prefetch" header? These appear to be causing stale requests to iOS browsers.
-
aFlex for log mail from,to, on STARTTLS/TLS mails in ssl-proxy port
Hi, I'm new in this forum and with a10 aFlex. Device: A10 thunder 3030s Os: 2.7.2-P11(build: 77) I've configured a SMTP service in one VIP with two ports: 25 - SMTP 2530 - STARTTLS/TLS (port with ssl-client template in mode ssl-proxy) and (for GDPR law) need to log the ip, mail from, mail to, message id, ip from, vip,…
-
AD group membership determine single factor vs dual factor Auth
I have a site where Active Directory group membership should determine whether users are prompted for single-factor or two-factor authentication. GroupA (single factor) - Windows server group NTML GroupB (two-factor) - RADIUS: duo I imagine there is a way with an aFlex script after primary authentication to query group…
-
slb.aflex.upload not working
Tried various ways with trying to call the api endpoint direct as well as Axios but I cannot update an Aflex rule programmatically. I always get a JSON error ({"code": 1174, "msg": "Invalid JSON document."}}), c:/temp/1.file below is a basic iRule for which I've tried to save also in various encodings, ASCII, UTF-8 etc:…
-
Maintaining client Source ip using Source nat
Hi, Please bear with me, I am new in aflex and need to know if it is possible to maintain the source ip address of the client in Proxy SG bluecoat using sourcenat. Any feedback is highly appreciated. Thanks!
-
Centralized web server log on AX
Posted by ddesmidt A customer just asked me today an interesting question: Instead of looking at the web logs individually on each server, why not using the AX to create the web logs and send these to an external centralized syslog server. Note: They used the w3c format, but actually as you know aFleX is pretty flexible…
-
outbound nat based on IP
I'm trying to configure LLB for ISP links and having some trouble with the outbound NAT. Basically when it goes out ISP1 it should default to NAT pool ISP_C for most users, but when it comes from one range (using individual IP in my testing) it needs to use NAT pool ISP_CTHSE Under my 0.0.0.0 VIP this aflex works: when…
-
Carrier LLB aFlex
Posted by a10jliu We are using AX 3200 for certain ISP as LLB solutions. For LLB we need NAT sticky functionality similar to LSN to make sure certain NAT used during client-> server connections. So we achieve this by defining single IP nat pools and naming them accordingly. Code: when CLIENT_ACCEPTED { #Drop some packet…
-
SNI and AFLEX
Hi all, I have a problem with aflex configured on a VIP with a SNI template applied. On the VIP I have exposed application for domain1 (the default certificate in the SSL template) and 2 services for domain2. SNI template is working fine but now I need to add on the VIP an aflex like this: #Rewrite if {[HTTP::host] matches…
-
Load Balance ADFS Servers
I am struggling with the following. We have two adfs servers adfs1.company.com.au and adfs2.company.com.au. If I access them externally via adfs1.company.com.au or adfs2.company.com.au I can get there. If I try to use adfs.company.com.au externally and hit the service group of SG_ADFS (has adfs1 and adfs2 in it) it never gets…
-
Don't Allow a URL containing an MS-DOS device name
Hi! I would like to use our AX1030 and aFlex to make sure that "Microsoft ASP.NET MS-DOS Device Name DoS"-requests get a 404.5 response. "Microsoft ASP.NET MS-DOS Device Name DoS"-requests have one of the following as a sequence in the URL: AUX CON PRN NUL COM1 LPT1 LPT2 LPT3 COM2 COM3 COM4 Any suggested way to solve this in…
-
ax 2500 lb
Hey guys, I'm a new user with the ax 2500 lb box. I have 2 of them in my company, already configured and everything. Lately we needed to kill the power to move them to some other place and from that point one of the boxes became inaccessible, I can't log in to it but I can use the strange ssh to log in to it, currently I work…
-
AFLEX DEBUG
Hello, I'm working with AFLEX to set some attribute to cookie response, like HttpOnly and Secure. I've used Misha's work with some customization: # aFlex for HttpOnly and Secure # Based on script by Mischa Peters <mpeters AT a10networks DOT com> # A10 Networks. # includes cookie exclusion for CSFR when RULE_INIT { set…
-
One VIP, several websites
Hi all, apologies for cross posting. I think this might get more luck in the AFlex forum rather than the General forum. Can somebody please advise me on the best approaches for the following two scenarios? I can’t figure out whether aflex, http filters, WAF, or a combination of the three are the way to go. Scenario 1: One…
-
aFlex server selection by uri
Hi, I would need to do an aFlex script that would match www.domain.tld/test and then forward traffic only to one server ip-address, instead of loadbalancing with two servers. I have made the following aFlex script: # aFleX script for URL Rewrite# Direct /test to www1 10.0.01#when HTTP_REQUEST {if [HTTP::uri] contains…
-
aflex ip based traffic management
Hi, I'm having a problem with some (basic) aflex traffic redirection on a virtual server that I'm trying to use. I'm trying to match certain subnet ranges of users to a prioritised server pool (sg2-80), but to not prevent them from connectivity if that prioritised pool goes down for some reason, and send the majority of…
-
Cannot get a simple URI redirect working
Hi all, I've been searching through examples on here, the aflex github, the samples on the ACOS device, but just cannot get a simple redirect working with AFlex. Can somebody please point me in the right direction? I'm trying to do the following: The user visits https://hostname.domain.com and the ACOS device redirects them…
-
Detect HTTPS traffic
Hi, I'm after a variable that can differentiate httpS traffic from http traffic. Is this possible with http::host or http::uri? Thanks, William
-
IP::addr and regex
Is it possible to check against client IP using regex? Basically trying to do an aflex ACL to limit IPs for SMTP connections, something similar to this (this isn't working of course) when CLIENT_ACCEPTED { if { not [IP::addr [IP::client_addr] matches regex "^192\.168\.2\.(10[5-7])$"] } { drop } }
-
Using aFlex to generate custom redirect URI
Hello, I would like to use aFlex to re-write a URL redirect using the name of each server in a service group. For example, I have virtual_serverA and multiple serverX (server1, server2, server3, etc.) in a service group. The A10 is configured to actively check the health of these servers. When someone connects to…
-
count source IP with x-forwarded-for
Hi, May I count source IP with x-forwarded-for field by aflex? ex: if one the same source IP connection more than 1000 in one min or 5 min, then log in syslog. I have referred "rate-limit-connection-requests" tcl, like below: when RULE_INIT { set ::MAX_REQUESTS 1000 } when HTTP_REQUEST { if { [HTTP::header exists…
-
Redirect when HTTP_RESPONSE [HTTP::status] contains "200"
I need to set up a script that does redirection when there was status code 200 for the same page with dynamic context for example https://myURL.com/xtyfwdk I set the following script but has error Error : aFleX compile error : line 15: "command is invalid in current event context [ HTTP :: uri ]" used script When…
-
Restrict SMTP to list of allowed IPs
MS Exchange 2007 services under one VIP, on AX 3200-12's in one-arm mode. I want to restrict the SMTP service to allow only a predefined list of client IP addresses or networks to go through. This would match the allow list on the Exchange Server configuration. The reason for this is since the AX's are in one-arm mode…
-
aFLEX for SIP SLB on Code bases
Will this script load balance SIP traffic? If Code 900 send traffic to node x.x.x.17 If code 903 send traffic to node x.x.x.18 Load balance rest of the traffic. when SIP_REQUEST { if { [SIP::to] starts_with "<sip:900" } { node x.x.x.17 } } when SIP_REQUEST { if { [SIP::to] starts_with "<sip:903" } { node x.x.x.18 } }…
-
Reselect rserver depending of the server response URL after a 302
Hello, We have a web server that is configured in a way that, if it detects an internal failure like in the DB, it returns a 302 code redirecting the request to a sorry page in a URL format http://<domain>/error I need to create a script or maybe a healthcheck that allows me to detect that response, and then reselect…
-
Control recursive DNS queries
Hi all, I'm wondering if/how in aFlex I might be able to allow or deny recursive DNS queries based off a source IP list. For example, if a remote IP not on the list has the recursive bit set in the query, the A10 will block the query outright instead of forwarding it to the DNS server.
-
Server response redirected to other port.
Our team is looking for an aflex code that can rewrite the server response. What we want to achieve in this aflex is to redirect first the traffic response from the server to 192.168.10.1:3013 for authentication login then after user successfully login redirect again to the other port 192.168.10.1:2011 which is the main…
-
aFleX for cookies httponly with one exception
Hello, I need to make a script aFleX for cookies with flag HTTPonly with one exception for cookie with name LID. I tried to use aFleX like below: when HTTP_RESPONSE { if {([HTTP::header exists "Set-Cookie"] and [HTTP::cookie contains "LID"])} { set cookie_value [HTTP::cookie "TestCookie1"] HTTP::cookie remove "TestCookie1"…
-
Restrict Access to particular URLs
I am looking at the best way to only allow access to particular URLs on a VIP. One way I thought of was to use an aFlex script to allow/deny access. I have not found any specific scripts to do this, but I have found some for other providers. I am looking for the best most efficient way for latency/system resources to…