-
Replace/Clear X-Forwarded-4 or insert if not existent
Hello, We're using the following script to insert an XFF header. when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] } How do I change it to SET (not insert) a single header? I mean if there is already an XFF, we want to clear it....before inserting our own. Thank you
-
SSL security and Service group selection
Hi, I am currently using a script that redirects incoming requests to specific service groups based on the host and uri. This is used for various stages in our software testing and QA cycle, an excerpt of the script can be found below: # Provides Service Group Selection based on both Host and URI when HTTP_REQUEST {…
-
aFleX to send traffic to a multiple pool based on the hostname and redirect to U
How to send the traffic to multiple pools based on hostname and redirect URI to path. I am trying the below script but it is not working. Can someone tell me a working script? when HTTP_REQUEST { if {[HTTP::host] matches "abc.in" and not ([HTTP::uri] starts_with "/abc-api") } { HTTP::redirect "http://abc.in/abc-api/login" pool…
-
aFleX - Request client certificate to authenticate .
It can request authentication key when the url https://meudominio.com/LoginCert or https://meudominio.com/RegisterCert is accessed ? Below is a sample configuration when CLIENTSSL_CLIENTCERT { set client_cert [SSL::cert 0] log local0. "[X509::whole $client_cert]" } when HTTP_REQUEST { if {([HTTP::uri] starts_with…
-
Source IP Load Balancing w/ class-list
################################################### aFleX script to provide Source IP load balancing# decision for a service-group.# (Currently this is not supported with bw-list in ADP)## The class-list for the IP list is called# "cl-ips" (default) and has# to contain the following data:# / # # For example:# 10.10.10.0…
-
Block Exchange ECP externally
I am trying to block Exchange ECP (2013) from external access. I am having issues with the aFlex rule below: when HTTP_REQUEST { if { HTTP::uri] starts_with "/ecp" } { drop } } In the GUI I get a Warning: aFlex syntax error:line 3;"syntax error in expression"Http::url]starts_with "/ecp" ":variable ref.."" What have done…
-
Edit aFlex redirect rule to play a bit nicer with URL
Hello, I am hoping there is an aFlex solution for what I'm trying to do - I currently have an aFlex rule that is: when HTTP_REQUEST { if { not([HTTP::host] equals "www.mydomain.com")} { HTTP::respond 301 "Location" "http://www.mydomain.com" } } Basically saying that if the user does not type www., a hard redirect will…
-
Can I refer to an ACL within an aFlex?
Hi there, I have two pools that should explicitly be used depending on the clients' source IP addresses, and this already seems to work with the following aFlex example: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } { pool POOL1 } else { pool POOL2 } } The problem is, that we have multiple…
-
Controlling against the specific DNS query
Hi All, I have one private DNS server in internal area and one ACOS device. All of traffic destined to ACOS device. I am looking for how to control the DNS request query to the public DNS in the internet. Drop the query from internal to internet and then show the internal user the warning page or redirect the query to…
-
HTTPS Rewrite Failing
Hi, I'm trying to enable the following Aflex script to rewrite all HTTP responses from the web server to HTTPS. I keep getting a syntax error from the A10 on the line with "if {([HTTP::header "Location"] starts_with....". Can someone please help? when HTTP_REQUEST { # Force servers to not reply with compression…
-
Session Throttling / Bandwidth Limiting
Looking for some feedback on how we can throttle sessions per source and at the same time control bandwidth per session. Here is what we are thinking.. Session Throttling / QoS (files.xyz.com) - (Bandwidth Pool) Limit bandwidth to 150Mbps all servers in group - (Per Session) Limit 2Mbps per session with burst to 5Mbps - (Per…
-
TCP redirect
Hi, Is it possible to perform a tcp port redirect? For example, traffic arrives at a VIP on port 80 and will then be redirected to the servers on port 10000? Can something like this be realised using aflex?
-
aFleX GitHub Repository
You can now also find aFleX examples on GitHub, which makes it even easier for you to use and add, just fork and pull! :)
-
Redirect HTTP to HTTPS and maintain original URL
Posted by kberton If you have a need to redirect all incoming HTTP requests to a Vport to HTTPS *and* also maintain the original URL info, then it can be done easily using aFlex. #redirect to HTTPS #maintain original host and uri when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
-
add URI to request
How do I add a URI suffix to an HTTPS request using aFlex? https://domain.com (add /page/page1.htm) https://domain.com/page.page1.htm
-
Copy X-Forwarded-For into custom header
Hi, Does anyone know if there is a way to copy the source ip from "X-Forwarded-For" into a customer header? We're trying to preserve the true source IP from users after traffic is sent to our A10 from a proxy firewall and our application uses a custom header for specific functionality. I'd imagine this is plausible with…
-
aFleX: Brute Force Attack Protection
Hi A10 vADC Community, I would like to share to the A10 vADC community a custom aFleX script created by an A10 SE (Jose S.). This aFleX script mitigates and protects the A10 ADC from BruteForce attacks. This is a very useful script and customizable based on parameter preference. I strongly suggest to implement this script…
-
Force persistence to a server for testing
################################################# # # Test specific server in pool # (c) A10 Networks -- MP # v1 20140128 # ################################################# # # aFleX script that allows you to create easy # persistence to a specific server in a pool. # # To test: http:///test: # To stop: http:///notest # #…
-
making a http site https
Posted by jmaddox is there a "fill in the blank" aflex that can be used to rewrite hardcoded hrefs in ssl offloaded applications?
-
1 VIP to 15 Websites same ports
Currently in the process of implementing A10, to replace our ISA 2006 server. Currently we use 1 external ip address for all our reverse proxied websites. We want to setup one VIP for access to these internal websites. All of these websites go over port 443 or port 80. Some of the websites are on separate servers but a few…
-
NTP Reflection Attack
Hello All, This aflex may be used to protect against a NTP Reflection Attack (CVE-2013-5211). Apply this to the virtual service for NTP, udp port 123. # This aFleX detects and drops the NTP Reflection attack -reject Monlists # Refer to https://www.us-cert.gov/ncas/alerts/TA14-013A when CLIENT_DATA { binary scan…
-
DNS NXDOMAIN Attack Aflex
All, this may be used as a template to protect against DNS NXDOMAIN attacks. The aFlex will dynamically build a table of FQDNs based on observed DNS replies that are 'NXDOMAIN'. Entries are stored for an hour (3600 seconds). Subsequent requests for these FQDNs are blocked. when RULE_INIT { set ::holdtime 3600 } when…
-
variable scopes only for one virtual server or one request
Hello. I want to operate multiple stage environments (development, staging, production) in a partition. For those environments, I want to use same aflex policies as many as possible. I had looked for use following aflex policies. staging_env.tcl when RULE_INIT { set ::global::target_service = "staging_service_80"}…
-
Simple Connection Rate Limit
I'm having some really odd results in using the following aFlex rule. I would expect that the logic would reject inbound requests for a period of 20 seconds following 10 consecutive bad requests. After 5 (not 10) I see the blocks and once the delay time has expired I see the requests fulfilled. However without sending any…
-
"Sorry page" and connection limits
Hello I've been looking into 2 things, the first being a sorry page for when our servers are down and I'd like to have my page in the loadbalancer. Is aflex the best solution to this? To do a simple check if our SGs are down, display sorry page instead? Can the LB display HTML only or is it possible to have an image in…
-
Using array of URLs to block access?
Hello I'm having issues with creating an aflex that has an array of urls that I want to block access to through the AX. I don't know how to handle the array correctly. I want to redirect to the site root whenever someone tries to access these urls. I've tried different variants of this script (that I tried to construct…
-
Selective debug
Hello, I wish to be able to make A10 add debug header information in the response header when I add a certain header in the request. I don't want all the requests to be in debug mode, just the one I send. I ended up with this code: when HTTP_REQUEST { set ::DEBUG 0 # detection debug if { [HTTP::header exists "X-Debug"] }…
-
Determine Source IP and Port
I am totally new to aFlex so naturally, am totally lost. I have a VIP that I want to capture the source IP and Port number. I have some success with the following: when HTTP_REQUEST { HTTP::header insert "X-Forwarded-For" [IP::client_addr] } This gives me the IP but only if it is http, not https (http_request error).…
-
Secure and HttpOnly Cookies
Below is a script to allow a general way to Secure and HttpOnly cookies. It looks at the incoming port and sets Secure & HttpOnly when it's 443 and HttpOnly when it's 80. ################################################### Secure and HttpOnly Cookies# (c) A10 Networks -- MP# v1…
-
Supporting multiple services selective client-ssl and server-ssl w/ single VIP
We have a need to support numerous services behind a single VIP. URL switching makes this fairly easy, however some sites use client-ssl, and other sites use client & server-ssl. What would an effective AFLEX look like to support this SSL-template selection based on specific header content?