-
Supporting multiple services selective client-ssl and server-ssl w/ single VIP
We have a need to support numerous services behind a single VIP. URL switching makes this fairly easy, however some sites use client-SSL, and other sites use client & server-SSL. What would an effective aFleX look like to support this SSL-template selection based on specific header content?
-
Supporting two services on same VIP and Host Port
Hello, I have a server running two web-based services, both on port 443. I'm using host headers to differentiate between the two. We have a need to add a second server for redundancy purposes. I'm curious which of the following (or some other I'm not thinking of?) methods would be better: A) Have both URLs go to one A10 VIP…
-
Multiple health-checks, compound with priority?
I would like to set up health-checks for several URLs per real-server, and I understand I can do this with compound checks. However, if one of the URLs fails on all real servers I don't want the entire website to go down. Is there some way to get one health-check per URL, and if one URL fails you lower the priority on the…
-
Routing in one-arm mode?
Hi folks. I have a couple of AX3200s in HA active-passive mode, with several partitions. In one partition "test" I want it to have a connection to two different VLANs - EG. VLAN1 10.0.1.0 and VLAN2 10.0.2.0. I added a default route for 0.0.0.0/0.0.0.0 to VLAN1 gateway 10.0.1.1. Should I add other specific routes for both…
-
Clearing sessions
Does anybody know how to clear sessions for a specific port on a server within a service group?
-
CPU Monitoring with Collectd
Here is my collectd cfg to get CPU data of an AX. You can use it to graph it with graphite. my_types.db: a10_cpu lambda:GAUGE:0:100 a10-snmp.conf: # A10 CPU SNMP Checks # Type "cpu" Table false Instance "mgmt" Values "iso.3.6.1.4.1.22610.2.4.1.3.6.1.3.0.5" Type "cpu" Table false Instance "data_1" Values…
-
Inserting the client certificate in a header
When you need the client certificate on the real server: when CLIENTSSL_CLIENTCERT { set cert [SSL::cert 0] session add ssl [SSL::sessionid] $cert}when HTTP_REQUEST { set cert [session lookup ssl [SSL::sessionid]] regsub -all {([\\-]+(BEGIN|END) CERTIFICATE[\\-]+)|\n} [X509::whole $cert] {} chdr HTTP::header insert…
-
Certificate Selection with Class-List (Alternative to SNI)
Server Name Indication is a feature in 2.7 that allows you to simplify your config by defining only one HTTPS VIP, but serving multiple certificates for different domains from this same VIP address. SNI is not supported on older browsers however. An alternative to using SNI is to use multi-domain certificates, which have…
-
Sorry page based on number of users
In 2.7.0-P1 a new command has been introduced to aFleX: persist size uie [global]. If global is specified, the number of persistent entries in the entire partition is returned. This means you can, for example, generate a sorry page based on the max number of active users you want to allow. For example: when HTTP_REQUEST { set…
-
Generating an empty gif
When you have a need for an empty gif to be generated. Unfortunately I am not able to post the actual code, but you can find it here: http://high5.nl/paste/view/93274853
-
Block DNS queries with class-list
When you want to reject or drop queries to a certain domain. The class-list: class-list cl-dns string str .example.tld dropstr .example2.tld drop! The aFleX: when DNS_REQUEST {if {!([DNS::question name] equals ".")} { set fqdn .[DNS::question name]}if { [CLASS::match $fqdn ends_with cl-dns] } { drop log local0.INFO…
-
Form Authentication with class-lists
If you want to use aFleX for Authentication and have an external store for users. class-list passwords string str user1 d154c51df37bd33b29cec5aa51efd29f5a6a6f1e! when RULE_INIT { set ::AUTHENTICATED "no" set ::FORM_CONTENT "AuthenticationPlease AuthenticateUsername:Password: "}when HTTP_REQUEST { set client_ip…
-
Drop certain DNS queries (ANY and RD)
When you don't want to allow certain DNS queries to be sent to the DNS server. when RULE_INIT { set ::DEBUG 0}when DNS_REQUEST { if { $::DEBUG == 1 } { log "Question: name: [DNS::question name] - type: [DNS::question type] - Query ID: [DNS::header id] - RD: [DNS::header rd]" } if { [DNS::question type] eq "ANY" } { if {…
-
Basic HTTP Authentication w/ class-list
################################################# # # aFleX script to provide Basic HTTP Authentication # without the need for an external database. # # The class-list for authentication is called # "cl-passwords" (default) of type "string" and has # to contain the following data: # str # # For example: # str user1…
-
Port translation for multiple hosts behind single VIP
################################################### aFleX script to provide API port translation.## Requires real servers and ports to be configured# and to be member of a service-group.# On the VIP it needs a VPORT 0 TCP##################################################when RULE_INIT { set ::DEBUG 0 set ::REALPORT…
-
Traffic Steering on Radius Attributes
################################################### aFleX script to provide Header Enrichment for# the purpose of policy based Traffic Steering. # # This comes in 2 parts.# 1) Script that is bound to a RADIUS VPORT.# 2) Script that is bound to a HTTP VPORT.#################################################### VPORT:…
-
Smart LB to Caches v2
################################################### aFleX script for host based cache selection.## Contents of the array ::CACHEURLS needs to be in# the form:# "" ""## For example:# "youtube.com" "cache_group2"##################################################when RULE_INIT { set ::DEBUG 0 array set ::CACHEURLS {…
-
Bash Hacking – F5 Nodes to A10
Here is my little script which is used to migrate a few hundred servers from our F5 BIG-IPs to A10. It's really simple and not very smart but it works for us. It doesn't care about the health check and just uses ping and it can't handle multiple ports... It also assumes that every server has a reverse lookup. If you don't…
-
Log HTTP Status Codes (for Example 404)
A little iRule which is helping me spot errors while migrating configs to A10.
when HTTP_REQUEST {
    set object "[HTTP::host][HTTP::path]"
}
when HTTP_RESPONSE {
    if { [HTTP::status] eq "404" } {
        log local0. "404: ${object}"
        # Just to be sure....
        unset object
    }
}
-
LB decisions based on SSL CA and Common Name
################################################### aFleX script to make decisions based on the CA# and Common Name of a Client Certificate.##################################################when RULE_INIT { set ::DEBUG 0}when CLIENTSSL_CLIENTCERT { set CCcert [SSL::cert 0] set CCsubject [X509::subject $CCcert] if {…
-
Observium Module
One of our customers was kind enough to create an Observium module. You can find it at: http://jira.observium.org/browse/OBSERVIUM-452
-
Web re-direct on the AX3030
Hi all, We are trying to set up an application on two servers fronted by the A10. Everything functionally up but clients cannot access the web pages. As an example the VIP url is https://test.ntu.ac.uk. The DNS A record is 192.168.99.39. However, the actual page on the server is https://test.ntu.ac.uk/jukeboxdrm. Can this…
-
TCP port redirect
Aloha, I was wondering how to implement a TCP::remote_port redirect, as we are not using Layer 7 on the A10s. Example-> client connection -> VIP :80 -> aFleX -> service_group :443 I see some examples of TCP redirects, but wasn't sure on the correct usage/syntax, as it seems more complicated than a simple HTTP_REQUEST…
-
Interfacing SoftAx to ESX 5.1 standard vswitch
Hi all, We have two SoftAXs used as lab devices. I can communicate with them via the management interfaces, however, no communication via the Ethernet interfaces. These need to be trunks to pass the various VLANs from the VMs. The server guys are unsure how to do this as they are telling me that applying one VLAN to each…
-
One-arm deployment problem with Windows Server 2010
I'm facing a problem when I use a NAT IP with one-arm mode, so all clients reach the servers with the same IP, so the team who is responsible for these servers cannot make any trace or troubleshoot for their clients, as all of them reach the server with the same NAT IP. So, how can I solve this problem without changing the…
-
T3 protocol
I have a problem: the WebLogic application is using the T3 protocol to communicate to the BRM database. On the WebLogic I'm pointing to the VIP of BRM, I'm using the TCP protocol, but they can't communicate. Do you have an aFleX or recommendation on this matter?
-
Drop or Reject the HTTP TRACE method
A customer recently asked for a way to drop or reject the HTTP TRACE method for PCI compliance. Thanks to JonD, here is a quick aFleX to do that. when HTTP_REQUEST { if { [HTTP::method] eq "TRACE"} { reject } }
-
Is there a way to log SNAT translations
We just moved our LDAP service to our new A10 load balancers. Our PROD partition (which is where our LDAP virtual server is) is running in one-arm mode utilizing a SNAT pool. Everything is working fine, but our LDAP administrator is asking if there is a way to save a log file of the SNAT translations for the LDAP…
-
Search and replace
I need a way to see if a uri contains || and then replace all places it does with !!. Example: http://foo.bar.com/u?e=83||l||0||email@gmail.com||http://foo.bar.com needs to redirect to http://foo.bar.com/u?e=83!!l!!0!!email@gmail.com!!http://foo.bar.com.
-
External monitor script
Hi, I would like to create an external monitor health check that uses SSH to log in to a Linux server and send the command “df -a”. The expected answer contains the keyword “video”. Linux server IP: 10.10.1.81, Linux username: root, Linux password: whnm2013. How can I do this in a script? Thanks. Best regards, Bon