- outbound nat based on IP
I'm trying to configure LLB for ISP links and having some trouble with the outbound NAT. Basically when it goes out ISP1 it should default to NAT pool ISP_C for most users, but when it comes from one range (using individual IP in my testing) it needs to use NAT pool ISP_CTHSE. Under my 0.0.0.0 VIP this aflex works: when…
- SNI and AFLEX
Hi all, I have a problem with aflex configured on a VIP with a SNI template applied. On the VIP I have exposed application for domain1 (the default certificate in the SSL template) and 2 services for domain2. SNI template is working fine but now I need to add on the VIP an aflex like this: #Rewrite if {[HTTP::host] matches…
- Don't Allow a URL containing an MS-DOS device name
Hi! I would like to use our AX1030 and aFlex to make sure that "Microsoft ASP.NET MS-DOS Device Name DoS"-requests get a 404.5 response. "Microsoft ASP.NET MS-DOS Device Name DoS"-requests have one of the following as a sequence in the URL: AUX CON PRN NUL COM1 LPT1 LPT2 LPT3 COM2 COM3 COM4 Any suggested way to solve this in…
- aFlex server selection by uri
Hi, I would need to do an aFlex script that would match www.domain.tld/test and then forward traffic only to one server ip-address, instead of loadbalancing with two servers. I have made the following aFlex script: # aFleX script for URL Rewrite # Direct /test to www1 10.0.01 # when HTTP_REQUEST {if [HTTP::uri] contains…
- aflex ip based traffic management
Hi, I'm having a problem with some (basic) aflex traffic redirection on a virtual server that I'm trying to use. I'm trying to match certain subnet ranges of users to a prioritised server pool (sg2-80), but to not prevent them from connectivity if that prioritised pool goes down for some reason, and send the majority of…
- Cannot get a simple URI redirect working
Hi all, I've been searching through examples on here, the aflex GitHub, the samples on the ACOS device, but just cannot get a simple redirect working with AFlex. Can somebody please point me in the right direction? I'm trying to do the following: The user visits https://hostname.domain.com and the ACOS device redirects them…
- Detect HTTPS traffic
Hi, I'm after a variable that can differentiate httpS traffic from http traffic. Is this possible with http::host or http::uri? Thanks, William
- Multiple protocols on virtual server port
Hello everyone, I need to make one virtual port both to manipulate with TCP stream (TCP::payload replace) and to insert HTTP header. Unfortunately, tcp_proxy port (the only one that can do TCP::payload replace) can't handle HTTP traffic. Any thoughts?
- IP::addr and regex
Is it possible to check against client IP using regex? Basically trying to do an aflex ACL to limit IPs for SMTP connections, something similar to this (this isn't working of course): when CLIENT_ACCEPTED { if { not [IP::addr [IP::client_addr] matches regex "^192\.168\.2\.(10[5-7])$"] } { drop } }
- Redirect when HTTP_RESPONSE [HTTP::status] contains "200"
I need to set up a script that does redirection when there was status code 200 for the same page with dynamic context, for example https://myURL.com/xtyfwdk I set the following script but it has an error: Error : aFleX compile error : line 15: "command is invalid in current event context [ HTTP :: uri ]" used script When…
- Restrict SMTP to list of allowed IPs
MS Exchange 2007 services under one VIP, on AX 3200-12's in one-arm mode. I want to restrict the SMTP service to allow only a predefined list of client IP addresses or networks to go through. This would match the allow list on the Exchange Server configuration. The reason for this is since the AX's are in one-arm mode…
- aFLEX for SIP SLB on Code bases
Will this script load balance SIP traffic? If Code 900 send traffic to node x.x.x.17 If code 903 send traffic to node x.x.x.18 Load balance rest of the traffic. when SIP_REQUEST { if { [SIP::to] starts_with "<sip:900" } { node x.x.x.17 } } when SIP_REQUEST { if { [SIP::to] starts_with "<sip:903" } { node x.x.x.18 } }…
- Reselect rserver depending of the server response URL after a 302
Hello, we have a web server that is configured in a way that, if it detects an internal failure like in the DB, it returns a 302 code redirecting the request to a sorry page in a URL format http://<domain>/error I need to create a script or maybe a healthcheck that allows me to detect that response, and then reselect…
- aFleX for cookies httponly with one exception
Hello, I need to make a script aFleX for cookies with flag HTTPonly with one exception for cookie with name LID. I tried to use aFleX like below: when HTTP_RESPONSE { if {([HTTP::header exists "Set-Cookie"] and [HTTP::cookie contains "LID"])} { set cookie_value [HTTP::cookie "TestCookie1"] HTTP::cookie remove "TestCookie1"…
- Restrict Access to particular URLs
I am looking at the best way to only allow access to particular URLs on a VIP. One way I thought of was to use an aFlex script to allow/deny access. I have not found any specific scripts to do this, but I have found some for other providers. I am looking for the best, most efficient way for latency/system resources to…
- problem with my sorry server
Hello: I have two service-groups (servers X and sorry servers). When my primary service-group fails (all servers down) the sorry servers respond in the other service-group (this step is okay), but when the primary service-group comes back, I need to wait about 8 minutes (that time is a configuration for sticky in primary…
- aFleX - Request client certificate to authenticate.
Can it request an authentication key when the URL https://meudominio.com/LoginCert or https://meudominio.com/RegisterCert is accessed? Below is a sample configuration when CLIENTSSL_CLIENTCERT { set client_cert [SSL::cert 0] log local0. "[X509::whole $client_cert]" } when HTTP_REQUEST { if {([HTTP::uri] starts_with…
- Block Exchange ECP externally
I am trying to block Exchange ECP (2013) from external access. I am having issues with the aFlex rule below: when HTTP_REQUEST { if { HTTP::uri] starts_with "/ecp" } { drop } } In the GUI I get a Warning: aFlex syntax error:line 3;"syntax error in expression"Http::url]starts_with "/ecp" ":variable ref.."" What have I done…
- Can I refer to an ACL within an aFlex?
Hi there, I have two pools that should explicitly be used depending on the clients' source IP addresses, and this already seems to work with the following aFlex example: when CLIENT_ACCEPTED { if { [IP::addr [IP::client_addr] equals 10.10.10.0/24] } { pool POOL1 } else { pool POOL2 } } The problem is that we have multiple…
- aFleX: Brute Force Attack Protection
Hi A10 vADC Community, I would like to share with the A10 vADC community a custom aFleX script created by an A10 SE (Jose S.). This aFleX script mitigates and protects the A10 ADC from brute-force attacks. This is a very useful script and customizable based on parameter preference. I strongly suggest implementing this script…
- NTP Reflection Attack
Hello All, This aflex may be used to protect against an NTP Reflection Attack (CVE-2013-5211). Apply this to the virtual service for NTP, udp port 123. # This aFleX detects and drops the NTP Reflection attack - reject Monlists # Refer to https://www.us-cert.gov/ncas/alerts/TA14-013A when CLIENT_DATA { binary scan…
- Proxy Pass Rule
Hi guys, I need a proxy pass rule to send the connection from /PortalTransparencia to /PortalTransparencia/HomeTransparencia. I can't use HTTP::redirect
- DNS NXDOMAIN Attack Aflex
All, this may be used as a template to protect against DNS NXDOMAIN attacks. The aFlex will dynamically build a table of FQDNs based on observed DNS replies that are 'NXDOMAIN'. Entries are stored for an hour (3600 seconds). Subsequent requests for these FQDNs are blocked. when RULE_INIT { set ::holdtime 3600 } when…
- variable scopes only for one virtual server or one request
Hello. I want to operate multiple stage environments (development, staging, production) in a partition. For those environments, I want to use the same aflex policies as much as possible. I have looked at using the following aflex policies. staging_env.tcl when RULE_INIT { set ::global::target_service = "staging_service_80"}…
- AX handling of Connection Limit
Hello, I've been looking into making our AX3030 handle max connections towards our appservers so it doesn't let it overload the appservers, and I can't find much info on how it handles connection limits and how we can fine tune it. First, I'd like a definition of Connection Limit: is it the amount of http requests? Another…
- Supporting multiple services selective client-ssl and server-ssl w/ single VIP
We have a need to support numerous services behind a single VIP. URL switching makes this fairly easy, however some sites use client-ssl, and other sites use client & server-ssl. What would an effective AFLEX look like to support this SSL-template selection based on specific header content?
- Collect different info from different Webmail clients
My goal is to log different information from Webmail clients than from ActiveSync clients. It seems the most obvious way to distinguish the two clients is from the HTTP::URI. So I've written the following script, which sadly has an error somewhere in it; line 19 according to the A10. when HTTP_REQUEST { if { [HTTP::method]…
- Geolocated redirect aFlex
Hi team, Just a quick message to advertise a specific aFlex adaptation I had to do. The actual iR**le is defined as follows: when HTTP_REQUEST { set url [string tolower [HTTP::host]] if {$url ne "es.sites.xxx.com"} { switch [whereis [IP::client_addr] country] { ES { HTTP::redirect http://es.xxx.com } IT {…