
AS3 "httpHost" value for LTM Policies

Open donE89 opened this issue 3 years ago • 6 comments

Requesting that "httpHost" value be added for AS3 key name "type".

Currently the only supported "type" values are: ["http","httpCookie","httpHeader","httpRedirect","httpUri","waf","forward","drop","clientSsl","persist","tcl","log"]

The closest supported type is "httpHeader" but this does not suffice. The "httpHost" value is needed for ltm policies. The tmsh equivalent is http-host, i.e.:

    ltm policy fqdn.com.policy {
        controls { forwarding }
        last-modified 2022-03-11:20:23:49
        partition Common
        requires { http }
        rules {
            abc {
                actions {
                    0 { http-host replace value fqdn.com }
                    1 { forward select pool fqdn.com.pool }
                }
            }
        }
        status published
        strategy best-match
    }


Attempted AS3 Conversion:

    "fqdn.com.policy": {
      "rules": [
        {
          "name": "abc",
          "actions": [
            {
              "event": "request",
              "type": "httpHost",
              "replace": { "value": "fqdn.com" }
            },
            {
              "event": "request",
              "type": "forward",
              "select": { "pool": { "use": "fqdn.com.pool" } }
            }
          ]
        }
      ],
      "strategy": "best-match",
      "class": "Endpoint_Policy"
    }

AS3 Response:

    {
      "code":422,
      "errors":[
        "/t_app/fqdn.com.443.tcp.app/fqdn.com.policy/rules/0/actions/0/type: should be equal to one of the allowed values ["http","httpCookie","httpHeader","httpRedirect","httpUri","waf","forward","drop","clientSsl","persist","tcl","log"]"
      ],
      "declarationFullId":"",
      "message":"declaration is invalid"
    }

donE89 avatar Sep 15 '22 20:09 donE89

We have been using this with success:

  "type": "httpHeader",
  "replace": {
    "name": "Host",
    "value": "newfqdn.com"
  }

wncocz avatar Sep 15 '22 21:09 wncocz

For what it is worth, according to this comment, the httpHost condition of an ltm policy just matches against the host header anyway

https://github.com/F5Networks/f5-appsvcs-extension/issues/397#issuecomment-747603366

21buckets avatar Sep 16 '22 06:09 21buckets

I will try this. What version of AS3 are you using?

donE89 avatar Sep 16 '22 17:09 donE89

> I will try this. What version of AS3 are you using?

Currently on 3.36.0; have been using this configuration for many versions prior.

wncocz avatar Sep 16 '22 19:09 wncocz

Here is another example of a similar issue: the LTM policy is using an Http Host value but AS3 does not have an equivalent. Policy:

    ltm policy policy.somesite.com {
        controls { forwarding }
        last-modified 2022-10-19:21:37:10
        requires { http }
        rules {
            "Redirect Rule" {
                actions {
                    0 { http-reply redirect location tcl:https://somesite-wiam.com[HTTP::uri] }
                }
                conditions {
                    0 { http-host host values { somesite.com } }
                }
            }
        }
        status published
        strategy first-match
    }

AS3 Input:

    {
      "class": "AS3",
      "action": "dry-run",
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.41.0",
        "target": { "address": "10.47.200.211" },
        "t_10.x.x.x": {
          "class": "Tenant",
          "remark": "AppID: 100294",
          "somesite.443.tcp.app": {
            "class": "Application",
            "template": "generic",
            "label": "https-bridge-app",
            "somesite.443.vs": {
              "class": "Service_HTTPS",
              "enable": true,
              "virtualAddresses": [ "10.x.x.x" ],
              "virtualPort": 443,
              "redirect80": false,
              "serverTLS": "somesite.c.ssl.pf",
              "clientTLS": { "bigip": "/Common/serverssl" },
              "profileHTTP": { "bigip": "/Common/http" },
              "iRules": [ "somesite.irule.csr.access.uat3.int.ally.com.redirects" ],
              "pool": "somesite.pool",
              "persistenceMethods": [ { "bigip": "/Common/cookie.bigip-encryption" } ],
              "policyEndpoint": [ { "use": "policy.somesite" } ],
              "snat": { "bigip": "/Common/SNATS_BANK_MDL1" },
              "profileTCP": { "bigip": "/Common/tcp-lan-optimized" },
              "profileAnalytics": { "bigip": "/Common/analytics" }
            },
            "somesite.pool": {
              "class": "Pool",
              "loadBalancingMode": "round-robin",
              "slowRampTime": 10,
              "members": [
                {
                  "servicePort": 8484,
                  "shareNodes": true,
                  "adminState": "enable",
                  "serverAddresses": [ "10.46.88.75" ]
                },
                {
                  "servicePort": 8484,
                  "shareNodes": true,
                  "adminState": "enable",
                  "serverAddresses": [ "10.46.88.76" ]
                }
              ],
              "monitors": [ { "bigip": "/Common/tcp" } ]
            },
            "policy.somesite": {
              "rules": [
                {
                  "name": "Redirect Rule",
                  "conditions": [
                    {
                      "event": "request",
                      "type": "httpHeader",
                      "host": { "values": [ "somesite" ], "operand": "equals" }
                    }
                  ],
                  "actions": [
                    {
                      "event": "request",
                      "type": "httpRedirect",
                      "location": "tcl:https://somenewsite.com[HTTP::uri]"
                    }
                  ]
                }
              ],
              "strategy": "first-match",
              "class": "Endpoint_Policy"
            },
            "pool.tridion2011.uat3.8052": {
              "members": [
                {
                  "addressDiscovery": "static",
                  "servicePort": 8052,
                  "serverAddresses": [ "10.46.130.157", "10.46.130.160", "10.45.88.54", "10.45.88.55" ],
                  "shareNodes": true
                }
              ],
              "monitors": [ { "bigip": "/Common/tcp_15" } ],
              "class": "Pool"
            },
            "pool.somesite.8484": {
              "members": [
                {
                  "addressDiscovery": "static",
                  "servicePort": 6301,
                  "serverAddresses": [ "10.46.131.36", "10.46.131.39" ],
                  "shareNodes": true
                },
                {
                  "addressDiscovery": "static",
                  "servicePort": 8484,
                  "serverAddresses": [ "10.46.88.75", "10.46.88.76" ],
                  "shareNodes": true
                }
              ],
              "monitors": [ { "bigip": "/Common/tcp" } ],
              "class": "Pool"
            },
            "somesite.443.cert": {
              "certificate": { "bigip": "/Common/lb-somesite" },
              "privateKey": { "bigip": "/Common/lb-somesite" },
              "class": "Certificate"
            },
            "somesite.c.ssl.pf": {
              "certificates": [
                { "certificate": "somesite.443.cert" }
              ],
              "ciphers": "ALL:!TLSv1:!TLSv1_1:!DHE:!SHA:!MD5:!ADH:!EXPORT:!EXP",
              "class": "TLS_Server"
            }
          }
        }
      }
    }

Error:

    {
      "code": 422,
      "errors": [
        "/t_10.x.x.x/somesite.443.tcp.app/policy.somesite/rules/0/conditions/0: should have required property 'all'"
      ],
      "declarationFullId": "",
      "message": "declaration is invalid"
    }

donE89 avatar Dec 20 '22 21:12 donE89

And apologies: looking back over our message history, I realize I forgot to mention that your suggested course of action was successful in the previous scenario.

donE89 avatar Dec 20 '22 21:12 donE89
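
Added example, not part of the issue thread and not code from the AS3 project: a pre-flight pass over an Endpoint_Policy that applies the `httpHeader`/`Host` workaround from the first exchange and reshapes the `httpHeader` condition from the second declaration before it is posted. `normalize_policy` is a hypothetical helper, and moving the `host` comparison under `all` with `name` set to `Host` is an assumption drawn from the 422 message asking for `all`.

```python
import copy

# Allowed "type" values, copied from the 422 response quoted in the issue.
ALLOWED_TYPES = {"http", "httpCookie", "httpHeader", "httpRedirect", "httpUri", "waf",
                 "forward", "drop", "clientSsl", "persist", "tcl", "log"}

def normalize_policy(policy):
    """Return (rewritten copy, notes) for one Endpoint_Policy object."""
    out, notes = copy.deepcopy(policy), []
    for r, rule in enumerate(out.get("rules", [])):
        for kind in ("conditions", "actions"):
            for i, item in enumerate(rule.get(kind, [])):
                path = f"rules/{r}/{kind}/{i}"
                if item.get("type") == "httpHost":
                    item["type"] = "httpHeader"
                    if kind == "actions" and "replace" in item:
                        # Workaround from the thread: replace the Host header by name.
                        item["replace"] = {"name": "Host", **item["replace"]}
                    notes.append(f"{path}: httpHost rewritten as httpHeader")
                if kind == "conditions" and item.get("type") == "httpHeader" and "host" in item:
                    # Assumption: the comparison goes under "all" (the property
                    # the 422 asks for) and the header is selected by "name".
                    item["all"] = item.pop("host")
                    item.setdefault("name", "Host")
                    notes.append(f"{path}: 'host' comparison moved to 'all'")
                if item.get("type") not in ALLOWED_TYPES:
                    notes.append(f"{path}: type {item.get('type')!r} is not allowed")
    return out, notes

# Constructed sample: one rule combining the condition and actions posted in the issue.
SAMPLE = {
    "class": "Endpoint_Policy",
    "strategy": "first-match",
    "rules": [{
        "name": "abc",
        "conditions": [{"event": "request", "type": "httpHeader",
                        "host": {"values": ["somesite"], "operand": "equals"}}],
        "actions": [{"event": "request", "type": "httpHost",
                     "replace": {"value": "fqdn.com"}},
                    {"event": "request", "type": "forward",
                     "select": {"pool": {"use": "fqdn.com.pool"}}}],
    }],
}

if __name__ == "__main__":
    fixed, notes = normalize_policy(SAMPLE)
    print("\n".join(notes))
```

Running the rewritten policy through the declaration's own `"action": "dry-run"` afterwards confirms whether the installed AS3 version accepts it.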