f5-appsvcs-extension
redirect80 virtual server does not inherit properties of parent virtual server
Environment
- Application Services Version: {"version":"3.33.0","release":"4","schemaCurrent":"3.33.0","schemaMinimum":"3.0.0"}
- BIG-IP Version: 15.1.4
Summary
This seems vaguely similar to #514.
When setting redirect80 to 'true', the resulting port 80 virtual server does not inherit the AFM policy or logging profile of the parent VIP. This causes AFM to effectively block (and not log) traffic to port 80.
I am deploying AS3 VSs through Big-IQ, but I suspect the result would be the same when declaring directly to the Big-IP.
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration:
```json
{
  "id": "example.com_HTTPS_443",
  "class": "ADC",
  "controls": {
    "class": "Controls",
    "userAgent": "BIG-IQ/8.1 Configured by API"
  },
  "updateMode": "selective",
  "schemaVersion": "3.22.0",
  "example.com_HTTPS_443": {
    "class": "Tenant",
    "ipv4_vip": {
      "class": "Application",
      "template": "https",
      "TLS_Server": {
        "class": "TLS_Server",
        "cipherGroup": {
          "bigip": "/Common/test-balanced"
        },
        "certificates": [
          {
            "certificate": "/example.com_HTTPS_443/ipv4_vip/Certificate"
          }
        ],
        "tls1_0Enabled": false,
        "tls1_1Enabled": false,
        "tls1_2Enabled": true,
        "tls1_3Enabled": false,
        "singleUseDhEnabled": true,
        "renegotiationEnabled": true
      },
      "Certificate": {
        "class": "Certificate",
        "chainCA": {
          "bigip": "/Common/letsencrypt-stg-int-r3.crt"
        },
        "privateKey": {
          "bigip": "/Common/example.com.key"
        },
        "certificate": {
          "bigip": "/Common/example.com.crt"
        }
      },
      "serviceMain": {
        "pool": {
          "use": "/example.com_HTTPS_443/ipv4_vip/example.com_https-443_ipv4_pool"
        },
        "snat": "none",
        "class": "Service_HTTPS",
        "enable": true,
        "clientTLS": {
          "bigip": "/Common/serverssl-test"
        },
        "mirroring": "none",
        "serverTLS": "/example.com_HTTPS_443/ipv4_vip/TLS_Server",
        "profileTCP": {
          "egress": {
            "bigip": "/Common/test-tcp-server"
          },
          "ingress": {
            "bigip": "/Common/test-tcp-client"
          }
        },
        "redirect80": true,
        "profileHTTP": {
          "bigip": "/Common/HTTP_X-Forwarded-for"
        },
        "virtualPort": 443,
        "shareAddresses": true,
        "profileAnalytics": {
          "use": "/example.com_HTTPS_443/ipv4_vip/Analytics_Profile"
        },
        "virtualAddresses": [
          "10.254.254.254"
        ],
        "persistenceMethods": [],
        "securityLogProfiles": [
          {
            "bigip": "/Common/test-network"
          }
        ],
        "policyFirewallEnforced": {
          "bigip": "/Common/HIGH-VIP_AFM_POLICY"
        },
        "serviceDownImmediateAction": "none"
      },
      "Analytics_Profile": {
        "class": "Analytics_Profile",
        "collectIp": false,
        "collectGeo": false,
        "collectUrl": false,
        "collectMethod": false,
        "collectUserAgent": false,
        "collectOsAndBrowser": false,
        "collectPageLoadTime": false,
        "collectResponseCode": true,
        "collectClientSideStatistics": true
      },
      "example.com_https-443_ipv4_pool": {
        "class": "Pool",
        "members": [
          {
            "ratio": 1,
            "adminState": "enable",
            "shareNodes": true,
            "servicePort": 443,
            "priorityGroup": 0,
            "serverAddresses": [
              "10.250.255.1"
            ]
          }
        ],
        "monitors": [
          {
            "bigip": "/Common/test-https1.0"
          }
        ],
        "loadBalancingMode": "round-robin",
        "serviceDownAction": "none"
      }
    }
  }
}
```
- Observe the following error response:
```
ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain {
    creation-time 2022-01-12:14:44:03
    description ipv4_vip
    destination 10.254.254.254:https
    fw-enforced-policy HIGH-VIP_AFM_POLICY
    ip-protocol tcp
    last-modified-time 2022-01-12:14:44:03
    mask 255.255.255.255
    partition example.com_HTTPS_443
    pool /example.com_HTTPS_443/ipv4_vip/example.com_https-443_ipv4_pool
    profiles {
        /example.com_HTTPS_443/ipv4_vip/Analytics_Profile { }
        /example.com_HTTPS_443/ipv4_vip/TLS_Server {
            context clientside
        }
        HTTP_X-Forwarded-for { }
        test-tcp-client {
            context clientside
        }
        test-tcp-server {
            context serverside
        }
        serverssl-test {
            context serverside
        }
    }
    security-log-profiles {
        test-network
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 53
}
ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain-Redirect- {
    creation-time 2022-01-12:14:44:03
    description ipv4_vip
    destination 10.254.254.254:http
    ip-protocol tcp
    last-modified-time 2022-01-12:14:44:03
    mask 255.255.255.255
    partition example.com_HTTPS_443
    profiles {
        http { }
        test-tcp-client {
            context clientside
        }
        test-tcp-server {
            context serverside
        }
    }
    rules {
        _sys_https_redirect
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 54
}
```
Expected Behavior
Ideally, the port 80 VS should inherit all properties of the parent VS, aside from the pool and iRule. Otherwise, the behavior of the port 80 VS is inconsistent with the behavior of the port 443 VS.
But for the issues in front of me currently, just getting the port 80 VS to inherit the AFM and log profiles would help a lot.
Actual Behavior
The port 80 VS enabled by redirect80 does not inherit the Network Firewall policy or logging profiles of the parent VS. This has security and compliance implications in my specific case.
I do see, from my examples, that the port 80 VS does inherit the parent TCP profiles.
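The gap described above (a redirect virtual server that carries none of the parent's `fw-enforced-policy` or `security-log-profiles`) is easy to catch with a configuration audit run against the `tmsh list ltm virtual` output. The script below is an added example and is not part of AS3, BIG-IQ or this issue; it assumes the `-Redirect-` naming suffix seen in the output above identifies a redirect80 virtual, parses only the subset of tmsh syntax shown there, and uses a constructed sample condensed from that output.

```python
"""Audit a `tmsh list ltm virtual` dump: flag redirect virtual servers that
lack the firewall policy or security log profiles of their parent virtual.
Added example for this issue; not code from the f5-appsvcs-extension project."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, condensed from the tmsh output quoted in the issue.
SAMPLE_TMSH = """\
ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain {
    destination 10.254.254.254:https
    fw-enforced-policy HIGH-VIP_AFM_POLICY
    profiles {
        /example.com_HTTPS_443/ipv4_vip/TLS_Server {
            context clientside
        }
        HTTP_X-Forwarded-for { }
    }
    security-log-profiles {
        test-network
    }
    source 0.0.0.0/0
}
ltm virtual /example.com_HTTPS_443/ipv4_vip/serviceMain-Redirect- {
    destination 10.254.254.254:http
    profiles {
        http { }
    }
    rules {
        _sys_https_redirect
    }
    source 0.0.0.0/0
}
"""

# Assumption: AS3 names the redirect80 virtual "<parent>-Redirect-" (as in the issue output).
REDIRECT_SUFFIX = "-Redirect-"


@dataclass
class VirtualServer:
    name: str
    destination: str = ""
    fw_enforced_policy: Optional[str] = None
    security_log_profiles: List[str] = field(default_factory=list)


def parse_virtuals(text: str) -> List[VirtualServer]:
    """Brace-aware line parser for the `ltm virtual` blocks of a tmsh listing."""
    servers: List[VirtualServer] = []
    current: Optional[VirtualServer] = None
    depth = 0      # brace nesting depth; 1 == directly inside a virtual's body
    section = ""   # name of the depth-2 block we are in (e.g. security-log-profiles)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if depth == 0:
            m = re.match(r"ltm virtual (\S+) \{$", line)
            if m:
                current = VirtualServer(name=m.group(1))
                servers.append(current)
                depth = 1
            continue
        if line == "}":
            depth -= 1
            if depth < 2:
                section = ""
            if depth == 0:
                current = None
            continue
        if line.endswith("{ }"):
            continue  # one-line leaf such as "http { }"; no nesting change
        if line.endswith("{"):
            depth += 1
            if depth == 2:
                section = line[:-1].strip()
            continue
        if depth == 1:  # key/value attribute of the virtual itself
            key, _, value = line.partition(" ")
            if key == "fw-enforced-policy":
                current.fw_enforced_policy = value
            elif key == "destination":
                current.destination = value
        elif depth == 2 and section == "security-log-profiles":
            current.security_log_profiles.append(line)
    return servers


def audit_redirects(servers: List[VirtualServer]) -> List[Tuple[str, str]]:
    """Return (virtual name, problem) pairs for redirect virtuals weaker than their parent."""
    by_name = {s.name: s for s in servers}
    findings: List[Tuple[str, str]] = []
    for vs in servers:
        if not vs.name.endswith(REDIRECT_SUFFIX):
            continue
        parent = by_name.get(vs.name[: -len(REDIRECT_SUFFIX)])
        if parent is None:
            findings.append((vs.name, "no parent virtual server found"))
            continue
        if parent.fw_enforced_policy and vs.fw_enforced_policy != parent.fw_enforced_policy:
            findings.append((vs.name, f"fw-enforced-policy missing (parent has {parent.fw_enforced_policy})"))
        missing = sorted(set(parent.security_log_profiles) - set(vs.security_log_profiles))
        if missing:
            findings.append((vs.name, "security-log-profiles missing: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for name, problem in audit_redirects(parse_virtuals(SAMPLE_TMSH)):
        print(f"{name}: {problem}")
```

Run against a real dump (`tmsh list ltm virtual` saved to a file) the script reports every redirect virtual whose parent has an enforced AFM policy or log profile that the redirect lacks, which is exactly the port 80 exposure this issue describes; an empty result is the expected state once the behaviour is fixed or the redirect virtuals are declared explicitly.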
Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-2962.
Please reach out to us at [email protected] in order for us to get more information and prioritize. Thanks.
Hi @dstokesf5, @sunitharonan
Has there been any progress on AUTOTOOL-2962? If it is still in development, would it be possible to have this include the "Description" of the redirect virtual server to be a copy of the main VS's description/remark?
The current behaviour is that the description of the Redirect VS takes the Path (application) name of the virtual. I think it would be better for usability if it matched the main VS's description.