F5Networks / f5-appsvcs-extension

F5 BIG-IP Application Services 3 Extension
Apache License 2.0

Unable to compare SSL SNI/hostname against data group #790

Open normelton opened 9 months ago

normelton commented 9 months ago

Environment

Summary

When building a policy, I can compare the HTTP hostname against a data group, but I cannot compare the SSL SNI hostname against the same data group. I get the following error.

Steps To Reproduce

  1. Submit the following policy:
"http-redirect": {
    "class": "Endpoint_Policy",
    "strategy": "first-match",
    "rules": [
        {
            "name": "permit",
            "conditions": [{
                "type": "httpHost",
                "event": "request",
                "host": {
                    "operand": "ends-with",
                    "datagroup": {
                        "use": "permitted-domains"
                    }
                }
            }]
        }
    ]
}

It works fine.

  2. Submit this policy instead:
"https-block": {
    "class": "Endpoint_Policy",
    "strategy": "first-match",
    "rules": [
        {
            "name": "permit",
            "conditions": [{
                "type": "sslExtension",
                "event": "ssl-client-hello",
                "serverName": {
                    "operand": "ends-with",
                    "datagroup": {
                        "use": "permitted-domains"
                    }
                }
            }]
        }
    ]
}

It fails to post; I get the following error:

{
  "code": 422,
  "message": "declaration failed",
  "response": "01020036:3: The requested datagroup lookup failure:  (use) was not found.",
  "host": "localhost",
  "tenant": "init-policy",
  "runTime": 2365
},
dstokesf5 commented 8 months ago

It looks like two things are changing between your working and non-working examples. If the permitted-domains data group is managed by AS3, can you try updating your failing example to use a use pointer instead of a bigip pointer?

normelton commented 8 months ago

Good observation. In all my testing, I copied/pasted the wrong example. The behavior is the same with a use pointer. I updated my post above.

mdditt2000 commented 7 months ago

Add Jira AUTOTOOL-4132 to next sprint for prioritization discussion