authorPaul C. Buetow <paul@buetow.org>2014-05-26 18:29:01 +0200
committerPaul C. Buetow <paul@buetow.org>2014-05-26 18:29:01 +0200
commit880cf82beddc5533362280ec0790577fc51f8bd2 (patch)
tree0ec1e964465da4f339554c7873087e7dc72b40c1
parent1b7daadec1462bb1c6be126c2ebde4962f855507 (diff)
Add option -a; add the ability to manage SSL client profiles and vserver rules
-rw-r--r--README.pod17
-rw-r--r--docs/fapi.120
-rw-r--r--docs/fapi.pod17
-rw-r--r--docs/fapi.txt16
-rw-r--r--docs/synopsis.txt12
-rwxr-xr-xsrc/fapi87
6 files changed, 159 insertions, 10 deletions
diff --git a/README.pod b/README.pod
index ca50e31..4d3429d 100644
--- a/README.pod
+++ b/README.pod
@@ -134,7 +134,7 @@ And everything can be deleted as folows:
A simple HTTP NATed service can be created as follows.
- fapi vserver myvserver.example.com:80 create PROTOCOL_TCP /Common/http
+ fapi vserver myvserver.example.com:80 create PROTOCOL_TCP http
fapi vserver myvserver.example.com:80 set vlan VLANNAME
fapi vserver myvserver.example.com:80 set pool foopool
@@ -150,6 +150,21 @@ You need also to set the SNAT flag as follows:
fapi vserver myvserver.example.com:80 set snat automap
+=head2 Settung up simple SNAT Services with SSL offloading enabled
+
+Just like SNAT service (use port 443) but with these additional steps
+
+First Upload the SSL certificate to the F5 BIG IP (e.g. System -> File Management
+-> SSL Certificate List on BIG IP V11.4).
+
+ # Afterwards create a new SSL profile to use the new certificate:
+ # (Will automatically use key/crt myserver.example.com.{key,crt})
+ fapi profileclientssl myserver.example.com create
+
+ # Then attach that profile to the vserver (default context is
+ # PROFILE_TYPE_CLIENT_SSL, which means SSL between F5 and Clients)
+ fapi vserver myvserver.example.com:443 profile add myserver.example.com
+
=head2 About the NAME argument
In most cases NAME can be a hostname, FQDN or an IP address. Optionally folled
diff --git a/docs/fapi.1 b/docs/fapi.1
index c47300d..98bd100 100644
--- a/docs/fapi.1
+++ b/docs/fapi.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "FAPI 1"
-.TH FAPI 1 "2014-05-16" "fapi 0.7.3" "User Commands"
+.TH FAPI 1 "2014-05-26" "fapi 0.7.3" "User Commands"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -276,7 +276,7 @@ And everything can be deleted as folows:
A simple \s-1HTTP\s0 NATed service can be created as follows.
.PP
.Vb 3
-\& fapi vserver myvserver.example.com:80 create PROTOCOL_TCP /Common/http
+\& fapi vserver myvserver.example.com:80 create PROTOCOL_TCP http
\& fapi vserver myvserver.example.com:80 set vlan VLANNAME
\& fapi vserver myvserver.example.com:80 set pool foopool
.Ve
@@ -293,6 +293,22 @@ You need also to set the \s-1SNAT\s0 flag as follows:
.Vb 1
\& fapi vserver myvserver.example.com:80 set snat automap
.Ve
+.SS "Settung up simple \s-1SNAT\s0 Services with \s-1SSL\s0 offloading enabled"
+.IX Subsection "Settung up simple SNAT Services with SSL offloading enabled"
+Just like \s-1SNAT\s0 service (use port 443) but with these additional steps
+.PP
+First Upload the \s-1SSL\s0 certificate to the F5 \s-1BIG\s0 \s-1IP\s0 (e.g. System \-> File Management
+\&\-> \s-1SSL\s0 Certificate List on \s-1BIG\s0 \s-1IP\s0 V11.4).
+.PP
+.Vb 3
+\& # Afterwards create a new SSL profile to use the new certificate:
+\& # (Will automatically use key/crt myserver.example.com.{key,crt})
+\& fapi profileclientssl myserver.example.com create
+\&
+\& # Then attach that profile to the vserver (default context is
+\& # PROFILE_TYPE_CLIENT_SSL, which means SSL between F5 and Clients)
+\& fapi vserver myvserver.example.com:443 profile add myserver.example.com
+.Ve
.SS "About the \s-1NAME\s0 argument"
.IX Subsection "About the NAME argument"
In most cases \s-1NAME\s0 can be a hostname, \s-1FQDN\s0 or an \s-1IP\s0 address. Optionally folled
diff --git a/docs/fapi.pod b/docs/fapi.pod
index ca50e31..4d3429d 100644
--- a/docs/fapi.pod
+++ b/docs/fapi.pod
@@ -134,7 +134,7 @@ And everything can be deleted as folows:
A simple HTTP NATed service can be created as follows.
- fapi vserver myvserver.example.com:80 create PROTOCOL_TCP /Common/http
+ fapi vserver myvserver.example.com:80 create PROTOCOL_TCP http
fapi vserver myvserver.example.com:80 set vlan VLANNAME
fapi vserver myvserver.example.com:80 set pool foopool
@@ -150,6 +150,21 @@ You need also to set the SNAT flag as follows:
fapi vserver myvserver.example.com:80 set snat automap
+=head2 Settung up simple SNAT Services with SSL offloading enabled
+
+Just like SNAT service (use port 443) but with these additional steps
+
+First Upload the SSL certificate to the F5 BIG IP (e.g. System -> File Management
+-> SSL Certificate List on BIG IP V11.4).
+
+ # Afterwards create a new SSL profile to use the new certificate:
+ # (Will automatically use key/crt myserver.example.com.{key,crt})
+ fapi profileclientssl myserver.example.com create
+
+ # Then attach that profile to the vserver (default context is
+ # PROFILE_TYPE_CLIENT_SSL, which means SSL between F5 and Clients)
+ fapi vserver myvserver.example.com:443 profile add myserver.example.com
+
=head2 About the NAME argument
In most cases NAME can be a hostname, FQDN or an IP address. Optionally folled
diff --git a/docs/fapi.txt b/docs/fapi.txt
index 67fe651..8dea5c9 100644
--- a/docs/fapi.txt
+++ b/docs/fapi.txt
@@ -121,7 +121,7 @@ EXAMPLES
Setting up simple HTTP NAT Services
A simple HTTP NATed service can be created as follows.
- fapi vserver myvserver.example.com:80 create PROTOCOL_TCP /Common/http
+ fapi vserver myvserver.example.com:80 create PROTOCOL_TCP http
fapi vserver myvserver.example.com:80 set vlan VLANNAME
fapi vserver myvserver.example.com:80 set pool foopool
@@ -137,6 +137,20 @@ EXAMPLES
fapi vserver myvserver.example.com:80 set snat automap
+ Settung up simple SNAT Services with SSL offloading enabled
+ Just like SNAT service (use port 443) but with these additional steps
+
+ First Upload the SSL certificate to the F5 BIG IP (e.g. System -> File
+ Management -> SSL Certificate List on BIG IP V11.4).
+
+ # Afterwards create a new SSL profile to use the new certificate:
+ # (Will automatically use key/crt myserver.example.com.{key,crt})
+ fapi profileclientssl myserver.example.com create
+
+ # Then attach that profile to the vserver (default context is
+ # PROFILE_TYPE_CLIENT_SSL, which means SSL between F5 and Clients)
+ fapi vserver myvserver.example.com:443 profile add myserver.example.com
+
About the NAME argument
In most cases NAME can be a hostname, FQDN or an IP address. Optionally
folled by a port:
diff --git a/docs/synopsis.txt b/docs/synopsis.txt
index 8e7317c..807ece6 100644
--- a/docs/synopsis.txt
+++ b/docs/synopsis.txt
@@ -47,11 +47,19 @@ Synopsis:
vserver
vserver NAME create [protocol] [profile] [poolname] [mask]
vserver NAME delete
- vserver NAME get brief|detail|status|vlan
+ vserver NAME get brief|detail|status|vlan|profile|rule
vserver NAME set nat|pat disabled|enabled
vserver NAME set pool POOLNAME
vserver NAME set snat automap|none
- vserver NAME set vlan [list,of,vlans,to,allow]
+ vserver NAME set vlan [list,of,vlans,to,allow]
+ vserver NAME profile add PROFILENAME [PROFILECONTEXT]
+ vserver NAME profile remove PROFILENAME
+ vserver NAME rule add RULENAME [RULEPRIORITY]
+ vserver NAME rule remove RULENAME
+ profileclientssl
+ profileclientssl PROFILENAME create [SSLKEYNAME] [SSLCERTNAME]
+ profileclientssl PROFILENAME delete
+ profileclientssl PROFILENAME get detail
The following partially needs admininstrator privileges on / and /Common
 -f Common -b balancer.example.com selfip
-f Common -b balancer.example.com selfip NAME create NETMASK VLANNAME [TGROUP]
diff --git a/src/fapi b/src/fapi
index 4854d81..55428d6 100755
--- a/src/fapi
+++ b/src/fapi
@@ -91,11 +91,19 @@ class FapiBase(object):
' vserver',
' vserver NAME create [protocol] [profile] [poolname] [mask]',
' vserver NAME delete',
- ' vserver NAME get brief|detail|status|vlan',
+ ' vserver NAME get brief|detail|status|vlan|profile|rule',
' vserver NAME set nat|pat disabled|enabled',
' vserver NAME set pool POOLNAME',
' vserver NAME set snat automap|none',
- ' vserver NAME set vlan [list,of,vlans,to,allow]'
+ ' vserver NAME set vlan [list,of,vlans,to,allow]',
+ ' vserver NAME profile add PROFILENAME [PROFILECONTEXT]',
+ ' vserver NAME profile remove PROFILENAME',
+ ' vserver NAME rule add RULENAME [RULEPRIORITY]',
+ ' vserver NAME rule remove RULENAME',
+ ' profileclientssl',
+ ' profileclientssl PROFILENAME create [SSLKEYNAME] [SSLCERTNAME]',
+ ' profileclientssl PROFILENAME delete',
+ ' profileclientssl PROFILENAME get detail'
+ reset,
'The following partially needs admininstrator privileges on / and /Common',
style +
@@ -132,6 +140,7 @@ class ArgumentParser(FapiBase):
def __init__(self):
''' Initialize the argument parser '''
self._parser = parser = argparse.ArgumentParser(add_help=False)
+ parser.add_argument('-a', action='store_true', help='Disables auto port in vserver name')
parser.add_argument('-b', action='store',
help='Forces to use the secified loadbalancer (overwrites -e)')
parser.add_argument('-d', action='store_true', help='Disable colorful output')
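Review bot: The help text for the new `-a` flag, `'Disables auto port in vserver name'`, does not tell an operator what "auto port" is or what the flag changes on the device. Since the only consumer visible in this commit is the vserver name construction, a help string that names the effect is clearer: `help='Do not append _PORT to the vserver object name (address the object by NAME alone)'`. The `ArgumentParser.__init__` body continues past this hunk.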
@@ -399,7 +408,10 @@ class Fapi(FapiBase):
_, ip, _ = self.lookup(fqdn_or_ip)
else:
fqdn_or_ip, ip, port = self.lookup(a.name)
- name = fqdn_or_ip + '_' + port
+ if a.a:
+ name = fqdn_or_ip
+ else:
+ name = fqdn_or_ip + '_' + port
if a.sub == 'get':
if a.sub2 == 'detail':
def detail(f5):
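Review bot: The new four-line `if a.a:` / `else:` assigns a single value and reads more directly as a conditional expression, `name = fqdn_or_ip if a.a else fqdn_or_ip + '_' + port`, which also matches the `a.sub2 if a.sub2 else ...` form used elsewhere in this file. With `-a` the port that `self.lookup(a.name)` still returns is silently discarded, so a `NAME:PORT` argument presumably resolves to the same BIG-IP object regardless of the port; a one-line comment stating the intent, e.g. `# -a: address objects created without the _PORT suffix`, would keep the next reader from treating this as a bug. `__do_vserver` starts before this hunk and continues after it.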
@@ -454,6 +466,10 @@ class Fapi(FapiBase):
return lambda: f5().get_object_status([name])
elif a.sub2 == 'vlan':
return lambda: f5().get_vlan([name])
+ elif a.sub2 == 'profile':
+ return lambda: f5().get_profile([name])
+ elif a.sub2 == 'rule':
+ return lambda: f5().get_rule([name])
elif a.sub == 'create':
protocol = a.sub2 if a.sub2 else 'PROTOCOL_TCP'
if a.sub3:
@@ -513,6 +529,24 @@ class Fapi(FapiBase):
'vlans': vlans
}
return lambda: f5().set_vlan([name], [vlan_filter_list])
+ elif a.sub == 'profile':
+ profiles = {
+ 'profile_context': a.sub4 if a.sub4 else 'PROFILE_CONTEXT_TYPE_CLIENT',
+ 'profile_name': a.sub3,
+ }
+ if a.sub2 == 'add':
+ return lambda: f5().add_profile([name], [[profiles]])
+ elif a.sub2 == 'remove':
+ return lambda: f5().remove_profile([name], [[profiles]])
+ elif a.sub == 'rule':
+ rules = {
+ 'priority': a.sub4 if a.sub4 else '1',
+ 'rule_name': a.sub3,
+ }
+ if a.sub2 == 'add':
+ return lambda: f5().add_rule([name], [[rules]])
+ elif a.sub2 == 'remove':
+ return lambda: f5().remove_rule([name], [[rules]])
def __do_vip(self, f5):
''' Do stuff concerning virtual addresses '''
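Review bot: The default profile context sent by the new `profile add` branch is `'PROFILE_CONTEXT_TYPE_CLIENT'`, while the usage text added to the docs in this same commit states the default is `PROFILE_TYPE_CLIENT_SSL`; one of the two is wrong and operators passing `[PROFILECONTEXT]` will copy whichever they read first, so please align them. Neither the `profile` nor the `rule` branch checks that `a.sub3` was supplied, so `fapi vserver NAME profile add` with no name builds `{'profile_name': None, ...}` and ships it to `add_profile`/`remove_profile`; a local guard such as `if not a.sub3: raise ValueError('PROFILENAME/RULENAME is required')` (in whatever error style the rest of the file uses, which is outside this hunk) fails fast instead of at the device. The rule priority default `'1'` is a string; if the iControl field is numeric, `int(a.sub4) if a.sub4 else 1` makes the intended type explicit. The enclosing `__do_vserver` starts before this hunk.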
@@ -563,6 +597,39 @@ class Fapi(FapiBase):
tgroup = a.sub3
return lambda: f5().set_traffic_group([name], [tgroup])
+ def __do_profileclientssl(self, f5):
+ ''' Do stuff concerning SSL client certs '''
+ a = self._args
+ if not a.name:
+ return lambda: f5().get_list()
+ # Do the actual stuff
+ if a.sub == 'get':
+ if a.sub2 == 'detail':
+ def detail(f5):
+ d = {}
+ d['ca_file'] = f5().get_ca_file_v2([a.name])
+ d['key_file'] = f5().get_key_file_v2([a.name])
+ d['certificate_file'] = f5().get_certificate_file_v2([a.name])
+ d['chain_file'] = f5().get_chain_file_v2([a.name])
+ d['client_certificate_ca_file'] = f5().get_client_certificate_ca_file_v2([a.name])
+ d['description'] = f5().get_description([a.name])
+ return d
+ return lambda: detail(f5)
+ if a.sub == 'create':
+ key_path = a.sub2 if a.sub2 else a.name + '.key'
+ certificate_path = a.sub3 if a.sub3 else a.name + '.crt'
+ key_file = {
+ 'value': key_path,
+ 'default_flag': False,
+ }
+ certificate_file = {
+ 'value': certificate_path,
+ 'default_flag': False,
+ }
+ return lambda: f5().create_v2([a.name], [key_file], [certificate_file])
+ elif a.sub == 'delete':
+ return lambda: f5().delete_profile([a.name])
+
def __do_vlan(self, f5):
''' Do stuff concerning VLANs '''
a = self._args
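Review bot: The `create` branch of the new `__do_profileclientssl` passes only a key and a certificate to `create_v2`; no chain file is set and nothing else is configured, so the resulting profile presumably inherits its parent profile, allowed protocol versions and cipher list from the device defaults, and a server certificate issued under an intermediate CA would be served without its chain. Either accept an optional chain name and call the setter counterpart of the `get_chain_file_v2` the `detail` branch already uses, or say so in the docstring, e.g. `''' Manage client SSL profiles. create sets key and cert only; chain, ciphers and protocol versions are inherited from the parent profile and must be set on the device. '''`. The `if a.sub == 'create':` after the `get` branch should be `elif` to match the other handlers, and a `get` with an unrecognised sub-command currently falls through and returns `None` rather than reporting an error. `__do_profileclientssl` is complete within this hunk.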
@@ -654,6 +721,13 @@ class Fapi(FapiBase):
elif a.sub2 == 'tgroup':
return lambda: f5().set_traffic_group([a.name], [a.sub3])
+ def __do_keycertificate(self, f5):
+ ''' Do stuff concerning SSL keys and Certificates'''
+ a = self._args
+ if not a.name:
+ # Somehow does not work with bugsuds 1.0.0
+ return lambda: f5().get_certificate_list_v2(0)
+
def __do_tgroup(self, f5):
''' Do stuff concerning TrafficGroups'''
a = self._args
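Review bot: `__do_keycertificate` is added as a stub that handles only the no-name case and is unreachable, because its dispatch entry later in this commit is commented out; called with a name it falls off the end and returns `None`. Either leave the method out until the bigsuds problem is resolved, or mark it explicitly, e.g. `# TODO: unreachable — dispatch disabled because get_certificate_list_v2 fails under bigsuds 1.0.0`, and fix the comment typo `bugsuds` → `bigsuds`. The bare `0` passed to `get_certificate_list_v2` is a magic value; naming what it stands for would help whoever revives this call.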
@@ -711,6 +785,8 @@ class Fapi(FapiBase):
return self.__do_vserver(lambda: self._f5.LocalLB.VirtualServer)
elif a.what == 'vip':
return self.__do_vip(lambda: self._f5.LocalLB.VirtualAddressV2)
+ elif a.what == 'profileclientssl':
+ return self.__do_profileclientssl(lambda: self._f5.LocalLB.ProfileClientSSL)
elif a.what == 'vlan':
return self.__do_vlan(lambda: self._f5.Networking.VLAN)
elif a.what == 'selfip':
@@ -719,6 +795,11 @@ class Fapi(FapiBase):
return self.__do_tgroup(lambda: self._f5.Management.TrafficGroup)
elif a.what == 'folder':
return self.__do_folder(lambda: self._f5.Management.Folder)
+ elif a.what == 'folder':
+ return self.__do_folder(lambda: self._f5.Management.Folder)
+ # Somehow does not work with bigsuds 1.0.0
+ # elif a.what == 'kc' or a.what == 'keycertificate':
+ # return self.__do_keycertificate(lambda: self._f5.Management.KeyCertificate)
def run(self):
''' Do the actual stuff.
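Review bot: The added `elif a.what == 'folder':` branch is a verbatim duplicate of the `folder` branch immediately above it and can never match, because the identical condition is tested first; delete the two duplicated lines. The commented-out `kc`/`keycertificate` dispatch is dead code as well — if it is kept as a reminder, reduce it to a single `# TODO: keycertificate dispatch disabled; Management.KeyCertificate fails under bigsuds 1.0.0` instead of leaving the branch in comments. The dispatching method starts before this hunk, and the `run` docstring at the end is cut off.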