F5BigDohApp Reference
The F5BigDohApp Custom Resource (CR) configuration parameters. Each heading below represents a top-level parameter element. For example, to set the virtual server destination address, use spec.destination.address.
Parameters
spec
Parameter | Description |
---|---|
dns | Specifies the configuration of the Domain Name System (DNS) profile used by the virtual server. See spec.dns below for more parameter options. |
destination | Specifies the destination IP address that clients use as their DNS resolver. See spec.destination below for more parameter options. |
pool | Specifies the load balancing pool of remote DNS servers used to resolve DNS queries. See spec.pool below for more parameter options. |
monitors | Specifies the monitor configuration for the pool members. When a member is detected down, DNS queries are not sent to it until its status changes to up. See spec.monitors below for more parameter options. |
snat | Specifies the Source Network Address Translation (SNAT) configuration used by the virtual server. See spec.snat below for more parameter options. |
tcpSettings.clientSide | Specifies a client-side F5BigTcpSetting CR referenced by the virtual server, using its metadata.name parameter. |
tcpSettings.serverSide | Specifies a server-side F5BigTcpSetting CR referenced by the virtual server, using its metadata.name parameter. |
udpSettings.serverSide | Specifies a server-side F5BigUdpSetting CR referenced by the virtual server, using its metadata.name parameter. |
vlans | Specifies the F5BigNetVlan CRs, referenced by metadata.name, on which the virtual server accepts network traffic. See spec.vlans below for more parameter options. |
ddosProfile | Specifies the name of the DDoS profile applied to this virtual server. The profile is applied for this context after the global DDoS policy. References an F5BIGPercontext DDoS CR using its metadata.name parameter. |
loadBalancingMethod | Specifies the load balancing algorithm used to distribute name resolution requests among the pool members: round-robin (default) distributes connections evenly across all pool members; ratio-least-connections distributes connections first to the members with the fewest active connections; weighted-round-robin distributes connections across all pool members based on their specified weights; ratio-session distributes connections according to the ratio of the number of sessions each pool member has active. |
serverIpProtocol | Specifies the IP protocol for which the virtual server directs traffic, for example tcp or udp. |
logProfile | Specifies the DNS F5BigLogProfile CR to use. |
dnsOverHttps.name | Specifies a unique name that identifies the DNS over HTTPS profile. |
clientSideHttp2 | Specifies the client-side HTTP/2 connection settings. See spec.clientSideHttp2 below for more parameter options. |
clientSideHttp | Specifies the client-side HTTP connection settings. See spec.clientSideHttp below for more parameter options. |
clientSideSsl | Specifies the client-side SSL/TLS connection settings. See spec.clientSideSsl below for more parameter options. |
protocolInspectionProfile | Specifies an F5BigIpsPolicy CR to reference, using its spec.name parameter. |
iRules | Specifies one or more iRule CRs referenced by the F5BigDohApp CR. |
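A complete manifest that ties the sections of this reference together, with a preflight check for the constraints the reference states: an address or ipv6Address under destination, a non-empty pool, monitor timeout no larger than interval, a snat.pool whenever the SNAT type is snat, key and cert names under file://etc/ssl/tls-keys-certs/, and no TLS renegotiation while HTTP/2 TLS enforcement is on. This is an added example, not code from the F5 CNF product or its documentation. The apiVersion k8s.f5net.com/v1, the metadata names, the destination and pool addresses, the SNAT pool and VLAN names, and the spelling of the enforceTlsRequirements value are assumptions; check them against the CRDs installed in your cluster. The manifest is rendered as JSON, which kubectl apply accepts.

```python
"""Sample F5BigDohApp manifest plus a preflight check of the constraints stated in this reference.

Added example, not F5 code. apiVersion, names and addresses are assumptions; adjust for your cluster.
"""
import json

API_VERSION = "k8s.f5net.com/v1"              # assumed apiVersion for F5 CNF custom resources
CERT_PATH = "file://etc/ssl/tls-keys-certs/"  # documented prefix for keyCertPairs key and cert names


def doh_app_manifest():
    """Return a fresh F5BigDohApp manifest as a dict (constructed sample values)."""
    return {
        "apiVersion": API_VERSION,
        "kind": "F5BigDohApp",
        "metadata": {"name": "doh-resolver", "namespace": "cnf-apps"},  # assumed names
        "spec": {
            # Clients send DoH queries to this address; port 443 is the documented default.
            "destination": {"address": "192.0.2.10", "port": 443},
            "serverIpProtocol": "udp",
            "loadBalancingMethod": "round-robin",
            # Upstream resolvers; a pool member port defaults to 53.
            "pool": {"members": [{"address": "198.51.100.53", "port": 53},
                                 {"address": "198.51.100.54", "port": 53}]},
            # DNS monitor: queryName is required and timeout must not exceed interval.
            "monitors": {"dns": {"enabled": True, "queryName": "example.com", "queryType": "a",
                                 "acceptRcode": "no-error", "interval": 5, "timeout": 5}},
            # type snat requires a pool (the metadata.name of an F5BigCneSnatpool).
            "snat": {"type": "snat", "pool": "egress-snatpool"},
            # disableListedVlans defaults to true (accept on every VLAN except those listed);
            # false restricts the virtual server to the listed F5BigNetVlan names.
            "vlans": {"vlanList": ["external"], "disableListedVlans": False},
            "clientSideHttp2": {"enforceTlsRequirements": "enabled"},  # value spelling assumed
            "clientSideSsl": {
                "enableTls13": True, "enableTls12": True, "enableTls11": False,
                "enableRenegotiation": False,  # required while enforceTlsRequirements is enabled
                "keyCertPairs": [{"key": CERT_PATH + "doh.key", "cert": CERT_PATH + "doh.crt"}],
            },
        },
    }


def _enabled(value):
    """Accept the bool and enabled/disabled spellings used across these tables."""
    if isinstance(value, bool):
        return value
    return str(value).lower() in ("enabled", "enable", "true")


def preflight(manifest):
    """Return a list of problems in a F5BigDohApp spec, per the constraints in this reference."""
    spec = manifest.get("spec", {})
    problems = []

    dest = spec.get("destination", {})
    if not (dest.get("address") or dest.get("ipv6Address")):
        problems.append("destination: address or ipv6Address is required")

    members = spec.get("pool", {}).get("members", [])
    if not members:
        problems.append("pool.members: at least one member is required")
    for i, member in enumerate(members):
        if not member.get("address"):
            problems.append(f"pool.members[{i}]: address is required")

    for name, mon in spec.get("monitors", {}).items():
        interval, timeout = mon.get("interval", 5), mon.get("timeout", 5)  # documented defaults
        if timeout > interval:
            problems.append(f"monitors.{name}: timeout {timeout} exceeds interval {interval}")
        if name == "dns" and not mon.get("queryName"):
            problems.append("monitors.dns: queryName is required")

    snat = spec.get("snat", {})
    if snat.get("type", "none") == "snat" and not snat.get("pool"):
        problems.append("snat: type snat requires snat.pool (an F5BigCneSnatpool name)")

    vlans = spec.get("vlans", {})
    if vlans.get("vlanList") and vlans.get("disableListedVlans", True):
        problems.append("warning: vlans.disableListedVlans is true (the default), so traffic is "
                        "accepted on every VLAN except those listed")

    ssl = spec.get("clientSideSsl", {})
    for i, pair in enumerate(ssl.get("keyCertPairs", [])):
        for field in ("key", "cert"):
            if not str(pair.get(field, "")).startswith(CERT_PATH):
                problems.append(f"clientSideSsl.keyCertPairs[{i}].{field}: must start with {CERT_PATH}")

    h2 = spec.get("clientSideHttp2", {})
    if _enabled(h2.get("enforceTlsRequirements", True)) and ssl.get("enableRenegotiation", False):
        problems.append("clientSideHttp2.enforceTlsRequirements is enabled: "
                        "set clientSideSsl.enableRenegotiation to false")
    return problems


def render(manifest):
    """Serialize the manifest as JSON; kubectl apply -f accepts JSON as well as YAML."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    manifest = doh_app_manifest()
    for problem in preflight(manifest):
        print("preflight:", problem)
    print(render(manifest))
```

Run the script and pipe its output to kubectl apply -f - once preflight reports nothing; the warning about disableListedVlans is the one finding that is valid configuration but usually not what an operator intends.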
spec.destination
Parameter | Description |
---|---|
address | Specifies the virtual server's IPv4 address. Either this field or ipv6Address is required for the virtual server destination. |
ipv6Address | Specifies the virtual server's IPv6 address. Either this field or address is required for the virtual server destination. |
port | Specifies the virtual server's port. The default is 443. |
spec.dns
Parameter | Description |
---|---|
dns64Mode | Specifies the DNS64 mode: disabled (default), secondary, immediate, or v4-only. See spec.dns.dns64Mode below for more parameter options. Refer to the CNFs NAT64 guide for implementation assistance. |
dns64Prefix | The IPv6 prefix used for DNS64 mapping of A records to AAAA records. The default is ::. |
dns64AdditionalSectionRewrite | Sets DNS64 rewriting of the additional section. This field specifies how AAAA and A records in the additional section are rewritten. The options are disable (default), v6-only, v4-only, and any. See spec.dns.dns64AdditionalSectionRewrite below for more parameter options. |
dnsCache | Indicates whether queries may be answered non-authoritatively from a DNS cache. Caching is enabled by referencing an F5BIGDnscache CR (Custom Resource) by its metadata.name. The default is empty, which means caching is disabled. |
dnsExpressEnabled | Indicates whether the DNS Express service is enabled. The default is enabled. |
dnsZoneTransferEnabled | Indicates whether the system answers zone transfer requests for a DNS zone created on the system. The default is disabled. |
ecsInsertionEnabled | Indicates whether the system inserts the EDNS Client Subnet (ECS) option. The default is disabled. |
eccInsertionEnabled | Indicates whether the system uses the DNS EDNS(0) Cache Control Extension. The default is disabled. |
spec.dns.dns64Mode
Value | Description |
---|---|
disabled | The BIG-IP system does not map IPv4 addresses to IPv6 addresses. |
secondary | The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server. |
immediate | The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client. |
v4-only | The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client. Important: Select this option only if you know that all your DNS servers are IPv4-only servers. |
spec.dns.dns64AdditionalSectionRewrite
Value | Description |
---|---|
disable | The BIG-IP system does not rewrite the additional section. |
v6-only | The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to each record and returns an IPv6 response to the client. |
v4-only | The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client. |
any | The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client. |
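The DNS64 behaviour described in the two tables above, modelled in Python as an added example that is not BIG-IP or CNF code: dns64_synthesize embeds an IPv4 address in the low 32 bits of the 96-bit dns64Prefix, resolve_aaaa reproduces what each dns64Mode returns for an AAAA query given the upstream replies in arrival order, and rewrite_additional applies the dns64AdditionalSectionRewrite options to additional-section records. The 64:ff9b:: prefix (the RFC 6052 well-known prefix) and the sample addresses are constructed; treating an empty reply as "no usable response" is a simplification of the real resolver, and both disabled and disable are accepted for the mode name since the page spells it both ways.

```python
"""Model of the DNS64 behaviours documented above (added example, not BIG-IP code)."""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::"  # RFC 6052 well-known prefix; the CR default dns64Prefix is ::


def dns64_synthesize(prefix, ipv4):
    """Return the AAAA address formed by appending the 96-bit prefix to an IPv4 address."""
    if "/" not in prefix:
        prefix += "/96"  # dns64Prefix is written without a length; DNS64 mapping uses a /96
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("dns64Prefix must be a 96-bit prefix")
    embedded = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def resolve_aaaa(mode, prefix, replies):
    """Return the AAAA answer the client receives under each dns64Mode.

    replies: upstream responses in arrival order as (rtype, [addresses]);
    an empty address list models 'no usable response' (a simplification).
    """
    def first_good(rtype):
        return next((addrs for t, addrs in replies if t == rtype and addrs), [])

    def synth(addrs):
        return [dns64_synthesize(prefix, a) for a in addrs]

    if mode in ("disabled", "disable"):   # no mapping: forward the AAAA answer unchanged
        return first_good("AAAA")
    if mode == "v4-only":                 # only an A query goes upstream
        return synth(first_good("A"))
    if mode == "immediate":               # AAAA first; A only when no AAAA response came back
        return first_good("AAAA") or synth(first_good("A"))
    if mode == "secondary":               # first good reply of either type wins; the other is discarded
        for rtype, addrs in replies:
            if addrs:
                return addrs if rtype == "AAAA" else synth(addrs)
        return []
    raise ValueError(f"unknown dns64Mode: {mode}")


def rewrite_additional(mode, prefix, records):
    """Apply dns64AdditionalSectionRewrite to (rtype, address) records from the additional section."""
    out = []
    for rtype, addr in records:
        if mode == "disable":
            out.append((rtype, addr))
        elif rtype == "A" and mode in ("v6-only", "any"):
            out.append(("AAAA", dns64_synthesize(prefix, addr)))
        elif rtype == "AAAA" and mode in ("v4-only", "any"):
            out.append((rtype, addr))
        # v6-only drops AAAA records and v4-only drops A records
    return out


if __name__ == "__main__":
    replies = [("A", ["192.0.2.1"]), ("AAAA", ["2001:db8::1"])]  # constructed: A arrives first
    for mode in ("disabled", "secondary", "immediate", "v4-only"):
        print(f"{mode:10} -> {resolve_aaaa(mode, WELL_KNOWN_PREFIX, replies)}")
```

The secondary and immediate rows differ only in arrival order: with the A reply first, secondary answers with the synthesized address while immediate still returns the real AAAA record, which is why the page warns that v4-only is safe only when every upstream server is IPv4-only.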
spec.monitors
Note: For all F5BigDohApp monitors, F5 recommends setting the timeout value to be the same as or less than the interval value.
Parameter | Description |
---|---|
dns | DNS monitor configuration. See spec.monitors.dns below for more parameter options. |
icmp | ICMP monitor configuration. See spec.monitors.icmp below for more parameter options. |
tcp | TCP monitor configuration. See spec.monitors.tcp below for more parameter options. |
spec.monitors.dns
Parameter | Description |
---|---|
acceptRcode | The RCODE required in the response for an up status: no-error (default) or anything. |
aliasAddress | The IP address of the resource that is the destination of this monitor. |
aliasPort | The port of the resource that is the destination of this monitor. |
answerContains | The record types required in the answer section of the response in order to mark the node up: query-type (default), any-type, or anything. |
enabled | Specifies whether this monitor is enabled: true or false (default). |
queryName | The name that the monitor sends a DNS query for. This is a required field of a DNS monitor. |
queryType | The DNS query type that the monitor sends: a (default) or aaaa. |
recv | The IP address that the monitor looks for in the resource record sections of the DNS response. |
reverse | Enables reverse mode. In reverse mode, a successful receive string match marks the monitored object down instead of up: true or false (default). |
interval | The frequency, in seconds, at which the system issues the monitor check when the resource is down or its status is unknown: 1 to 86400. The default is 5. |
timeout | The number of seconds the target has to respond to the monitor request. The timeout must be equal to or less than the interval: 1 to 86400. The default is 5. |
timeUntilUp | The time, in seconds, after the first successful response before a node is marked up: 0 to 86400. The default is 0. |
upInterval | The frequency, in seconds, at which the system issues the monitor check when the resource is up: 0 to 4294967295. The default is 0, which means the interval value is used. |
spec.monitors.icmp
Parameter | Description |
---|---|
enabled | Specifies whether this monitor is enabled: true or false (default). |
interval | The frequency, in seconds, at which the system issues the monitor check when the resource is down or its status is unknown: 0 to 86400. The default is 5. |
timeout | The number of seconds the target has to respond to the monitor request. The timeout must be equal to or less than the interval: 0 to 86400. The default is 5. |
spec.monitors.tcp
Parameter | Description |
---|---|
enabled | Specifies whether this monitor is enabled: true or false (default). |
interval | The frequency, in seconds, at which the system issues the monitor check when the resource is down or its status is unknown: 0 to 86400. The default is 5. |
timeout | The number of seconds the target has to respond to the monitor request. The timeout must be equal to or less than the interval: 0 to 86400. The default is 5. |
receiveDisableString | The regular expression that, when matched, disables the target. |
receiveString | The regular expression that, when matched, indicates the target is up. |
sendString | The text string to send to the target. |
spec.pool
Parameter | Description |
---|---|
minActiveMembers | Specifies the minimum number of members that must be available in one priority group: 0 (default) to 65535. |
members | Specifies a list of IP addresses and ports for the service. This is a required field for a pool. See spec.pool.members below for more parameter options. |
spec.pool.members
Parameter | Description |
---|---|
address | Specifies the address of the service. This is a required field of a pool member. |
port | Specifies the port of the service: 0 to 65535. The default is 53. |
priorityGroup | Specifies the priority group of the pool member: 0 (default) to 8. |
spec.snat
Parameter | Description |
---|---|
type | Specifies the type of source address translation to use: none (default), snat, or automap. When using snat, a snat.pool must be defined. |
pool | Specifies the name of an F5BigCneSnatpool, using its CR (Custom Resource) metadata.name parameter. This option applies only when type is snat; it cannot be combined with automap. |
spec.tcpSettings
Parameter | Description |
---|---|
clientSide | Specifies the name of the client-side TCP profile, an F5BigTcpSetting CR (Custom Resource) referenced by its metadata.name parameter. If not specified, the default sys-default-tcp is used. |
serverSide | Specifies the name of the server-side TCP profile, an F5BigTcpSetting CR (Custom Resource) referenced by its metadata.name parameter. If not specified, the default sys-default-tcp is used. |
spec.udpSettings
Parameter | Description |
---|---|
serverSide | Specifies the name of the server-side UDP profile, an F5BigUdpSetting CR (Custom Resource) referenced by its metadata.name parameter. If not specified, the default sys-default-dns-udp is used. |
spec.vlans
Parameter | Description |
---|---|
vlanList | Specifies a list of F5BigNetVlan names on which the virtual server accepts traffic (or, when disableListedVlans is true, the VLANs it excludes). Each name is the F5BigNetVlan CR (Custom Resource) metadata.name parameter. |
vlanList.item | A reference to an F5BigNetVlan name. |
disableListedVlans | When true, the virtual server accepts traffic on all VLANs except those defined in vlans.vlanList: true (default) or false. Set this to false to restrict the virtual server to only the listed VLANs. |
spec.clientSideHttp2
Parameter | Description |
---|---|
activationModes | Specifies whether to enable all HTTP/2 activation modes or only the selected modes. The options are alpn and always. The default is alpn. |
concurrentStreamsPerConnection | Specifies the number of outstanding concurrent requests allowed on a single HTTP/2 connection. The default is 10. |
connectionIdleTimeout | Specifies the number of seconds that an idle HTTP/2 connection is left open before being shut down. The default is 300 seconds. |
frameSize | Specifies the size, in bytes, of the data frames that HTTP/2 sends to the client. Larger frame sizes improve network utilization but can affect concurrency. The default is 2048 bytes. |
insertHeader | Specifies whether an HTTP header indicating the use of HTTP/2 is inserted into the request sent to the server. The default is disabled. |
insertHeaderName | Specifies the name of the HTTP header controlled by insertHeader. The default is X-HTTP2. |
receiveWindow | Specifies the way the HTTP/2 profile performs flow control. The receive window allows HTTP/2 to stall individual upload streams when needed. This functionality applies to HTTP/2 and to SPDY version 3. The default is 32 KB. |
writeSize | Specifies the total size, in bytes, of the combined data frames that HTTP/2 sends in a single write. This setting controls the size of the TLS records when HTTP/2 is used over SSL. A large write size causes HTTP/2 to buffer more data but improves network utilization. The default is 16384 bytes. |
headerTableSize | Specifies the size of the header table, in bytes. HTTP/2 compresses HTTP headers to save bandwidth; a larger table allows better compression but requires more memory. The default is 4096 bytes. |
enforceTlsRequirements | Specifies whether the system enforces the TLS requirements of RFC 7540 for HTTP/2 connections: TLS compression is not allowed and TLS renegotiation must be disabled. If you leave the default setting (enabled), you must leave renegotiation disabled in the client SSL profile (clientSideSsl.enableRenegotiation, which defaults to false). |
spec.clientSideHttp
Parameter | Description |
---|---|
basicAuthRealm | Specifies a quoted string for the basic authentication realm. The system sends this string to a client whenever authorization fails. |
oneConnect | Specifies whether the system performs HTTP header transformations for the purpose of keeping connections open. The default is disabled. This setting applies only when you configure a OneConnect pool. |
oneConnectStatusReuse | Specifies a quoted string listing the response status codes for which OneConnect reuses the server-side connection. The default is 200 206. |
headerInsert | Specifies a quoted header string to insert into an HTTP request. You can also specify none. |
headerErase | Specifies the header string to erase from an HTTP request. You can also specify none. |
fallbackHost | Specifies an HTTP fallback host. HTTP redirection allows you to redirect HTTP traffic to another protocol identifier, host name, port number, or URI path. |
fallbackStatusCodes | Specifies one or more three-digit status codes that, when returned by an HTTP server, cause the request to be redirected to the fallback host. |
responseHeadersPermitted | Specifies the headers that the BIG-IP system allows in an HTTP response. |
encryptCookies | Specifies the cookies that the BIG-IP system encrypts before sending them to a client system. |
encryptCookieSecret | Specifies the passphrase used for cookie encryption. |
responseChunking | Specifies how to handle chunked and unchunked responses. The available options are preserve, selective, unchunk, rechunk, sustain and last. The default is sustain. |
requestChunking | Specifies how to handle chunked and unchunked requests. The available options are preserve, selective, unchunk, rechunk, sustain and last. The default is sustain. |
lwsMaxColumn | Specifies the maximum number of columns allowed for a header that is inserted into an HTTP request. The default is 80. |
lwsSeparator | Specifies the linear white space separator that the system uses between HTTP headers when a header exceeds the maximum width specified by lwsMaxColumn. The default is \r\n. |
redirectRewrite | Specifies which HTTP redirects from the application the system rewrites to HTTPS. The available options are none, all, matching, nodes and last. The default is none. |
maxHeaderSize | Specifies the maximum header size, in bytes. The default is 32768. |
maxRequests | Specifies the number of requests that the system accepts on a per-connection basis. The default is 0 (unlimited). |
maxHeaderCount | Specifies the maximum number of headers allowed in an HTTP request or response. The default is 64. |
pipelining | Specifies whether pipelining is allowed in HTTP streams. The available options are disable and enable. The default is disable. |
truncatedRedirects | Specifies what happens when a truncated redirect is seen from a server. If enabled, the redirect is forwarded to the client; otherwise the malformed HTTP is silently ignored. The available options are disable and enable. The default is disable. |
insertXforwardedFor | When using connection pooling, which allows clients to make use of other clients' server-side connections, you can insert the X-Forwarded-For header to carry the original client IP address. The available options are disable and enable. The default is disable. |
adaptiveParsing | Specifies whether the system parses HTTP adaptively: true or false (default). |
proxyType | Specifies the type of HTTP proxy. The available options are reverse, explicit and transparent. |
passthroughOversizeClientHeaders | Specifies the behavior when too-large client headers are received. If enabled, the system switches to pass-through mode instead of rejecting the connection: true or false (default). |
passthroughExcessClientHeaders | Specifies the behavior when too many client headers are received. If enabled, the system switches to pass-through mode instead of rejecting the connection: true or false (default). |
passthroughOversizeServerHeaders | Specifies the behavior when too-large server headers are received. If enabled, the system switches to pass-through mode instead of rejecting the connection: true or false (default). |
passthroughExcessServerHeaders | Specifies the behavior when too many server headers are received. If enabled, the system switches to pass-through mode instead of rejecting the connection: true or false (default). |
passthroughPipeline | Specifies how HTTP/1.1 pipelining is handled. The available options are reject, allow and passthrough. If passthrough is selected, the HTTP filter switches to pass-through mode and is disabled when pipelined data is seen. The default is allow, which means that clients can make requests even when prior requests have not received a response. For this to succeed, however, the destination servers must support pipelining. |
passthroughUnknownMethod | Specifies whether to allow, reject, or switch to pass-through mode when an unknown HTTP method is parsed. The default is allow. |
knownMethods | Specifies which HTTP methods count as known. Removing RFC-defined methods from this list causes the HTTP filter to not recognize them. The default is CONNECT, DELETE, GET, HEAD, LOCK, OPTIONS, POST, PROPFIND, PUT, TRACE and UNLOCK. |
sendProxyViaHeaderInRequest | Specifies whether to append, remove, or preserve a Via header in an HTTP request. The default is preserve. |
sendProxyViaHeaderInResponse | Specifies whether to append, remove, or preserve a Via header in an HTTP response. The default is preserve. |
sendProxyViaHeaderHostName | Specifies the hostname to include in the Via header. |
acceptXff | Enables or disables trusting the client IP address, and statistics from the client IP address, based on the request's X-Forwarded-For (XFF) headers, if present: true or false (default). Enable this only when a trusted upstream proxy sets the header, since clients can otherwise forge it. |
xffAlternativeNames | Specifies alternative XFF header names to use instead of the default X-Forwarded-For header. |
serverAgentName | Specifies the value of the Server header in responses that the BIG-IP system itself generates. The default is BigIP. |
fwdpDnsResolver | Specifies the dns-resolver object used to resolve hostnames in forward proxy requests. |
fwdpRouteDomain | Specifies the route domain used for outbound proxy requests. |
fwdpTunnelName | Specifies the tunnel used for outbound proxy requests. This enables other virtual servers to receive connections initiated by the proxy service. |
fwdpConnectAllowed | Specifies whether the proxy service allows CONNECT requests: true or false (default). |
fwdpIpv6 | Specifies that URIs are resolved as IPv6 addresses before IPv4 is tried: true or false (default). |
fwdpHostnames | Specifies which host names are treated as local. Proxy requests for those hosts are treated as regular HTTP requests and sent to the configured default pool. |
hstsMode | Specifies whether to include the HTTP Strict Transport Security (HSTS) response header: enable or disable (default). |
hstsMaximumAge | Specifies the maximum age, in seconds, for which clients should treat the host as HTTPS-only (the max-age directive of the HSTS header). The default is 16070400. |
hstsIncludeSubdomains | Specifies whether to include the includeSubdomains directive in the HSTS header: enable or disable (default). |
hstsPreload | Specifies whether to include the preload directive in the HSTS header: enable or disable (default). |
fwdpConnectErrorMsg | Specifies the error message returned to the browser when a proxy request cannot be completed because the outbound connection could not be established. |
fwdpDnsErrorMsg | Specifies the error message returned to the browser when a proxy request cannot be completed because the hostname in the request could not be resolved. |
fwdpBadRequestErrorMsg | Specifies the error message returned to the browser when a proxy request cannot be completed because the request was malformed. |
fwdpBadResponseErrorMsg | Specifies the error message returned to the browser when a proxy request cannot be completed because the response was malformed. |
spec.clientSideSsl
Parameter | Description |
---|---|
enableTls13 | Enables or disables TLS 1.3 protocol support: true (default) or false. |
enableTls12 | Enables or disables TLS 1.2 protocol support: true (default) or false. |
enableTls11 | Enables or disables TLS 1.1 protocol support: true (default) or false. TLS 1.1 is deprecated (RFC 8996); set this to false unless legacy clients require it. |
ciphers | Specifies an OpenSSL-style cipher string. The default is DEFAULT. |
keyCertPairs | Specifies the list of certificate and key pairs to use. See spec.clientSideSsl.keyCertPairs below for more parameter options. |
enableSessionTicket | Enables or disables TLS session ticket support: true (default) or false. |
enableRenegotiation | Enables or disables renegotiation support: true or false (default). |
renegotiationMode | Specifies the secure renegotiation mode. The available options are request, require and require-strict. The default is require. |
spec.clientSideSsl.keyCertPairs
Parameter | Description |
---|---|
key | References an SSL/TLS private key. The key name must be appended to the path file://etc/ssl/tls-keys-certs/. |
cert | References the SSL/TLS certificate and any intermediate CA certificates used to terminate secure ingress connections. The certificate name must be appended to the path file://etc/ssl/tls-keys-certs/. |