F5BigDohApp Reference

The F5BigDohApp Custom Resource (CR) configuration parameters. Each heading below represents the top-level parameter element. For example, to set the virtual server destination address, use spec.destination.address.

Parameters

spec

Parameter Description
dns Specifies configuration of a Domain Name System (DNS) profile used by the virtual server. See spec.dns below for more parameter options.
destination Specifies the destination IP address for clients to use as a DNS resolver. See spec.destination below for more parameter options.
pool Specifies the load balancing pool configuration of the remote DNS servers used to resolve DNS queries.
monitors Specifies the monitor configuration for the pool members. When a member is detected down, DNS queries will not be sent until the status changes to up. See spec.monitors below for more parameter options.
snat Specifies Source Network Address Translation (SNAT) configuration used by the virtual server. See spec.snat below for more parameter options.
tcpSettings.clientSide Specifies a client side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
tcpSettings.serverSide Specifies a server side F5BigTcpSetting CR referenced by the virtual server, using the metadata.name parameter.
udpSettings.serverSide Specifies a server side F5BigUdpSetting CR referenced by the virtual server, using the metadata.name parameter.
vlans Specifies an F5BigNetVlan CR that accepts network traffic, referenced using its metadata.name parameter.
ddosProfile Specifies the name of a DDoS profile to use for this virtual server. The profile is applied in this context after the global DDoS policy has been applied. The F5BIGPercontext DDoS CR is referenced using its metadata.name parameter.
loadBalancingMethod Specifies the load balancing algorithm used to distribute name resolution requests among the members: round-robin (default) distributes connections evenly across all pool members; ratio-least-connections distributes connections first to members with the fewest active connections; weighted-round-robin distributes connections across all pool members based on specified weights; ratio-session distributes connections according to the ratio of the number of sessions each pool member has active.
serverIpProtocol Specifies the IP protocol for which you want the virtual server to direct traffic. Sample protocol names are tcp and udp.
logProfile Specifies DNS F5BigLogProfile to be used.
dnsOverHttps.name Specifies a unique name to identify the profile.
clientSideHttp2 Specifies client side HTTP/2 connections. See spec.clientSideHttp2 below for more parameter options.
clientSideHttp Specifies client side HTTP connections. See spec.clientSideHttp below for more parameter options.
clientSideSsl Specifies client side SSL connections. See spec.clientSideSsl below for more parameter options.
protocolInspectionProfile Specifies an F5BigIpsPolicy CR to reference using the spec.name parameter.
iRules Specifies one or more iRules CRs within F5BigDohApp CR.

spec.destination

Parameter Description
address Specifies the virtual server's address. Either this field or ipv6Address must be specified for the virtual server destination.
ipv6Address Specifies the virtual server's IPv6 address. Either this field or address must be specified for the virtual server destination.
port Specifies the virtual server's port. The default is 443.

spec.dns

Parameter Description
dns64Mode Specifies the DNS64 mode: disable (default), secondary, immediate, and v4-only. See spec.dns.dns64Mode below for more parameter options. Refer to the CNFs NAT64 guide for implementation assistance.
dns64Prefix The IPv6 prefix used for DNS64 mapping, which maps A records to AAAA records. The default is ::.
dns64AdditionalSectionRewrite Specifies how AAAA and A records in the Additional section of a DNS response are rewritten for DNS64. The options are disable (default), v6-only, v4-only, and any. See spec.dns.dns64AdditionalSectionRewrite below for more parameter options.
dnsCache Indicates whether to allow queries to be answered non-authoritatively by a DNS cache. It enables caching when referencing a F5BIGDnscache CR (Custom Resource) by metadata.name. The default is empty which means caching is disabled.
dnsExpressEnabled Indicates whether DNS Express service is enabled. The default is enabled.
dnsZoneTransferEnabled Indicates whether the system answers zone transfer requests for a DNS zone created on the system. The default is disabled.
ecsInsertionEnabled Indicates whether the system uses the edns client subnet option. The default is disabled.
eccInsertionEnabled Indicates whether the system uses the DNS EDNS(0) Cache Control Extension. The default is disabled.

spec.dns.dns64Mode

Value Description
disabled The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
secondary The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
immediate The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
v4-only The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client. Important: Select this option only if you know that all your DNS servers are IPv4 only servers.

spec.dns.dns64AdditionalSectionRewrite

Value Description
disable The BIG-IP system does not perform additional rewrite.
v6-only The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
v4-only The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
any The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.

spec.monitors

Note: For all F5BigDohApp monitors, F5 recommends setting the timeout value to be the same as or less than the interval value.

Parameter Description
dns DNS monitor configuration.
icmp ICMP monitor configuration.
tcp TCP monitor configuration.

spec.monitors.dns

Parameter Description
acceptRcode The RCODE required in the response for an 'up' status: no-error or anything. The default is no-error.
aliasAddress The IP address of the resource that is the destination of this monitor.
aliasPort The port of the resource that is the destination of this monitor.
answerContains The record types required in the answer section of the response in order to mark the status of a node up: query-type (default), any-type, or anything.
enabled Specifies whether this monitor is enabled or not: true or false (default).
queryName The query name that the monitor sends a DNS query for. This is a required field of a DNS monitor.
queryType The DNS query type that the monitor sends: a (default) or aaaa.
recv The IP address that the monitor looks for in the DNS response's resource record sections.
reverse Enables reverse mode for the monitor. When the monitor is in reverse mode, a successful receive string match marks the monitored object down instead of up: true or false (default).
interval The frequency, in seconds, at which the system issues the monitor check when either the resource is down or the status of the resource is unknown: 1 to 86400. The default is 5.
timeout The number of seconds the target has in which to respond to the monitor request. The timeout must be equal to or less than the interval: 1 to 86400. The default is 5.
timeUntilUp The amount of time, in seconds, after the first successful response before a node is marked up: 0 to 86400. The default is 0.
upInterval The frequency, in seconds, at which the system issues the monitor check when the resource is up: 0 to 4294967295. The default is 0.

spec.monitors.icmp

Parameter Description
enabled Specifies whether this monitor is enabled or not: true or false (default).
interval The frequency, in seconds, at which the system issues the monitor check when either the resource is down or the status of the resource is unknown: 0 to 86400. The default is 5.
timeout The number of seconds the target has in which to respond to the monitor request. The timeout must be equal to or less than the interval: 0 to 86400. The default is 5.

spec.monitors.tcp

Parameter Description
enabled Specifies whether this monitor is enabled or not: true or false (default).
interval The frequency, in seconds, at which the system issues the monitor check when either the resource is down or the status of the resource is unknown: 0 to 86400. The default is 5.
timeout The number of seconds the target has in which to respond to the monitor request. The timeout must be equal to or less than the interval: 0 to 86400. The default is 5.
receiveDisableString The regular expression that, when matched, disables the target.
receiveString The regular expression that, when matched, indicates the target is up.
sendString Text string to send to the target.

spec.pool

Parameter Description
minActiveMembers Specifies the minimum number of members that must be available in one priority group: 0 (default) to 65535.
members Specifies a list of IP addresses and ports for the service. This is a required field for a pool.

spec.pool.members

Parameter Description
address Specifies the address of the service. This is a required field of a pool member.
port Specifies the port of the service: 0 to 65535. The default value is 53.
priorityGroup Specifies the priority group of the pool member: 0 (default) to 8.

spec.snat

Parameter Description
type Specifies the type of source address translation to use: none (default), snat, or automap. When using snat a snat.pool must be defined.
pool Specifies the name of an F5BigCneSnatpool. The name of the F5BigCneSnatpool is its CR (Custom Resource) metadata.name parameter. You can only use this option when automap and translation are not used.

spec.tcpSettings

Parameter Description
clientSide Specifies the name of the client-side TCP profile F5BigTcpSetting. The name of the F5BigTcpSetting is its CR (Custom Resource) metadata.name parameter. If not specified, the default sys-default-tcp is used.
serverSide Specifies the name of the server-side TCP profile F5BigTcpSetting. The name of the F5BigTcpSetting is its CR (Custom Resource) metadata.name parameter. If not specified, the default sys-default-tcp is used.

spec.udpSettings

Parameter Description
serverSide Specifies the name of the server-side UDP profile F5BigUdpSetting. The name of the F5BigUdpSetting is its CR (Custom Resource) metadata.name parameter. If not specified, the default sys-default-dns-udp is used.

spec.vlans

Parameter Description
vlanList Specifies a list of F5BigNetVlan names on which the virtual server accepts traffic. The name of an F5BigNetVlan is its CR (Custom Resource) metadata.name parameter.
vlanList.item A reference to an F5BigNetVlan name.
disableListedVlans When enabled, the virtual server accepts traffic on all VLANs except those defined in spec.vlans.vlanList. The parameter: true (default) or false.

spec.clientSideHttp2

Parameter Description
activationModes Specifies whether to enable all HTTP/2 modes, or only the Selected Modes listed in the Enabled column. The options are alpn and always. The default is alpn.
concurrentStreamsPerConnection Specifies the number of outstanding concurrent requests that are allowed on a single HTTP/2 connection. The default is 10.
connectionIdleTimeout Specifies the number of seconds that an HTTP/2 connection is idly left open before being shut down. The default is 300 seconds.
frameSize Specifies the size of data frames, in bytes, that HTTP/2 sends to the client. Larger frame sizes improve network utilization, but can affect concurrency. The default value is 2048 bytes.
insertHeader Specifies whether an HTTP header indicating the use of HTTP/2 should be inserted into the request that goes to the server. The default value is disabled.
insertHeaderName Specifies the name of the HTTP header controlled by Insert Header. The default is X-HTTP2.
receiveWindow Specifies the way that the HTTP/2 profile performs flow control. The receive window allows HTTP/2 to stall individual upload streams when needed. This functionality applies to HTTP/2 and to SPDY version 3. The default value is 32 KB.
writeSize Specifies the total size of combined data frames, in bytes, that HTTP/2 sends in a single write. This setting controls the size of the TLS records when HTTP/2 is used over SSL. A large write size causes HTTP/2 to buffer more data, but improves network utilization. The default value is 16384 bytes.
headerTableSize Specifies the size of the header table, in bytes. The HTTP/2 protocol compresses HTTP headers to save bandwidth. A larger table size allows better compression, but requires more memory. The default value is 4096 bytes.
enforceTlsRequirements Specifies whether the system requires TLS for communications between specified senders and recipients. Per RFC7540, the TLS requirements are that TLS compression is not allowed, and TLS Renegotiation must be disabled. If you leave the default setting (Enabled), you must modify your client SSL (or server SSL) profile and disable TLS Renegotiation.

spec.clientSideHttp

Parameter Description
basicAuthRealm Specifies a quoted string for the basic authentication realm. The system sends this string to a client whenever authorization fails.
oneConnect Specifies, when checked (enabled), that the system performs HTTP header transformations for the purpose of keeping connections open. The default is disabled. This setting is applicable only when you configure a OneConnect pool.
oneConnectStatusReuse Specifies a quoted string for the status reuse for OneConnect. The default is 200 206.
headerInsert Specifies a quoted header string that you want to insert into an HTTP request. You can also specify none.
headerErase Specifies the header string that you want to erase from an HTTP request. You can also specify none.
fallbackHost Specifies an HTTP fallback host; HTTP redirection allows you to redirect HTTP traffic to another protocol identifier, host name, port number, or URI path.
fallbackStatusCodes Specifies one or more three-digit status codes that can be returned by an HTTP server.
responseHeadersPermitted Specifies headers that the BIG-IP system allows in an HTTP response.
encryptCookies Encrypts specified cookies that the BIG-IP system sends to a client system.
encryptCookieSecret Specifies a passphrase for the cookie encryption.
responseChunking Specifies how to handle chunked and unchunked responses. The options available are preserve, selective, unchunk, rechunk, sustain and last. The default is sustain.
requestChunking Specifies how to handle chunked and unchunked requests. The options available are preserve, selective, unchunk, rechunk, sustain and last. The default is sustain.
lwsMaxColumn Specifies the maximum number of columns allowed for a header that is inserted into an HTTP request. The default is 80.
lwsSeparator Specifies the linear white space separator that the system should use between HTTP headers when a header exceeds the maximum width specified by the lws width setting. The default is \r\n.
redirectRewrite Specifies which of the application HTTP redirects the system rewrites to HTTPS. The options available are none, all, matching, nodes and last. The default is none.
maxHeaderSize Specifies the maximum header size. The default is 32768.
maxRequests Specifies the number of requests that the system accepts on a per-connection basis. The default is 0.
maxHeaderCount Specifies the maximum number of headers allowed in an HTTP request/response. The default is 64.
pipelining Specifies the pipelining in HTTP streams. The options available are disable and enable. The default is disable.
truncatedRedirects Specifies what happens if a truncated redirect is seen from a server. If enabled, the redirect is forwarded to the client; otherwise the malformed HTTP is silently ignored. The options available are disable and enable. The default is disable.
insertXforwardedFor When using connection pooling, which allows clients to make use of other client requests' server-side connections, you can insert the X-Forwarded-For header and specify a client IP address. The options available are disable and enable. The default is disable.
adaptiveParsing Specifies adaptive parsing of HTTP: true and false (default).
proxyType Specifies the type of HTTP proxy. The options available are reverse, explicit and transparent.
passthroughOversizeClientHeaders Specifies the behavior when too-large client headers are received. If enabled, the system switches to pass through mode instead of rejecting the connection: true and false (default).
passthroughExcessClientHeaders Specifies the behavior when too many client headers are received. If enabled, the system switches to pass through mode instead of rejecting the connection: true and false (default).
passthroughOversizeServerHeaders Specifies the behavior when too-large server headers are received. If enabled, the system switches to pass through mode instead of rejecting the connection: true and false (default).
passthroughExcessServerHeaders Specifies the behavior when too many server headers are received. If enabled, the system switches to pass through mode instead of rejecting the connection: true and false (default).
passthroughPipeline Enables or disables HTTP/1.1 pipelining. The options available are reject, allow and passthrough. If passthrough is selected, then the HTTP filter will switch to pass through mode and be disabled if pipelined data is seen. The default value is allow, which means that clients can make requests even when prior requests have not received a response. In order for this to succeed, however, destination servers must include support for pipelining.
passthroughUnknownMethod Specifies whether to allow, reject or switch to passthrough mode when an unknown HTTP method is parsed. The default is allow.
knownMethods Specifies which HTTP methods count as being known. Removing RFC-defined methods from this list causes the HTTP filter to not recognize them. The default is CONNECT, DELETE*, GET, HEAD, LOCK, OPTIONS, POST, PROPFIND, PUT, TRACE and UNLOCK**
sendProxyViaHeaderInRequest Specifies whether to append, remove, or preserve a Via header in an HTTP request. The default is preserve.
sendProxyViaHeaderInResponse Specifies whether to append, remove, or preserve a Via header in an HTTP response. The default is preserve.
sendProxyViaHeaderHostName Specifies the hostname to include into Via header.
acceptXff Enables or disables trusting the client IP address, and statistics from the client IP address, based on the request's XFF (X-forwarded-for) headers, if they exist: true and false (default).
xffAlternativeNames Specifies alternative XFF headers instead of the default X-forwarded-for header.
serverAgentName Specifies the value of the Server header in responses that the BIG-IP itself generates. The default is BigIP.
fwdpDnsResolver Specifies the dns-resolver object that will be used to resolve hostnames in proxy requests.
fwdpRouteDomain Specifies the route-domain that will be used for outbound proxy requests.
fwdpTunnelName Specifies the tunnel that will be used for outbound proxy requests. This enables other virtual servers to receive connections initiated by the proxy service.
fwdpConnectAllowed Specifies the behavior of the proxy service for CONNECT requests: true and false (default).
fwdpIpv6 Specifies that URIs are resolved as IPv6 addresses before IPv4 is tried: true and false (default).
fwdpHostnames Specifies which host names are to be treated as local. Proxy requests made for those hosts are treated as regular HTTP requests and are sent to the configured default pool.
hstsMode Specifies whether to include the HSTS response header: enable and disable (default).
hstsMaximumAge Specifies the maximum age to assume the connection should remain secure. The default is 16070400.
hstsIncludeSubdomains Specifies whether to include the includeSubdomains directive in the HSTS header: enable and disable (default).
hstsPreload Specifies whether to include the preload directive in the HSTS header: enable and disable (default).
fwdpConnectErrorMsg Specifies the error message that will be returned to the browser when a proxy request can't be completed because of a failure to establish the outbound connection.
fwdpDnsErrorMsg Specifies the error message that will be returned to the browser when a proxy request can't be completed because of a failure to resolve the hostname in the request.
fwdpBadRequestErrorMsg Specifies the error message that will be returned to the browser when a proxy request can't be completed because the request was malformed.
fwdpBadResponseErrorMsg Specifies the error message that will be returned to the browser when a proxy request can't be completed because the response was malformed.

spec.clientSideSsl

Parameter Description
enableTls13 Enables/Disables TLS 1.3 protocol support: true (default) and false.
enableTls12 Enables/Disables TLS 1.2 protocol support: true (default) and false.
enableTls11 Enables/Disables TLS 1.1 protocol support: true (default) and false.
ciphers Specifies an OpenSSL-style cipher string. The default is DEFAULT.
keyCertPairs List of certificate key pair to use.
enableSessionTicket Enables/Disables Session Ticket support: true (default) and false.
enableRenegotiation Enables/Disables Renegotiation support: true and false (default).
renegotiationMode Specifies the secure renegotiation mode. The options available are request, require and require-strict. The default is require.

spec.clientSideSsl.keyCertPairs

Parameter Description
key References SSL/TLS private keys. Key names must be appended to the path file://etc/ssl/tls-keys-certs/.key.
cert References SSL/TLS certificates and intermediate CA certificates used to terminate secure ingress connections. Certificate names must be appended to the path file://etc/ssl/tls-keys-certs/.crt.
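As an added example (not part of the F5 reference or the CNFs product), the following pre-apply lint checks an F5BigDohApp manifest against the constraints this reference states: a destination address or ipv6Address, required pool members with in-range port and priorityGroup, monitor timeout not exceeding interval, a queryName for the DNS monitor, a snat pool when snat.type is snat, and TLS renegotiation disabled when clientSideHttp2.enforceTlsRequirements is left enabled. The sample manifest is constructed, its apiVersion is a placeholder, and the boolean form of the enforceTlsRequirements and enableRenegotiation flags is an assumption.

```python
from typing import Any

# Constructed sample manifest (illustration only). Parameter names follow the
# reference above; apiVersion is a placeholder, so substitute your release's value.
SAMPLE_CR: dict[str, Any] = {
    "apiVersion": "<api-group/version of your CNF release>",
    "kind": "F5BigDohApp",
    "metadata": {"name": "doh-resolver"},
    "spec": {
        "destination": {"address": "10.0.0.10", "port": 443},
        "pool": {"members": [{"address": "10.1.1.53", "port": 53, "priorityGroup": 0}]},
        "monitors": {"dns": {"enabled": True, "queryName": "example.com.",
                             "interval": 5, "timeout": 5}},
        "snat": {"type": "snat", "pool": "doh-snatpool"},
        "clientSideHttp2": {"enforceTlsRequirements": True},
        "clientSideSsl": {"enableTls11": False, "enableRenegotiation": False},
    },
}


def lint_doh_app(cr: dict[str, Any]) -> list[str]:
    """Return the constraints from the reference that the manifest violates."""
    problems: list[str] = []
    spec = cr.get("spec", {})

    # spec.destination: either address or ipv6Address is required.
    dest = spec.get("destination", {})
    if not (dest.get("address") or dest.get("ipv6Address")):
        problems.append("spec.destination needs address or ipv6Address")

    # spec.pool.members is required; each member needs an address, and the
    # port (0-65535) and priorityGroup (0-8) must be within range.
    members = spec.get("pool", {}).get("members")
    if not members:
        problems.append("spec.pool.members is required")
    for i, member in enumerate(members or []):
        if not member.get("address"):
            problems.append(f"spec.pool.members[{i}].address is required")
        if not 0 <= member.get("port", 53) <= 65535:
            problems.append(f"spec.pool.members[{i}].port out of range")
        if not 0 <= member.get("priorityGroup", 0) <= 8:
            problems.append(f"spec.pool.members[{i}].priorityGroup out of range")

    # spec.monitors.*: timeout must not exceed interval (both default to 5),
    # and a DNS monitor must name the record it queries.
    for name, mon in spec.get("monitors", {}).items():
        if mon.get("timeout", 5) > mon.get("interval", 5):
            problems.append(f"spec.monitors.{name}: timeout exceeds interval")
        if name == "dns" and not mon.get("queryName"):
            problems.append("spec.monitors.dns.queryName is required")

    # spec.snat: type snat is only valid together with a snat pool.
    snat = spec.get("snat", {})
    if snat.get("type") == "snat" and not snat.get("pool"):
        problems.append("spec.snat.type is snat but spec.snat.pool is not set")

    # spec.clientSideHttp2.enforceTlsRequirements (default enabled) requires
    # TLS renegotiation to be disabled in the client SSL settings. Treating
    # both flags as booleans (or "enabled") is an assumption of this example.
    if "clientSideHttp2" in spec:
        enforce = spec["clientSideHttp2"].get("enforceTlsRequirements", True)
        renegotiate = spec.get("clientSideSsl", {}).get("enableRenegotiation", False)
        if enforce in (True, "enabled") and renegotiate in (True, "enabled"):
            problems.append("clientSideHttp2.enforceTlsRequirements needs "
                            "clientSideSsl.enableRenegotiation false")
    return problems
```

Run it against a manifest loaded from YAML before applying it; an empty list means every checked constraint holds.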