DevCentral > Weblogs > Colin Walker - Wielding the Power of the Network to Better Applications Everywhere
Friday, January 22, 2010

DevCentral Top5 01/22/2010

Wow! What a whirlwind it's been the past few weeks. Between holidays and vacation and people traveling out of town, it's been an absolute zoo around here. Though I've been out the past week or so there has been an avalanche of content. I've hemmed and hawed and finally managed to slim my picks down to just five, though there are at least a dozen awesome things worth checking out on DevCentral in the past week or so. So don't be shy, get out there and poke around for yourself. For now, though, here are my top 5 picks for the week:

 

v10.1 - The table Command - The Basics

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2375

The new table command introduced in 10.1 is so hawesome and powerful it's hard for me to decide where to even begin describing the grandeur that is the table command. I've decided to begin at the beginning, and point you to the basics first. There are nine (yes, 9) tech tips published in the past week or so having to do with the new table command. They range from this intro doc to some pretty powerful, in depth, well explained examples. They are all penned by the creator of the command and go into amazing detail. This series has instantly become a contender for one of my favorite batches of content ever released on DevCentral, which is saying something. If you're looking for a way to store data, store data in a structured format, perform counting operations or about a bagillion other things dealing with data storage and manipulation in iRules, you must read about the table command. Huge thanks to spark for the work on the command and going above and beyond on the documentation.

 

TMSH Scripting in v10.1

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2374

This week's Top5 has not one, but two awesome docs regarding scripting on your BIG-IP. While iRules are near and dear to my heart, TMSH is quickly catching my interest as well. The new shell along with the powerful new scripting capabilities are wicked cool and have the potential to do some pretty amazing things. TMSH crams a huge amount of utility into an easily approachable package. This great doc Jason wrote up gets you started in style with an excellent description of where to begin, then takes you quite a bit further giving you examples of just how to build your own script. The possibilities seem rather limitless so I'm excited to see what people start doing once they get the hang of it. Check this one out for sure, and if you like what you see I'd recommend taking a look at the TMSH wiki and maybe giving this week's podcast where we spoke with Mark Crosland in depth about TMSH a listen.

 

ARX Config, Day One

http://devcentral.f5.com/weblogs/dmacvittie/archive/2010/01/18/arx-config-day-one.aspx

In the first installment of what I'm hoping proves to be a long, detailed series describing his experiences with his ARX, Don dishes out a great intro post about getting his ARX out of the box and working. He's honest and gives plenty of details about both what he loved and what he…didn't, which I appreciate. It sounds like he also plans to go into detail about any troubles he's having or things that he finds that stand out to him and the users should know about. With his vast experience in the storage world, getting to see an ARX through his eyes is just about the next best thing to getting to fiddle with one yourself. So if you have any interest in learning what it's like to set up and start using an ARX device, I recommend keeping a keen eye on this series. Having no ARX experience myself I'm quite interested to get his impressions, so I'll be one of the subscribed readers too.

 

iRule Editor - Offline Editing

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2385

Joe's amazing creation, the iRule Editor, just got better. He's released a couple new features for it recently but the one that caught my attention the most is something that people have been asking about for quite some time now: offline editing. The iRule Editor has previously been a 100% online tool. You'd fire it up, connect to your device and start editing away. But what if you're on a plane or just don't have a device to connect to? Well, you were out of luck. Even though you could save the iRules themselves to your on disk archive, the editor wouldn't allow you to edit them offline before. But now, you can. Keep in mind that you won't be able to use any syntax checking because that uses tmm on the BIG-IP to test compile the code, but you can edit to your heart's content along with all the handy features of the iRule Editor you've grown to love. Joe even took the time to go through a walkthrough of how this works and show you how to use the cool new feature in this video. This is a very cool improvement…thanks Joe!

 

Following Google's Lead on Security? Don't Forget to Encrypt Cookies

http://devcentral.f5.com/weblogs/macvittie/archive/2010/01/15/google-gmail-ssl-cookie-encryption.aspx

Last but certainly not least is Lori's post talking about SSL and why it isn't the only thing you need to think about when working on securing an application. Yes, SSL is an excellent and pretty standard first step to securing an online application these days. I, just like Lori, completely agree that you should be using SSL encryption as a security measure if you're at all concerned about your users or their data. Something Lori mentions, though, is spot on: "it's not a panacea, especially where cookies are involved". Just because something is encrypted across the wire doesn't mean you can assume it's going to be 100% safe once it gets where it's going. Data stored on a client system, such as cookies that carry auth information, is a prime target for many malicious attacks trying to pry at user info. Cookie encryption can be a powerful agent in stopping this and stepping up your security one more level. Have a look for yourself for a more detailed description of how this works.

 

There you have this week's DevCentral Top5. As always, feedback is welcomed and you can check out previous versions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin



Thursday, January 07, 2010

20 Lines or Less #34 – A whole new year of iRules

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

So here we are in the future.  Surely by 2010 we should have jetpacks and hover cars and personal teleporters, right?  Well, technological advancements may have fallen short on some of those things promised to us time and time again by the world of sci-fi, but advancements there have been.  After 100+ examples of iRules in 20 Lines or Less I’m continually impressed by what people can come up with to accomplish in a few lines of code.  With new versions, new commands and a continually growing community, I have nothing but high hopes for the 20LoL and the DC community in general in twenty-ten.

With that, let’s dig into a few of the first iRule examples to be shown off this decade.

 

Load balanced Redirection

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814405&view=topic

In this example Aaron shows up my simple little outline of a rule with his more thought out logic.  Showing you how you might load balance to a pair of redirects rather than actual pools or nodes, he even shows you how to make sure that you aren’t redirecting to a downed location by making use of the LTM’s built-in features.  Very cool.

when HTTP_REQUEST {
   # For a load balancing selection from the VIP's default pool
   # This assumes you've set the pool's load balancing algorithm to round robin
   # LB::select returns "pool <name> member <addr> <port>", so match the address with a glob
   switch -glob [LB::select] {
      "* 1.1.1.1 *" {
         # Send client a 302 redirect with the hostname which corresponds to the 1.1.1.1 server IP
         HTTP::respond 302 Location "http://firsthost.domain.com" Cache-Control No-Cache Pragma No-Cache
      }
      "* 2.2.2.2 *" {
         # Send client a 302 redirect with the hostname which corresponds to the 2.2.2.2 server IP
         HTTP::respond 302 Location "http://secondhost.domain.com" Cache-Control No-Cache Pragma No-Cache
      }
      default {
         # Take some default action if both servers are marked down?
      }
   }
}

 

Terminate TCP Sessions

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814016&view=topic

In this extremely cool example we get a peek at how user millencol1n uses an iRule to fire Bigpipe commands.  By logging a particular string, then having his system fire a command based on that particular string when it’s found in the log, he’s able to effectively have his iRule firing off Bigpipe commands to clean his TCP sessions.  That’s some neat stuff. Thanks for the example.

when RULE_INIT {
   set ::count 0
}

when CLIENT_ACCEPTED {
   if { [active_members pool_a] > 0 } {
      pool pool_a
      log local0. "primary active"
      if { $::count == 1 } {
         log "clean sessions"
         set ::count 0
      }
   } else {
      pool pool_b
      log local0. "secondary active"
      set ::count 1
   }
}

when LB_FAILED {
   pool pool_b
   set ::count 1
   log local0. "Selected member: [LB::server addr]"
}

 

Restricting browser types

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814336&view=topic

This example shows us how one could easily limit users to a particular user agent, which generally translates into a given browser type for those non-spoofing types.  If your application only works in IE or you only want users with Firefox accessing certain sections of your site, this simple little snippet will get you where you need to go.

when HTTP_REQUEST {
   # Check if the UA header does not contain MSIE
   if { not ([HTTP::header "User-Agent"] contains "MSIE") } {
      # Send an HTTP response indicating the UA isn't allowed?
      HTTP::respond 200 content {<html>your browser isn't allowed</html>}
   }
}

 

I hope you had a great year last year and I’m looking forward to an even better one this year. As always all questions, comments & feedback are welcomed. Until next time, keep those examples coming and keep iRuling.

#Colin



Friday, December 11, 2009

DevCentral Top5 12/11/2009

There has been plenty to do the past couple of weeks, which means there's plenty to talk about today. Ranging from gaming to storage virtualization to interviews and more, I bring you my Top 5 picks of the week from DevCentral. And yes, of course there are some iRules in there. Here's your Top5:

 

Delivering SaaS Solutions with Hobsons Patrick McFadin

http://devcentral.f5.com/weblogs/interviews/archive/2009/12/07/delivering-saas-solutions-with-hobsons-patrick-mcfadin.aspx

In this interview with Patrick McFadin, Ken Salchow talks about software as a service, virtualization, spikes in traffic causing delivery challenges, and more. Perhaps more importantly the two talk about how F5's offerings, most notably in their case LTM, allow them to make the most out of their systems and applications, and handle the challenges that get thrown at them. This isn't a new story. Making use of F5 products and advanced technologies such as iRules has made this kind of leg-work a thousand times easier for many people. I just found it extremely cool to be able to listen in on such a candid chat with one such user. Patrick even went so far as to say, "I don't think we could do what we do without our F5 units in place". That's some pretty cool stuff, right there.

 

X marks the Games

http://devcentral.f5.com/weblogs/psilva/archive/2009/12/08/x-marks-the-games.aspx

In his 24th offering in the great 26 Short Topics about Security series Pete Silva talks to us about gaming. I know, I know…g is not the 24th letter of the alphabet. I'll allow Pete the stretch, though. He's talking about gaming, gaming security, gaming platforms, and steers us carefully towards Xbox. Well played, sir. Having satisfied his need to find a letter X to which security is related, he goes on to discuss some very real issues with security in a gaming world. Being an avid gamer myself this was of interest, and I found most of it to be pretty spot on. Letting your guard down simply because you're online gaming may result in a stolen credit card almost as fast as clicking a bad link in an email and "logging in". It's a dangerous web out there, keep your guard up.

 

File Virtualization… The short primer

http://devcentral.f5.com/weblogs/dmacvittie/archive/2009/12/06/file-virtualizationhellip-the-short-primer.aspx

Don chose to talk about storage over the past week. In one of a couple of posts in a somewhat heated thread with another storage space writer, Don talks about ARX, though you may have missed it if you weren't looking closely. It's not that he barely talks about it, it's more that you might not realize that he's talking about it past the dropping of the name in the beginning. The commentary is solid though, discussing File Virtualization and NAS vs. SAN concerns. I'm not a storage expert, and he clearly is, so I won't try and re-write his post, but I'd definitely recommend checking it out. Virtualization is big and getting bigger and file virtualization is an important yet often overlooked part of any large-scale virtualization story. This one's worth a read.

 

Next-Generation Management of Data Centers Should be Modeled on Social Networking

http://devcentral.f5.com/weblogs/macvittie/archive/2009/12/04/next-generation-management-of-data-centers-should-be-modeled-on-social.aspx

Leave it to Lori to draw a correlation between Facebook and NMS. I mean, really? I love it, don't get me wrong, but never in a million years would I have thought to suggest it in such a manner, let alone create a pretty cool mock-up of just how "infrabook" might look. She makes some strong points though, if you think about it. Networking is networking, whether you're connecting people or servers, and the idea of building "relationships" between objects is germane in both the social networking and "networking networking" worlds as well. I like her thought process and some of the points she raises. Am I ready to log into Facebook and manage my Ubuntu systems for a corp. net there? No, but neither is she. That doesn't mean some of the same ideas and utilities wouldn't apply. Check this one out, it's fun and makes you think.

 

20 Lines or Less #33 - Killer contest entries in 20 Lines or Less

http://devcentral.f5.com/weblogs/cwalker/archive/2009/12/11/20-lines-or-less-33-ndash-killer-contest-entries.aspx

With three more entries to the 20 Lines or Less series, I'm happy to announce that we've broken the century mark. With over 100 cool examples of what iRules can do for you in just a few short lines of code, the 20LoL is now gunning for 200 entries. What's more is that this week's 20LoL is a special iRule Do You? contest edition. Three of the entries into the contest that either won or received honorable mention were perfect examples for this series, so I figured I'd highlight them again. With two winners and an honorable mention in this year's contest weighing in at less than 21 lines of (actual) code each, there should be no doubt as to just how much power you can pack into a small iRules package. This series continues to be a blast to write, so look out for more small iRules kicking serious butt heading your way.

 

There are my Top5 picks for the week. Hopefully you found them helpful. Shoot me some feedback if you have it, otherwise thanks for reading and I hope you'll be back next week for more. As always, you can check out older versions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin


20 Lines or Less # 33 – Killer contest entries in 20 Lines or Less

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week the answer to that question is a good one – Win the iRule do You? contest!  Rather than trolling the forums, CodeShare and my personal archives, this week I bring to you a special 20LoL edition. This week’s entries are pulled from the winners and honorable mentions of the recently completed iRule Do You? contest here on DevCentral.

I absolutely love that I get to show you some short iRules that are not only neat or interesting, but they’re so innovative, creative and powerful that they won (or almost won) prizes in our annual contest.  If that’s not proof that you can do amazing things in just a few lines of code with iRules, then I don’t know what is.  This wasn’t planned, I didn’t trim these down, the stars just aligned right for me to be able to spotlight a few super cool rules from this year’s contest.  For complete contest results & entries, as well as full descriptions of each rule, check out the contest pages on DC.

Today’s 20LoL is doubly special, though. Not only do I get to highlight some clearly awesome contest entries, this also marks the edition where the 20LoL eclipses the 100 examples mark.  Over 100 examples of iRules doing what iRules do in under 21 lines of code. I’m stoked that I’ve gotten to continue with this feature this long, and I’m looking forward to hundreds more. Thanks for reading.

 

RTSP-redirect – by Jari Leppälä

http://devcentral.f5.com/Default.aspx?tabid=2227

In an attempt to build hash based persistence, Jari built this cool iRule that not only performs the needed persistence, but does so without forcing the traffic to ever even flow through the BIG-IP.  Using the BIG-IP as a logic device but not bothering it with the traffic is a slick concept to me in this case. Gotta love it.

 

when RTSP_REQUEST {
if { [RTSP::method] contains "OPTIONS" } {
  RTSP::respond 200 OK "Server: F5-redirector\r\nPublic: OPTIONS, SETUP\r\n\r\n"
}
if { [RTSP::method] contains "SETUP" or [RTSP::method] contains "DESCRIBE" } {
  set client [IP::remote_addr]
  regexp "rtsp://.*/(.*)$" [RTSP::uri] url file
  # MD5 Hash & Persistence
  set S ""
  foreach N [active_members -list vod] {
    if { [md5 $N$file] > $S } {
      set S [md5 $N$file]
      set W $N
    }
  }
  set vod [lindex $W 0]
  set newuri "rtsp://$vod:554/$file"
  RTSP::respond 302 MOVED_TEMPORARILY "Server: F5-redirector\r\nLocation: $newuri\r\nConnection: close\r\n\r\n"
  log "Client ($client) request to $file redirected to $newuri"
}
}
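
As an added example (not part of Jari's entry), here is the same highest-md5 selection in Python with a constructed VOD pool, generalised to show why it makes a good persistence method: because each member is scored independently, taking one member out of the pool only moves the files that member owned, and every other file keeps redirecting to the same server. Function names and pool addresses are my own.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# Constructed sample pool: (address, port) pairs, the shape of the elements
# that `active_members -list vod` hands the iRule.
VOD_POOL: List[Tuple[str, int]] = [("10.0.0.11", 554), ("10.0.0.12", 554), ("10.0.0.13", 554)]


def choose_member(members: Sequence[Tuple[str, int]], file: str) -> Tuple[str, int]:
    """Rendezvous (highest-random-weight) choice, as the iRule's foreach loop does it:
    score every member with md5(member + file) and keep the highest digest, so all
    clients asking for the same file land on the same server."""
    best = None
    best_score = b""
    for addr, port in members:
        # Same key shape as the iRule's "$N$file": the member element followed by the file name.
        score = hashlib.md5(f"{addr} {port}{file}".encode()).digest()
        if score > best_score:
            best, best_score = (addr, port), score
    if best is None:
        raise ValueError("no active members in pool")
    return best


def redirect_location(members: Sequence[Tuple[str, int]], uri: str) -> str:
    """Rebuild the 302 Location the iRule emits: rtsp://<member address>:554/<file>."""
    file = uri.rsplit("/", 1)[-1]  # the iRule's regexp "rtsp://.*/(.*)$" keeps the last path element
    addr, _port = choose_member(members, file)
    return f"rtsp://{addr}:554/{file}"


def moved_on_failure(members: Sequence[Tuple[str, int]], files: Sequence[str],
                     failed: Tuple[str, int]) -> Tuple[List[str], List[str]]:
    """Compare placements before and after `failed` leaves the pool.
    Returns (files whose server changed, files the failed member owned); with
    rendezvous hashing the two lists are identical."""
    before: Dict[str, Tuple[str, int]] = {f: choose_member(members, f) for f in files}
    remaining = [m for m in members if m != failed]
    after = {f: choose_member(remaining, f) for f in files}
    moved = [f for f in files if before[f] != after[f]]
    owned = [f for f in files if before[f] == failed]
    return moved, owned


if __name__ == "__main__":
    print(redirect_location(VOD_POOL, "rtsp://vod.example.com/media/movie1.mp4"))
    clips = [f"clip{i}.mp4" for i in range(200)]
    moved, owned = moved_on_failure(VOD_POOL, clips, ("10.0.0.12", 554))
    print(f"{len(moved)} of {len(clips)} files moved; failed member owned {len(owned)}")
```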

 

 

Encrypt Outgoing Soa Request – by Sake Blok

http://devcentral.f5.com/Default.aspx?tabid=2228

Looking for a way to make his outbound SOA traffic more secure, Sake came up with yet another iRule contest winner this year. No stranger to the winner’s circle, Sake continues to be an awesome contributor with innovative, original ideas for how to bend iRules to his whims. I always love seeing what he comes up with and this was no exception.

 

when RULE_INIT {
   # Debug off (0), Errors-only(1), On(2) or Verbose(3)
   set ::debug 3
   if { $::debug>=2 } { log local0. "Log level set to $::debug" }
}
when CLIENT_ACCEPTED {
   # Remember the address of the destination SOA server
   set SoaServerIP [IP::local_addr]
   if { $::debug>=3 } { log local0. "$SoaServerIP: Outgoing connection requested" }
}

when HTTP_REQUEST {
   # Extract the hostname of the SOA server from the HTTP request
   # This name must match the common name in the certificate
   # of the SOA server when the SSL session is set up.
   set SoaServerName [string tolower [substr [HTTP::host] 0 ":"]]
   if { $::debug>=3 } { log local0. "$SoaServerIP: Hostname = $SoaServerName" }

   # Overrule the dummy address in the default pool of the virtual
   # and change it to the address of the SOA server saved in CLIENT_ACCEPTED.
   # Also change the destination port from 80 to 443.
   node $SoaServerIP 443
}

when SERVERSSL_HANDSHAKE {
   # Extract the server certificate from the SOA server ServerHello message
   set SoaServerCert [SSL::cert 0]

   # Extract the common name from the server certificate
   set CommonName [string tolower [findstr [X509::subject $SoaServerCert] "CN=" 3 ","]]
   if { $::debug>=3 } { log local0. "$SoaServerIP: Common Name = $CommonName" }

   if { $CommonName ne $SoaServerName } {
      # Tell the client why the request was refused, then tear the connection down
      clientside {TCP::respond "HTTP/1.1 403 WRONG CERTIFICATE\r\n\r\nThe common name $CommonName \
in the certificate at $SoaServerIP does not match to hostname $SoaServerName in the SOA request.\r\n"}
      TCP::close
      if { $::debug>=1 } { log local0. "$SoaServerIP: Name mismatch CN=$CommonName, Hostname=$SoaServerName" }
   } else {
      # Create a log entry for this (successful) request
      if { $::debug>=2 } { log local0. "$SoaServerIP: Request to $SoaServerName successfully forwarded" }
   }
}
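
An added Python example (not from Sake's entry) of the name check the SERVERSSL_HANDSHAKE event performs: the hostname is taken from the Host header with any port stripped, the CN is pulled out of the subject DN (with escaped commas handled rather than a plain cut at the next comma), and the two are compared exactly as the iRule does, so a wildcard CN is rejected too. The Host headers and subject strings are constructed; the function names are my own.

```python
from typing import List, Optional, Tuple


def host_from_header(host_header: str) -> str:
    """Lowercased hostname from an HTTP Host header with the port removed
    (the iRule's `substr [HTTP::host] 0 ":"`), also coping with [IPv6]:port."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def split_dn(subject_dn: str) -> List[str]:
    """Split 'C=US, O=Acme\\, Inc., CN=host' into RDN strings, honouring backslash escapes."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in subject_dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def common_name(subject_dn: str) -> Optional[str]:
    """The lowercased CN value, or None when the subject carries no CN at all."""
    for rdn in split_dn(subject_dn):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip().lower()
    return None


def check_server_name(host_header: str, subject_dn: str) -> Tuple[bool, str]:
    """The iRule's decision: forward only when the certificate CN equals the requested host.
    Exact comparison, as in the iRule: a missing CN or a wildcard such as *.example.com fails."""
    wanted = host_from_header(host_header)
    cn = common_name(subject_dn)
    if cn is None:
        return False, f"Name mismatch: certificate has no CN, Hostname={wanted}"
    if cn != wanted:
        return False, f"Name mismatch CN={cn}, Hostname={wanted}"
    return True, f"Request to {wanted} successfully forwarded"


if __name__ == "__main__":
    # Constructed sample inputs
    print(check_server_name("soa.example.com:443", "C=US, O=Example, CN=SOA.Example.com"))
    print(check_server_name("soa.example.com", "C=US, O=Example, CN=other.example.com"))
```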

 

 

DSL Setup DNS – by Christopher Wood

http://devcentral.f5.com/Default.aspx?tabid=2229

Even though Christopher didn’t quite claim victory this year, his entry was one of my personal favorites and showed that he absolutely has the ability to do so. I have no doubt that he’ll be a force to be reckoned with in coming contests.  This very cool iRule shows how he was able to make the process of getting users with newly installed DSL modems online much simpler. Not only did it solve an immediate problem (getting users online with ease) it reduced support calls too. That’s a double win.

 

when RULE_INIT  {
  # Header generation (in hexadecimal)
  # qr(1) opcode(0000) AA(1) TC(0) RD(1) RA(1) Z(000) RCODE(0000)
  set ::header "8580"
  # 1 question, 1 answer, 0 NS, 0 Addition
  set ::header "${::header}0001000100000000"
  # Type = A
  set ::answerz "0001"
  # Class = IN
  set ::answerz "${::answerz}0001"
  # TTL = 1 minute
  set ::answerz "${::answerz}0000003c"
  # Data length = 4
  set ::answerz "${::answerz}0004"
  # Address = 0.0.0.0 (in hex)
  set ::answerz "${::answerz}00000000"
}
when CLIENT_DATA {
  binary scan [UDP::payload] H4@12A*@12H* id dname question
  # the drop statement below has to be in an if context
  if { 1 } {
    set ::questionx "${question}"
    set ::myl [string range ${::questionx} 0 end-8]
    set ::myllower [string tolower ${::myl}]
    # the hex wire-format encoding of the lowercased internal zone name ("fake.com" here; placeholder value)
    if { [ string match "*1234567890abcdef123456" ${::myllower} ] } {
      pool internal-DNS
    } else {
      set payload [binary format H* ${id}${::header}${question}${::myl}${::answerz} ]
      # drops the incoming connection
      drop
      UDP::respond $payload
    }
  }
}
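
An added Python example (not Christopher's code) that builds the same reply the iRule assembles: the 0x8580 flags, one question and one answer, the echoed question section, and an A record of 0.0.0.0 with a 60 s TTL, with the internal-zone test done on the decoded, lowercased name rather than on the hex string. The queries are constructed inline and the function names are my own.

```python
import struct
from typing import Optional, Tuple

# Same header the iRule builds in RULE_INIT:
# qr=1 opcode=0000 aa=1 tc=0 rd=1 ra=1 z=000 rcode=0000 -> 0x8580,
# then QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0.
RESPONSE_FLAGS = 0x8580
ANSWER_FIXED = struct.pack("!HHIH", 1, 1, 60, 4)  # type A, class IN, TTL 60 s, RDLENGTH 4
CAPTIVE_ADDRESS = bytes([0, 0, 0, 0])              # 0.0.0.0, as in the iRule


def encode_name(name: str) -> bytes:
    """Dotted name to DNS wire format: length-prefixed labels plus a zero terminator."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample client query: standard query, RD=1, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_query(pkt: bytes) -> Tuple[int, bytes, bytes, str]:
    """Split a query the way the iRule's binary scan does:
    id, question section (`question`), wire-format name (`myl`), plus the decoded name."""
    if len(pkt) < 17:
        raise ValueError("packet too short for a DNS question")
    txid = struct.unpack("!H", pkt[:2])[0]
    question = pkt[12:]          # everything after the 12-byte header
    qname_wire = question[:-4]   # drop the trailing QTYPE+QCLASS (the iRule's "end-8" hex chars)
    labels = []
    pos = 0
    while pos < len(qname_wire) and qname_wire[pos] != 0:
        length = qname_wire[pos]
        if length & 0xC0:        # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(qname_wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos >= len(qname_wire):
        raise ValueError("question name is not zero-terminated")
    return txid, question, qname_wire, ".".join(labels).lower()


def build_captive_answer(txid: int, question: bytes, qname_wire: bytes) -> bytes:
    """Concatenate id + header + question + name + fixed answer, as the iRule's binary format does."""
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 1, 1, 0, 0)
    return header + question + qname_wire + ANSWER_FIXED + CAPTIVE_ADDRESS


def handle_query(pkt: bytes, internal_suffix: str = "fake.com") -> Tuple[str, Optional[bytes]]:
    """The iRule's branch: names in the internal zone go to the internal-DNS pool,
    everything else gets the canned 0.0.0.0 answer straight from the BIG-IP."""
    txid, question, qname_wire, qname = parse_query(pkt)
    if qname == internal_suffix or qname.endswith("." + internal_suffix):
        return "forward:internal-DNS", None
    return "respond", build_captive_answer(txid, question, qname_wire)


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past an uncompressed wire-format name."""
    while buf[pos] != 0:
        pos += 1 + buf[pos]
    return pos + 1


def parse_answer(pkt: bytes) -> Tuple[int, int, int, str]:
    """Read back id, flags, ANCOUNT and the first A record's address to check a reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = _skip_name(pkt, 12) + 4        # past the echoed question
    pos = _skip_name(pkt, pos)           # past the answer's owner name
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    rdata = pkt[pos + 10:pos + 10 + rdlen]
    return txid, flags, an, ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    action, reply = handle_query(build_query("www.example.net", 0xBEEF))
    print(action, reply.hex() if reply else None)
    print(handle_query(build_query("Intranet.Fake.COM")))
```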

 

Thanks again to everyone who participated in this year’s iRule Do You? contest. I hope to see even more entries next year, and more people doing hawesome things in just a few lines of code. Here’s your proof that it’s possible, see what you can do to top them.

#Colin



Friday, November 20, 2009

20 Lines or Less #32 – Sip, Counters & Classes

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

 

SIP topology hiding forward proxy

http://devcentral.f5.com/wiki/default.aspx/iRules/SIP_topology_hiding_and_forward_proxy.html

If you’re passing SIP traffic and want a way to mask the Via and/or From headers when passing traffic to the outside world, this might be just the rule you’ve been waiting for.  It’s a cool look at using iRules for an off-the-wall issue with a non-HTTP protocol. This is a simplified version of the original iRule to cram it down to less than 21 lines, but the functionality is identical.  Just a lot fewer comments and a few fewer variables being set.  Good stuff.

 

when SIP_REQUEST {
        set originator_ip [IP::remote_addr]
        node [IP::local_addr]:[TCP::local_port]
}
when SIP_REQUEST_SEND {
        set snat_ip [serverside {IP::local_addr}]
        set ip_map [list [findstr [SIP::header From] "@" 1 ">"] $snat_ip]
        SIP::header remove from
        SIP::header insert from "[string map $ip_map  [SIP::header "From"]]"
        SIP::header remove via
        SIP::header insert via [string map $ip_map  [SIP::header "Via"]]
}
when SIP_RESPONSE {
        set ip_map [list $snat_ip $originator_ip]
        SIP::header remove from
        SIP::header insert from "[string map $ip_map  [SIP::header "From"]]"
        SIP::header remove via
        SIP::header insert via [string map $ip_map [SIP::header "Via"]]
}

 

 

CMP v10 Compatible counters using the session table

http://devcentral.f5.com/wiki/default.aspx/iRules/CMP_v10_compatible_counters_using_the_session_table.html

In this CodeShare entry hoolio outlines two different ways to set up counters using the session table in v10.  The benefit is that it’s fully CMP compliant, which on certain systems will up performance considerably. It’s also much cooler because the second of the two examples packed into a single iRule shows how to make virtual-specific variables for your counters, which is a trick I like a lot.  I’m just highlighting the virtual-specific version here, though Aaron showed you how to do both a virtual-specific version and a global version in the original post, linked above.

when HTTP_REQUEST {
   # Key the counter on the virtual server name so each virtual gets its own value
   set vip [virtual name]
   set value [session lookup uie "${vip}_my_counter"]
   if { $value eq "" } {
      session add uie "${vip}_my_counter" 0
   } else {
      session add uie "${vip}_my_counter" [expr {$value + 1}]
   }
}

 

 

v10 Class matching

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86237&view=topic

In version 10 iRules were given a whole new way to access data groups: the class command.  The class command offers a host of new and powerful abilities and Aaron’s making use of one of them in this example.  I want to dig into this more and see what other options there might be to achieve what he’s gunning for, but this one isn’t a bad one at all, so I thought I’d highlight it.

when HTTP_REQUEST {
   # Loop through each class line
   for {set i 0} {$i < [class size my_dgl]} {incr i} {
      # Use scan to parse the two fields (pattern and value) from the class element
      scan [class element -name $i my_dgl] {%[^ ]%s} my_pattern my_value
      # Use string match to evaluate the pattern against the requested URI
      if { [string match -nocase $my_pattern [HTTP::uri]] } {
         # Found a match
         log local0. "Matched $my_pattern, using $my_value"
         break
      }
   }
}

 

That’s it for this week.  I’ll be out next week for vacation/holiday so check back the week after for more condensed iRule goodness!

#Colin



Friday, November 06, 2009

DevCentral Top5 11/06/2009

While ramping up for "The Next Big Thing" continues amongst the DC staff, there is much to talk about in regards to content that's happening in the here and now, not just in the eagerly awaited future (with jet-packs and stuff…). DevCentral has seen its share of cool content this week, as it does every week, so let's talk about what needs talking about. Bringing you everything from TCL strings to a philosophical discussion of when vs. where and which is more important, I'm here with my Top5 picks for the week. And here they are:

 

When Is More Important Than Where in Web Application Security

http://devcentral.f5.com/weblogs/macvittie/archive/2009/11/06/when-is-more-important-than-where-in-web-application-security.aspx

In this post Lori was as insightful and informative as ever, discussing why being timely is more important, in general, than being perfect when it comes to application security. It's a pretty simple concept to me. When it comes right down to it, no one really cares where you solve a security problem, they care about when you solve it. It's well and good that you want to argue that things should be solved at the app layer vs. the WAF, but if I can provide a solution in 10 minutes...how long is it going to take you to patch every single application for even a minuscule security flaw? I agree just as much with Lori's reminder that WAF and app security models shouldn't compete. They are complementary in the war against attacks, not mutually exclusive, and should be treated as such.

Every time someone tries to tell you which method is more "proper" or "correct", though, I'd ask them just how much they care about being proper in very real terms. How much is it worth in terms of hours (or days) of their application being exposed? At what point is it worth trading 20, 40, 120 hours of being exposed to a known exploit for an ounce of being "proper", which is already debatable at best, as opposed to getting the fix in place in a fraction of the time? Lori being insightful and informative isn't anything new. She knew she had a solid point to make and I tend to agree. What she didn't know was just how timely she was in setting the stage for her point to be illustrated, but we'll get to that in a moment. They call that foreshadowing, I think. I can tell you're on pins and needles.

 

20 Lines or Less #31 - Traffic shaping, header re-writing, and TLS renegotiation

http://devcentral.f5.com/weblogs/cwalker/archive/2009/11/06/20-lines-or-less-31-ndash-traffic-shaping-header-re-writing.aspx

Behold, your suspense is relieved! I unveil before your very eyes the payoff to Lori's unintentional setting of the stage. But how, you ask, does the 20LoL tie in with the When vs. Where of App Security? Via the much discussed TLS renegotiation vulnerability that has been burning up the net, of course. When a security measure as deeply rooted and common as TLS encryption is found to be susceptible to attacks, there is much to talk about, and talk they have. It turns out that via a man in the middle attack would-be ne'er-do-wells have the potential to insert information into a renegotiated SSL connection. This is very bad. What's very good, however, is that a user from the DevCentral community drafted a simple fix, at least in their deployment, the very next day. That's the power of iRules. Agility at its very finest, if I've ever seen it. We could debate all day where the best place, technically speaking, to implement the fix is. Or we could just fix it in about 10 minutes of coding and another 30 minutes of testing, and be done with it. That's just one of the rules in the 20LoL, of course. There are two more very cool examples of iRules doing the cool things they do in less than 21 lines of code. Check them out.

 

iRules 101 - #16 - Parsing Strings with the TCL Scan Command

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2346

Jason digs into the amazingly powerful yet often overlooked scan command in his latest contribution to the iRules 101 series. The scan command has some pretty staggeringly powerful capabilities to parse strings in an ultra efficient manner. It takes a little getting used to but it's definitely a command that has potential beyond what's obvious at first glance. Jason does a good job of breaking down some of the options and giving clear examples of not only the command itself but how you might use it in the context of an iRule. Very cool stuff, and worth a read for any current or would-be iRulers out there.

 

Operations Manager Debugging Part I: Top 10 Tools for Developing and Debugging Management Packs

http://devcentral.f5.com/weblogs/jhendrickson/archive/2009/11/04/operations-manager-debugging-part-i-top-10-tools-for-developing.aspx

You've been hearing a lot about the Management Pack lately. That's not likely to change, especially if they keep putting out not only consistent, timely releases with new features, but awesome documentation and commentary along the way. Case in point, Joel Hendrickson put up a blog post this week about his Top 10 favorite tools for the kind of debugging he oftentimes ends up doing as a member of that team. Whether or not you're directly involved with the Management Pack, this is a very cool list. It's interesting to see him walk through each tool, what it does and in some cases how he uses them. I'm always a sucker for hearing a geek talk about … well … being a geek, and that's just what Joel's up to in this informative post. Take a look for all your code debugging needs.

 

pyControl Just as Happy on Linux

http://devcentral.f5.com/weblogs/jason/archive/2009/11/04/pycontrol-just-as-happy-on-linux.aspx

In response to the many questions asking about pyControl and whether or not it's viable as a Linux solution to iControl programming, Jason put together this tidy little post that not only answers the question (yes, by the way), but shows you just how to get started. This was a cool reminder to me not only of how awesome the pyControl project is, but of just how easy it can be to get started digging into iControl and all the cool things that it can do. With just a few commands, outlined in Jason's post, you can have an environment up and running, ready to start developing. I'm even more excited to see what's coming in pyControl2, whenever I get a chance to play with that. But that's a post for another day.

 

There you have it, five picks for this week that you just really should not miss. As always, don't be shy with your feedback, and check out previous versions here: http://devcentral.f5.com/Default.aspx?tabid=101

#Colin


20 Lines or Less #31 – Traffic shaping, header re-writing and TLS renegotiation

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week not only are the examples cool and interesting, but one of them at least is extremely timely. You've no doubt heard about the TLS renegotiation MITM attack that was recently disclosed, in which an attacker abuses client-initiated renegotiation to splice their own data in front of a victim's request. It's front-page news around the web and for good reason. While research needs to be done and a real fix needs to be put in place at the protocol level, one crafty community member was quick to draft up a simple fix to at least help mitigate their own issues. And in under 20 lines, no less. Here are this week's offerings:

 

Simple traffic shaping

http://devcentral.f5.com/wiki/default.aspx/iRules/Simple_traffic_shaping.html

User JackofallTrades brings us a great example of iRules simplicity via the codeshare. If you're looking for a way to send folks to different rate classes based on their usage, this is one way you can get there. It's highly customizable, too, since it's an iRule.

 

when SERVER_DATA {
    set srvAge [IP::stats age]
    set srvBytes [IP::stats bytes in]
    # change 10000ms/10s to your desired time
    if {$srvAge > 10000 } {
        # change the received bytes threshold if needed
        if {$srvBytes > 3000000 } {
            # make sure you create the rate class
            rateclass bandHog
            #log local0. "Bandwidth Hog: [IP::client_addr] server bytes $srvBytes"
        }
    }
    #log local0. " [IP::client_addr]:[TCP::client_port] server age: $srvAge server bytes: $srvBytes"
}

 

Rewrite Host header to server name

http://devcentral.f5.com/wiki/default.aspx/iRules/rewrite_host_header_to_server_name.html

Hoolio's at it again with his latest codeshare entry. In this example he shows how you can rewrite the Host header based on the destination server your request is being sent to, using a data group that maps server IP to host name. Fun stuff.

 

when HTTP_REQUEST_SEND {

   # Need to force the host header replacement and HTTP:: commands into the clientside context
   #  as the HTTP_REQUEST_SEND event is in the serverside context
   clientside {

      if {$::host_debug}{log local0. "[IP::client_addr][TCP::client_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]"}

      # Look up the selected server IP in the datagroup to get the host header value
      set host_header_value [findclass [LB::server addr] $::ip_to_host_class " "]

      if {$::host_debug}{log local0. "[IP::client_addr][TCP::client_port]: Looked up [LB::server addr], found: $host_header_value."}

      # Check if the lookup returned a value
      if {$host_header_value ne ""}{
   
         # Replace the host header value
         HTTP::header replace Host $host_header_value
         if {$::host_debug}{log local0. "[IP::client_addr][TCP::client_port]: Replaced Host header with $host_header_value."}
      }
   }
}

 

Mitigating the TLS client-initiated renegotiation MITM attack

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86456&view=topic

Last but certainly not least, user Lupo comes to us with a simple yet hawesome iRule to show an easy way to put a stop to renegotiation MITM attacks in your environment…just so long as you have iRules handy (and don't need to renegotiate your SSL connections). Keep in mind that the rule counts every handshake on the connection, so any legitimate renegotiation (for example the server asking for a client certificate partway through a session) will be dropped too. I love it when users share cool things they're doing. I love it even more when those cool things are timely, interesting, and almost certainly useful to many other people. Way to go Lupo, thanks for sharing. Note that this, as with all 20LoL entries, isn't tested/guaranteed/endorsed, etc. But it's pretty sound logic and I don't see any good reason it shouldn't work. Test it in your environment and see for yourself.

when CLIENT_ACCEPTED {
    # initialize TLS/SSL handshake count for this connection
    set sslhandshakecount 0
}

# if you have lower priority iRules on the CLIENTSSL_HANDSHAKE event, you have to make sure that they don't interfere with this iRule
when CLIENTSSL_HANDSHAKE priority 100 {
    # a handshake just occurred
    incr sslhandshakecount

    # is this the first handshake in this connection?
    if { $sslhandshakecount != 1 } {
        # log (rate limited) the event (to /var/log/tmm)
        log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred, dropping connection"
        # close the clientside connection
        TCP::close
    }
}
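
If you want to see the same policy applied off-box, here is an added example (my own, not Lupo's iRule and not F5 code) that runs the rule's logic over a raw client-to-server TLS record stream, such as one side of a connection reassembled from a capture. It only parses the record layer: once the client has sent ChangeCipherSpec the handshake bodies are encrypted, but the record content type (0x16) stays in the clear, which is all the check needs. The two sample streams at the bottom are constructed for the example, not captured traffic.

```python
"""Passive detector for TLS renegotiation on a client-to-server record stream.

Added example, not part of the original post. It applies the iRule's policy
(a second handshake on an established client connection is renegotiation and
the connection should be dropped) to raw TLS records. The sample streams at
the bottom are constructed, not real captures.
"""
import struct

CHANGE_CIPHER_SPEC = 0x14
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
CLIENT_KEY_EXCHANGE = 0x10
TLS_1_0 = 0x0301


def iter_records(stream):
    """Yield (content_type, version, payload) per record; raise on truncation."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        offset += 5
        if len(stream) - offset < length:
            raise ValueError("truncated record body at offset %d" % offset)
        yield ctype, version, stream[offset:offset + length]
        offset += length


def count_client_handshakes(client_stream):
    """Count handshakes the client starts, the way the iRule's counter does.

    States: 'hello' (nothing seen) -> 'negotiating' (ClientHello sent)
    -> 'finished_pending' (client ChangeCipherSpec sent; the next handshake
    record is its Finished) -> 'established'. A handshake record while
    'established' can only be an encrypted ClientHello: a renegotiation.
    """
    handshakes = 0
    state = "hello"
    for ctype, _version, payload in iter_records(client_stream):
        if ctype == CHANGE_CIPHER_SPEC:
            state = "finished_pending"
        elif ctype == HANDSHAKE:
            if state == "hello":
                if payload[:1] == bytes([CLIENT_HELLO]):
                    handshakes += 1
                    state = "negotiating"
            elif state == "finished_pending":
                state = "established"   # this record is the client's Finished
            elif state == "established":
                handshakes += 1         # renegotiation starts here
                state = "negotiating"
            # while 'negotiating', further handshake records belong to the current handshake
    return handshakes


def should_drop(client_stream):
    """The iRule's decision: any handshake after the first means drop."""
    return count_client_handshakes(client_stream) > 1


# --- constructed sample streams (not real captures) --------------------------
def _record(ctype, payload):
    return struct.pack("!BHH", ctype, TLS_1_0, len(payload)) + payload


def _handshake_msg(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


_INITIAL_HANDSHAKE = (
    _record(HANDSHAKE, _handshake_msg(CLIENT_HELLO, b"\x03\x01" + b"\x00" * 36))
    + _record(HANDSHAKE, _handshake_msg(CLIENT_KEY_EXCHANGE, b"\x00" * 48))
    + _record(CHANGE_CIPHER_SPEC, b"\x01")
    + _record(HANDSHAKE, b"\x5a" * 40)          # encrypted Finished
)
NORMAL_CLIENT = _INITIAL_HANDSHAKE + _record(APPLICATION_DATA, b"\x42" * 64)
RENEGOTIATING_CLIENT = (
    _INITIAL_HANDSHAKE
    + _record(APPLICATION_DATA, b"\x42" * 32)   # attacker's (encrypted) request prefix
    + _record(HANDSHAKE, b"\x7f" * 80)          # encrypted second ClientHello
    + _record(CHANGE_CIPHER_SPEC, b"\x01")
    + _record(HANDSHAKE, b"\x5a" * 40)          # encrypted Finished of handshake #2
    + _record(APPLICATION_DATA, b"\x42" * 64)   # victim's request, spliced after the prefix
)

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_CLIENT), ("renegotiating", RENEGOTIATING_CLIENT)):
        verdict = "drop" if should_drop(stream) else "allow"
        print(name, count_client_handshakes(stream), verdict)
```

The state machine matters: the client's own Finished message arrives as a handshake record after its ChangeCipherSpec, so simply counting 0x16 records after the cipher change would flag every normal connection. Like the iRule, this flags server-requested renegotiation too, so it belongs in a deployment that never renegotiates.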

There are three more awesome examples for you.  20 lines of code or less packed with all sorts of iRuley goodness to make your lives easier, better, faster or safer.  How can you not love that?  See you next time.

#Colin


  Friday, October 30, 2009 #
  
DevCentral Top5 10/30/2009

Released into the wild, the DevCentral team is back from our week of being sequestered in a conference room discussing the meaning of life, the universe and everything. Well…everything as it pertains to DC, at least. We even rolled successfully to save against being mauled by zombies or turned into newts (hey…it's almost Halloween, gimme a break…). As such there is plenty of content to pore through this week, including a very cool talk with a newbie to the F5 family. As always I'll give you my picks and hope they serve you well. Here is the Top5 for this week:

 

Cast Your Vote for Best iRule for the 2009 Contest

http://devcentral.f5.com/weblogs/JeffB/archive/2009/10/29/6170.aspx

We're almost there! I'm sure some of you that were paying close attention have been looking at your calendars with all of the days marked off, waiting with bated breath for the announcement of the winners of this year's iRule Do You? contest. There is but one more person that needs to vote before we can be finished - you! We've made our picks, cast our ballots and bet on our respective ponies, as it were, and now it's time for the community to get involved. Take a minute to go look at the top 6 iRule entries this year. You'll get to feast your eyes on what people are doing with the coolest coding language in the networking world, then vote for your favorite to win the grand prize. Not only is this post informative, but it's interactive as well. Take a few minutes and go take a look at what the community is up to.

 

DevCentral Weekly Roundup Episode 109 - Branch Cache Chumby

http://devcentral.f5.com/weblogs/dcpodcast/archive/2009/10/29/devcentral-weekly-roundup-episode-109-branch-cache-chumby.aspx

It's all right, I have no idea what the heck "Branch Cache Chumby" means either. Regardless of the title, this week's podcast was very cool. We talked about a few of the usual things as well as Jeff mentioning the above post wherein the community gets to help steer the ship directly for a change, rather than indirectly. Most interesting of all, though, was the in-depth discussion that we had with the guest this week, F5's own James Hendergart. James is a relatively new player on the F5 team but he's got plenty of experience, so he comes across as anything but new. We talked at length about what he and the Business Development team are up to with Microsoft, ranging from Sharepoint to Exchange to Branch Caching and beyond. It's always good to hear what other teams are up to and James has some definite passion about what he's doing, so it turned into a great talk. This one is worth a listen.

 

A First Look at the F5 PRO-Enabled Management Pack for Microsoft Virtual Machine Manager 2008

http://devcentral.f5.com/weblogs/jhendrickson/archive/2009/10/27/a-first-look-at-the-f5-pro-enabled-management-pack-for.aspx

Speaking of Microsoft, the guys on the Management Pack team are on a roll. They just keep dropping release after release with new, cool features for you to play with. In this post Joel Hendrickson, one of the devs on that team, walks through some of the new bells and whistles in their newest deployment. I love seeing what these guys are going to come up with next, and they haven't disappointed so far. If you've been following or have interest in the management pack at all, I think this is definitely worth a read.

 

To Take Advantage of Cloud Computing You Must Unlearn, Luke.

http://devcentral.f5.com/weblogs/macvittie/archive/2009/10/28/to-take-advantage-of-cloud-computing-you-must-unlearn.aspx

The unlearning Lori is talking about is all that knowledge you have about application scaling and sizing. It's common practice to over-supply resources for an application. You think the app needs x amount of CPU and y amount of RAM to comfortably run at normal operating levels? Great. Now go buy servers with 2-3x those resources so you can be sure that things are always running smoothly, even during spikes in usage. That might not sound so bad, but what if "x cpu and y RAM" ends up being 40 physical machines worth once you've tripled it? Now scale that out across many applications and you start to see the problem that companies running their own infrastructure have often had to deal with. They have all this capacity going to waste a huge percentage of the time, but they have to have it for those 5 or 6 times a year when usage spikes. This, as Lori says, is one of the large draws to the cloud computing and virtualization model(s). There are a few hiccups, of course, if you treat your options for virtualized resources in the cloud the same as you always have your physical systems. Lori goes into much more depth in her post, I suggest you give it a read to find out more.

 

20 Lines or Less #30

http://devcentral.f5.com/weblogs/cwalker/archive/2009/10/30/20-lines-or-less-30.aspx

Back at it this week the 20LoL is here with three more great iRules examples courtesy of the community. In this particular case when I say "community" I mean "hoolio". I didn't realize it until after I'd pulled all three examples that they all ended up being from one guy. That's less shocking, though, if you look at the 5,000+ posts Aaron has put out there for the iRulers worldwide. This week I grabbed a couple good ones dealing with pre-loading search queries via http redirects, even more fun with the ever popular nested switch statement, and updating referrer headers in-line. We're darn close to breaking 100 unique iRule examples under 21 lines of code in this series, and every week I love digging around to see what I can find that people are up to in just a few short commands. Take a look if you want to get some ideas on how to use small iRules to have a big impact.

 

That’s it for this week. As always, check out previous versions here: http://devcentral.f5.com/Default.aspx?tabid=101 and don't be shy with your feedback.

#Colin


20 Lines or Less #30

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

Well we made it to 30 editions of the 20LoL.  Soon we’ll break 100 iRule examples that are under 21 lines of code each.  Pretty neat stuff, if you ask me.  This week is the hoolio show, it seems.  The guy is just a monster in the forums, what can I say?  I sure am glad he’s on our side.  I’ve got three examples that I randomly pulled from the forums because I thought they were cool.  Only later did I realize that he had penned them all.  So big thanks yet again to Aaron and all his hard work to better the community.

 

Pre-loaded searches based on host name

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86016&view=topic

This cool little example is a neat spin on a simple HTTP redirect. The basic idea is to send the request to a given search site and set the search parameter to be the original host name of the request. So I could request bobschickenshack.com and end up at a search for bobschickenshack on the search page of my choosing. Very cool idea, and darn easy to implement. Note that as written it rewrites the Host header and URI of the request in place rather than sending the client a redirect, so the virtual server needs a pool that can reach the search site (or swap the two rewrite lines for an HTTP::redirect).

 

 
when HTTP_REQUEST {
    # Save the originally requested hostname before the Host header is rewritten
    set host [HTTP::host]
    # Rewrite the uri to /search?q=$host, then the Host header to www.yahoo.com
    HTTP::uri "/search?q=$host"
    HTTP::header replace Host "www.yahoo.com"
}

 

More fun with nested switch

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=85807&view=topic

I know we’ve covered switch before, but this is yet another good use of it and I really like the idea of selecting snatpools based on which server the request is going to end up going to.  I trimmed this one down a little but only by removing a few of the possible snatpool options, all logic is the same, even though it’s just an excerpt of the overall solution provided.

 

when LB_SELECTED {
    switch [LB::server addr] {
        222.35.42.126 {
            switch [IP::client_addr] {
                192.168.3.11 { snatpool snat_crt_test2 }
                default { snatpool snat_crt_pool }
            }
        }
        221.218.248.155 {
            switch [IP::client_addr] {
                192.168.3.11 { snatpool snat_uni_test2 }
                default { snatpool snat_uni_pool }
            }
        }
        default { snat automap }
    }
}

 

Updating referrers

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=85807&view=topic

Hoolio does a good job of not only pointing out the inherent problem with trying to replace Referer headers with hostnames from requests, but giving an option that works as desired even if it's a little bit different direction than the OP was headed. This is a good example of in-line string replacement with string map, too, which is an often underused command that's worth a look.

 

 
when HTTP_REQUEST {

    log local0. "[IP::client_addr]:[TCP::client_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]\
        with Referer [HTTP::header Referer]"

    if {[HTTP::header exists "MyHeader"]} {
        log local0. "[IP::client_addr]:[TCP::client_port]: Updating Referer to\
            [string map -nocase {http:// https://} [HTTP::header Referer]]"
        HTTP::header replace Referer [string map -nocase {http:// https://} [HTTP::header Referer]]
    }
}
when HTTP_REQUEST priority 501 {
    log local0. "[IP::client_addr]:[TCP::client_port] (501): Current Referer [HTTP::header Referer]"
}
 

There you have it, 3 more iRules to show off just how much you can do in only 20 lines of code. Next time we’ll break past the 100 examples mark. See ya then.

#Colin


  Friday, October 16, 2009 #
  
DevCentral Top5 10/16/2009

After some much needed vacation I'm back at the helm this week to deliver your Top5. I'm sure you've managed to find some tasty morsels on DevCentral while I was away, but hopefully I'll be able to help out and point you in the direction of some more DC goodness now that I'm back. The past couple weeks have been busy and I have only 5 slots to fill with my picks, so make sure to keep checking out DevCentral if you're looking for more, but here is this week's Top5:

 

DevCentral Weekly Roundup Episode 107 - The F5 Guy

http://devcentral.f5.com/weblogs/dcpodcast/archive/2009/10/15/devcentral-weekly-roundup-episode-107-the-f5-guy.aspx

The Weekly Roundup is no stranger to the Top5. Indeed I find it's often a valuable entry as it gives some perspective on what the team and community are up to, cool things you should see, etc. It's kind of my way of fitting more than 5 entries into the Top5, but shhh, don't tell anyone. This week, however, there's even more reason than normal to check it out. Blogger and F5 expert The F5 Guy graced us with his presence on the cast this week, and it was filled with hawesomeness as was expected when I heard he was joining us. We talked about what he's been up to, how he came to work with F5 gear, what kinds of products and technologies he works with, how and why he started his blog, www.thef5guy.com, and how the team should all have iPhones. Okay, that last part was an inside joke, but it's in there too. In any event, there was some awesome F5 and DevCentral talk going on and if you missed the live stream, you should definitely check out the podcast if you get a chance.

 

OOW Coverage on DevCentral

http://devcentral.f5.com/weblogs/dmacvittie/archive/2009/10/15/oow-coverage-on-devcentral.aspx

Don made a smart move this week and made a blog post rounding up and listing all the awesome videos that Pete Silva took while attending Oracle's Open World event. So while I'm linking to Don's blog, I think he'll agree that Pete is the one that did the leg work and deserves the credit along with his assorted cast of guests ranging from Calvin Rowland to Andy Ohler to Ron Carovano and beyond. Pete shot a series of short, easily consumed clips interviewing different F5ers at Open World about the event, F5's work with Oracle, what was new and exciting, and their take on the show. It was pretty cool to get a feel for the happenings without actually being there and Pete's classic style and enthusiasm shone through as always. These vids are worth a gander if you're interested to hear about F5 and Oracle. I know I was, and I'm glad I got a chance to watch them.

 

F5 Management Pack v1.4.1.93 Released: Globalization Support!

http://devcentral.f5.com/weblogs/druddell/archive/2009/09/30/f5-management-pack-v1.4.1.93-released-globalization-support.aspx

The post itself may be short, but the implications and impact are…long? Regardless of my grammatical failings, another new version of the F5 Management Pack has been dropped courtesy of the ever busy MPack team here at F5. If you haven't gotten your hands on the Management Pack yet, you should. There are way too many cool things that you can do to not have at least taken a look yet. With new versions dropping frequently and a steady stream of tutorial content coming straight from the Devs, it's not hard to get started. With this newest release the Management Pack now boasts globalization support to support localized versions of Windows Server 2003 and 2008 R2. This is good news for those worldwide audiences looking to dig further into the world of monitoring and management with the F5 Management Pack. Very cool stuff.

 

Using Network-Side Scripting to Implement Mock API Endpoints

http://devcentral.f5.com/weblogs/macvittie/archive/2009/10/05/using-network-side-scripting-to-implement-mock-api-endpoints.aspx

It's a shame, really, to try and distill Lori's ever expanding army of posts down to just a single entry for the time I was out, but such is my lot in life. Using the tried and true "throw a dart at the dart-board" method seemed out of the question, so I just picked the one that talked about iRules and had code in it. What…you're surprised? Have you read my stuff before? In this post Lori delves into mocking up an API endpoint in iRules, our very own brand of network-side scripting. It's built to inspect an API call, determine what call it is, then return canned responses based on that call. Pretty cool stuff, right? What's even more cool is that this can end up saving time and resources for plenty of people that happen to have F5's ADC devices already deployed and could use it to test against. I'll admit it, I'm a sucker for a good iRules post, and Lori's got my attention straight away. Good stuff for anyone interested in network-side scripting, APIs, or SOA-ish type stuff.

 

Creating Cacti Templates for BIG-IP CPU Utilization

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=4324

Taking you step by step through the process of creating these Cacti templates, all the way from the data collection Perl script to the Cacti configuration, is our resident Cacti expert, Jason. This very cool Tech Tip goes into stellar detail to get you from point A to B without losing you along the way. Complete with big animal pictures and the actual code you'll need to get started, Jason leads you down the path towards a state of Cacti zen. I'm not a huge SNMP or Cacti guy experience-wise, but it's some pretty cool stuff in the right hands and Jason makes it plenty interesting. It's cool to see what he's up to. Take a look for yourself.

 

There you have it, the Top5 for the week. I'm glad to be back and hope you found this helpful. As always, feedback is appreciated, and you can check out previous Top5s here - http://devcentral.f5.com/Default.aspx?tabid=101

 

 

#Colin


  Tuesday, September 29, 2009 #
  
Do you Rule? Do you … iRule?

If so, you had better hurry.  You’re running out of time to submit your cool, unique, amazing or otherwise interesting iRules to this year’s iRule. Do You? contest.  All you have to do is fill out one simple form and you’ll be entered to win some pretty hawesome prizes.  If I weren’t disqualified for being an employee (and one of the judges) I would have submitted 10 entries by now for a chance at not only the sweet swag, but the glory of being the #1 iRuler on DevCentral.

This contest is fun, for sure, but it’s also a fantastic way to showcase just how innovative and powerful iRules are. As someone with a deep affection for the technology it makes me extremely excited to see all the entries coming in from around the world.  We’ve seen all sorts of solutions, big and small, simple and complex, and all of them have an equal shot.  We don’t just want the 400 line monsters. There’s a good chance that some of the iRules from the 20LoL would fare just fine in this contest, if they’re interesting enough.

So take a few minutes, go through your iRules library (what…doesn’t everyone have one?) and dig out your favorite few to submit.  It only takes a couple minutes and it’s well worth it. 

#Colin


  Friday, September 25, 2009 #
  
DevCentral Top5 09/25/2009

Side-projects and behind the scenes activities abound as the DevCentral team works towards the next goal on our plans for world domination, carefully sketched on Jeff's whiteboard. I'm glad to say that the extended DC team has been helping, as always, to keep the content flowing though, and there's plenty to highlight this week. Take a look at this week's Top5:

 

Closing in on the iRules Contest Deadline

http://devcentral.f5.com/weblogs/jason/archive/2009/09/15/closing-in-on-the-irules-contest-deadline.aspx

Jason points out a very important, timely fact. It's nearly the end of your window to submit killer iRules for great prizes! The iRules contest is coming to a close. We've gotten some awesome entries so far and I've personally loved seeing them flow in from all over the world. There is still time, though. If you've got an iRule that you use that is cool and unique and warrants sharing, now is the time! Get it submitted and put your bid in for one of the pretty killer prizes offered to the winners. Check out Jason's post to get the details of what they are, where to apply, and a cool example iRule from the forums that could easily be submitted.

 

Despite Rumors to the Contrary F5 Remains In the Lead

http://devcentral.f5.com/weblogs/macvittie/archive/2009/09/25/despite-rumors-to-the-contrary-f5-remains-in-the-lead.aspx

Lori comes to you this week with an important news bulletin: F5 is still leading the charge in the ADC market, despite the mutterings you may have heard recently. With the release of the new Magic Quadrant from Gartner there is always a fair amount of posturing and hubbub. Lucky are we that our positioning continues to speak for itself, well in the lead. I'm not usually one to go in for marketing type stuff, but the geek in me loves that we have the coolest technology at the party, bar-none. This is one of the many indicators of that, and I was glad to see Lori point it out.

 

DevCentral Weekly Roundup Episode 104 - Guru, Guy, and My BIG-IP

http://devcentral.f5.com/weblogs/dcpodcast/archive/2009/09/24/devcentral-weekly-roundup-episode-104-guru-guy-and-my.aspx

This week's podcast was a particularly cool one, thanks to the caller that decided to join us. A few weeks ago we started dabbling in live-streaming our podcasts as we record them. This week Joe added the functionality to allow users to call in and chat with us in real-time, while we record. I was pleasantly surprised that we had a community member do precisely that, and share with us what they're currently doing with our tech. If you ever doubt that DevCentral is a far-reaching community with active members, an impromptu call from an international user to chat with us about what they're doing should cure what ails you.

 

Turn Your Podcast Into An Interactive Live Streaming Experience

http://devcentral.f5.com/weblogs/Joe/archive/2009/09/25/turn-your-podcast-into-a-interactive-live-streaming-experience.aspx

As I mentioned above, the past few weeks we've been adding functionality to our podcasts. This once simple process has become increasingly more complex as we've tried to leverage new and cool features to make them more engaging and interactive for our users. With Joe at the helm we've incorporated several tools that make this possible. Today he put out a blog post detailing just how these all work together and exactly how it is that he crafted this bigger, better mousetrap. I found it quite interesting and it's a neat peek behind the curtains into one of the things we do here in DC Land.

 

Reduce your Risk

http://devcentral.f5.com/weblogs/psilva/archive/2009/09/24/reduce-your-risk.aspx

In Pete's 13th of 26 short topics about security he discusses mitigation. He touches on the fact that you should generally assume, if you're dealing with a publicly facing application, that you will eventually be the target of some malicious activity. He also details a few ways in which we all help to mitigate those risks on a daily basis. From firewalls to strong passwords to access cards to secure facilities, there are many hoops we all jump through daily, whether we think about it or not, to try and mitigate the risks inherent in today's IT world. This series is an interesting one and the pieces are easy to digest. I intend to keep following it as it moves towards topic #26, and I recommend you do the same.

 

There you have it, my Top5 picks from DevCentral for the week. Hopefully you enjoyed them, and I'll be back with more soon. Be sure to check out previous editions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin


  Friday, September 11, 2009 #
  
DevCentral Top5 09/11/2009

The extended DevCentral team has been hard at work this week, as always, fulfilling your geek needs and then some. As such, this Friday's Top5 brings to you all types of DevCentral-y goodness. From text, to audio, to informative pictures, we've got it all this week. I've picked a few of the best, five to be exact, to share with you. Here they are:

 

The Threat Behind the Firewall

http://devcentral.f5.com/weblogs/psilva/archive/2009/09/09/the-threat-behind-the-firewall.aspx

Pete Silva dives into drives this week in his piece on the dangers lurking behind seemingly benign usb drives. These undeniably handy devices can do just as much, if not more, harm than good if you're not careful. Pete points out a few ways in which you can find yourself in trouble, and how these devices make up an increasingly large portion of the distribution means for malware infections. I use them, I'm sure you do, and this is an interesting read. It never hurts to be safe with your systems, but to do that you have to know what to watch out for. This is a good read if you're looking to get to know more about how you can stay safe with your usb devices, and knowing is half the battle, or so they say.

 

iRules Insight - HTTP Event Order

http://devcentral.f5.com/weblogs/jason/archive/2009/09/08/irules-insight-http-event-order.aspx

Jason found a fantastic forum post this week, that featured a pretty darn cool image. An image so cool, in fact, that he turned it into a blog post. There isn't a ton of text to read through, because there's plenty to digest in this image which attempts to detail the logical flow of an iRule firing HTTP events. This is something that might be quite useful for those building or starting to build iRules. I know the event order topic has come up numerous times. There are documents out now that show the order, but I thought this visual representation was very cool. One of the follow-up comments is pretty outstanding also. Go take a look.

 

WILS: Automation versus Orchestration

http://devcentral.f5.com/weblogs/macvittie/archive/2009/09/10/wils-automation-versus-orchestration.aspx

Maybe it's the fact that she was writing it like Seth, maybe it's because the point came across clearly and made me nod my head repeatedly while I read the piece, maybe it's just because it made me think of orchestras and music and conductors, and I have a soft spot for all those things, but this was my favorite blog post by Lori this week. She had several, as always, and this was by no means the most commented on or the most in-depth. I think it is extremely clear and concise, though, and there is something to be said for both of those things. Discussing the difference between automating a single, rigid, clearly defined task, even if it has multiple steps, and orchestrating an entire process, i.e. many tasks being performed together, each dependent on multiple situational variables, is not an easy thing to do. I think this clear-cut post did it well, so it makes my Top5. Seth would be proud.

 

20 Lines or Less #29

http://devcentral.f5.com/weblogs/cwalker/archive/2009/09/10/20-lines-or-less-29.aspx

More iRules! Yes, this week brought another edition of the 20LoL. As I near the 30th edition I talk about HTTP port numbers in a request and how to deal with them, checking pool member status in real-time and reporting it, and some fun with nested switching and pool selection. These are always fun for me to write and I think there's value in them for anyone that's using or looking into iRules. Whether you're an iRule newbie, a veteran, or just trying to figure out what the heck you'd use one for, I recommend taking a look. The 20 Lines or Less is always a good place to get simple, easy to follow examples of iRules doing real world things that benefit real people.

 

Audio White Paper - Create A Smarter Storage Strategy

http://devcentral.f5.com/weblogs/interviews/archive/2009/09/11/create-a-smarter-storage-strategy.aspx

In another edition of his Audio White Paper series, Pete peps up another storage white paper. If you've been looking to learn more about how you can lighten your storage management burden, but haven't taken the time to dig into the documents that discuss how, you might be able to squeeze in giving this a listen to help you out. The white-paper, linked to from the post, discusses file data growth and how this will continue to be a concern for companies, how there is a wealth of options to the degree of making what to do unclear, and gives some options that might help clear things up. I wasn't convinced that audio versions of white papers would be popular at first. Given the response we've seen over the history of DevCentral, including this series of Pete's, I've become a believer and for good reason. If you don't have the time or inclination to dig through the document itself, the audio version might just do the trick.

There are my five favorites from DevCentral this week. I hope you enjoyed them as much as I did. Let me know if you've got any feedback, as always, and I'll see you next week.

 

#Colin



Thursday, September 10, 2009
  
20 Lines or Less #29

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

29 editions later and still going strong. The 20LoL is a testament to just how many different things can be done with iRules in just a few lines of code.  Just imagine the possibilities if this were the 30LoL.

This week I’ve got three more examples, all from the forums. Today we’ll cover dealing with port numbers in HTTP requests, checking pool status from within an iRule, and more fun with nested switching.  The community keeps putting out fantastic examples so I just keep on writing about them.  Keep it up.

 

Removing HTTP request port numbers

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=62227&view=topic

Hoolio came up with a trio of examples of how to deal with port numbers in your HTTP requests. All of them are good, depending on your situation, but I’m only going to highlight one here.  Go check out the forum post above to see the other two and get the context of the thread.

when HTTP_REQUEST {
  # Check if Host contains a colon (i.e. the client sent an explicit port)
  if { [HTTP::host] contains ":" } {
    # Redirect client to requested host minus the port and preserve the original URI
    HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
  }
}
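The same host/port handling in plain Tcl, added here as an example you can run in tclsh; it is not hoolio's code from the thread above. It does two things the one-liner does not: it handles bracketed IPv6 literals (splitting on the first ":" as `getfield $host ":" 1` does would mangle `[2001:db8::1]:8443`), and it checks the host against an allow-list before building the redirect, since the Host header is client-controlled and a redirect built straight from it sends the client wherever the request says. The proc names, the allow-list contents and the sample inputs are assumptions for illustration.

```tcl
# Added example (not from the original post or forum thread): plain Tcl that
# exercises the Host/port logic outside BIG-IP.  Proc names, the allow-list and
# the inputs below are assumptions.

# Split a Host header value into name and port.  Splitting on the first ":"
# (what `getfield $host ":" 1` does in the iRule) breaks on bracketed IPv6
# literals such as "[2001:db8::1]:8443", so that form is handled first.
proc split_host_port {host} {
    if {[string index $host 0] eq "["} {
        set close [string first "]" $host]
        if {$close < 0} { return [list $host ""] }
        set name [string range $host 0 $close]
        set rest [string range $host [expr {$close + 1}] end]
        if {[string index $rest 0] eq ":"} {
            return [list $name [string range $rest 1 end]]
        }
        return [list $name ""]
    }
    set idx [string first ":" $host]
    if {$idx < 0} { return [list $host ""] }
    return [list [string range $host 0 [expr {$idx - 1}]] \
                 [string range $host [expr {$idx + 1}] end]]
}

# Build the redirect target only for names this virtual server is meant to
# serve.  The port is dropped on purpose, as in the iRule; the allow-list keeps
# the redirect on our own names instead of whatever Host the client sent.
set allowed_hosts [list "www.example.com" "example.com"]   ;# assumed names

proc redirect_target {host uri allowed} {
    lassign [split_host_port $host] name port
    set name [string tolower $name]
    if {[lsearch -exact $allowed $name] < 0} {
        return ""   ;# unknown host: caller should not redirect
    }
    return "https://$name$uri"
}

# Constructed inputs standing in for [HTTP::host] and [HTTP::uri].
foreach {host uri} {
    "www.example.com:8080"   "/login?next=/home"
    "example.com"            "/"
    "[2001:db8::1]:8443"     "/"
    "evil.example.net:80"    "/"
} {
    set target [redirect_target $host $uri $allowed_hosts]
    if {$target eq ""} {
        puts "$host -> no redirect (host not in allow-list)"
    } else {
        puts "$host -> $target"
    }
}
```

In an iRule the allow-list would typically live in a data group or a class, and the lookup would replace the `lsearch`; the structure of the check is the same.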

 

Checking pool member status

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=62093&view=topic

User cmbhatt, another one of our power-users, came up with a very cool example of using the LB::select command and HTTP::respond to show the status of a selected pool member.  It even has a built-in meta-refresh so you can continually monitor the status. Pretty neat stuff.

when HTTP_REQUEST {
     if { [HTTP::uri] eq "/status" } {
         # LB::select returns "pool <name> member <ip> <port>"; pull the fields out
         scan [LB::select] %s%s%s%s%d command current_pool command2 current_member current_port
         eval [LB::select]
         set response "<html><head><title>$current_pool Pool Status - [clock format [clock seconds]]</title><meta http-equiv='refresh' content='10; url=http://[HTTP::host]/status'></head><body>"
         if { [active_members $current_pool] < 1 } {
             append response "POOL NAME:$current_pool<br/> CURRENT MEMBER:$current_member:$current_port<br/> STATUS: DOWN <br/></body></html>"
         } else {
             append response "POOL NAME:$current_pool<br/> CURRENT MEMBER:$current_member:$current_port<br/> STATUS: UP <br/></body></html>"
         }
         # Respond only for /status; any other request falls through to normal load balancing
         HTTP::respond 200 content $response "Content-Type" "text/html"
     }
}
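A status page like this reveals the pool name and the address and port of a backend server to whoever asks for /status, so the check a defender wants is to answer only clients from a management network. The plain Tcl below, added here as an example and not cmbhatt's code from the thread, parses the `LB::select` string with the same `scan` pattern and gates the page on an IPv4 CIDR. BIG-IP has `IP::addr` for the subnet test; plain Tcl does not, so a small helper is included. The subnet, pool and client addresses are constructed.

```tcl
# Added example (not from the original post or thread): plain Tcl for tclsh.
# The selection string, subnet and client addresses are constructed values.

# LB::select returns "pool <name> member <ip> <port>".  %s skips leading
# whitespace, so four %s and one %d pull the fields out of that string.
proc parse_lb_select {selection} {
    if {[scan $selection {%s%s%s%s%d} kw1 pool kw2 member port] != 5} {
        return ""
    }
    if {$kw1 ne "pool" || $kw2 ne "member"} { return "" }
    return [list $pool $member $port]
}

# IPv4-only CIDR test standing in for IP::addr, which plain Tcl lacks.
proc ip4_to_int {ip} {
    set octets [split $ip "."]
    if {[llength $octets] != 4} { error "not an IPv4 address: $ip" }
    set n 0
    foreach o $octets {
        if {![string is integer -strict $o] || $o < 0 || $o > 255} {
            error "not an IPv4 address: $ip"
        }
        set n [expr {($n << 8) | $o}]
    }
    return $n
}

proc ip4_in_cidr {ip cidr} {
    lassign [split $cidr "/"] net bits
    set mask [expr {$bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF}]
    return [expr {([ip4_to_int $ip] & $mask) == ([ip4_to_int $net] & $mask)}]
}

# Returns {status-code body}.  Clients outside the management subnet get 403
# and learn nothing about the pool; everyone else gets the same page the iRule
# builds.  active_count stands in for [active_members $pool].
proc status_page {client_ip selection active_count mgmt_cidr} {
    if {![ip4_in_cidr $client_ip $mgmt_cidr]} {
        return [list 403 "Forbidden"]
    }
    set parsed [parse_lb_select $selection]
    if {$parsed eq ""} { return [list 500 "unexpected LB::select output"] }
    lassign $parsed pool member port
    set state [expr {$active_count < 1 ? "DOWN" : "UP"}]
    return [list 200 "POOL NAME:$pool<br/> CURRENT MEMBER:$member:$port<br/> STATUS: $state<br/>"]
}

# Constructed inputs: one selection string and three (client, active_members) pairs.
set selection "pool web_pool member 10.1.20.15 8080"
foreach {client active} {10.0.0.42 2  203.0.113.9 2  10.0.0.42 0} {
    lassign [status_page $client $selection $active "10.0.0.0/8"] code body
    puts "$client -> $code $body"
}
```

Inside an iRule the gate would be `if { ![IP::addr [IP::client_addr] equals 10.0.0.0/8] } { HTTP::respond 403 }` placed before the `scan`; the rest of the logic is unchanged.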

 

More nested switching and pool selection vs. redirection

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&view=topic&postid=62162

This rule stemmed from cmbhatt, once again, then I went in and made some tweaks where I think it made sense, as you can see in the thread.  The idea is that the user is looking to do some inspection of first the host, then in some cases, depending on what the host is, the URI as well.  Based on what’s found either a load balancing decision is made or a redirect is issued.  This is yet another awesome example of how iRules can turn something that would be ridiculously tricky or even impossible elsewhere into something pretty straightforward.

when HTTP_REQUEST {
  switch [HTTP::host] {
    "www.mydomain.eu" {
      switch [HTTP::uri] {
        "/" { HTTP::respond 301 Location "http://www.mydomain.eu/zz/index.html" }
        default { pool mydomain_eu_pool }
      }
    }
    "www.mydomain.be" {
      switch [HTTP::uri] {
        "/" { HTTP::respond 301 Location "http://www.mydomain.eu/be/zz/index.jsp" }
        default { pool mydomain_be_pool }
      }
    }
    "www.mydomain.nl" { HTTP::respond 301 Location "http://www.mydomain.eu/nl/zz/index.jsp" }
    # "-" makes this pattern fall through to the next body
    "www.mydomain.fr" -
    "mydomain.fr" { HTTP::respond 301 Location "http://www.mydomain.eu/fr/zz/index.jsp" }
    "www.mydomain.lu" { HTTP::respond 301 Location "http://www.mydomain.eu/lu/zz" }
  }
}

 

There you have it, three more iRules to get you on your way in less than 21 lines of code.  Feel free to submit ideas, suggestions, or feedback, as always.

#Colin



Thursday, September 03, 2009
  
20 Lines or Less #28

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

Nearing the thirty mark with the 20LoL it occurs to me that I’m having a harder and harder time with something. No, it’s not finding interesting ideas to feature. The community has been absolutely stellar with that part. There are always plenty of iRules for me to grab either directly or with some modification (which is half the fun). No the issue is that I’m having a tough time remembering if I’ve covered a topic too similar to the current one already.  Forgive me if I end up double dipping at some point. At the very least it will be a new slant on the idea.

I’m pretty sure this week these are all original concepts. I bring to you examples of SSL and non-SSL traffic sharing a VIP in harmony, making use of the scan command to dissect URIs, and some more persistence trickery.

 

SSL and plaintext living together

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=61869&view=topic

There was a need to serve SSL traffic for all but a few URIs, and the desire was to use an iRule to do so.  Fortunately for the original poster, someone was quick to seek out some of hoolio’s earlier work via the search function. In this example you can see how to selectively disable encryption for a particular URI.  This could work in the inverse just as easily (selectively enable for only a few secure URIs).

when HTTP_REQUEST {

   # Check if request matches the criteria to disable server-side SSL
   if { [HTTP::uri] starts_with "/clear" } {

      # disable SSL on the serverside context
      SSL::disable serverside

      # select the http pool
      pool http_pool

   } else {
      # default is to use server-side SSL and the https pool
      pool https_pool
   }
}

 

Multiple Persistence timeouts based on URI

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=61948&view=topic

In a very cool juggling act, hoolio puts on yet another seminar on how to use iRules to meet your tricky and extremely specific needs.  He shows here how you can manage a single type of persistence (source address in this case) with multiple timeouts based on the URI that’s requested. The additional trick here is to have the longer timeout not overwritten by the shorter timeout the next time that user requests a URI not in the “extended timeout” list.  I like it.

when HTTP_REQUEST {

    # Check requested path
    switch -glob [HTTP::path] {
       "/apps/aml/*" {
          # Persist client for 10 hours
          persist source_addr 36000
       }
       default {
          # Persist client for 1 hour
          persist source_addr 3600
       }
    }
}

 

Scanning URIs

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=61774&view=topic

The need from the user was to alter multiple variables in a URI. This was complicated further by the structure of the URI and the type of replacement that needed to be done.  Aaron (hoolio) though, swift as ever, managed to whip up a tidy solution to the problem making use of the powerful scan command. This one is definitely cool and shows off this under-used command.

when HTTP_REQUEST {

    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to [HTTP::uri]"

    if { [HTTP::uri] contains "adserver/impression" }{
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched URI check"

       # Scan the URI looking for the pid, oid and rand values
       if { [scan [HTTP::uri] {/adserver/impression/pid=%[^/]/oid=%[^/]/rand=%[^/]} pid oid rand] == 3 } {   

          log local0. "[IP::client_addr]:[TCP::client_port]: Scanned three values: pid = $pid, oid = $oid, rand = $rand"
          HTTP::uri [string map "adserver/impression/pid=$pid/oid=$oid/rand=$rand/?click ad.imp?pid=$pid&oid=$oid&rand=$rand/?pclk" [HTTP::uri]]
       }
    }
}
when HTTP_REQUEST priority 501 {
    log local0. "[IP::client_addr]:[TCP::client_port]: 501: Updated URI: [HTTP::uri]"
}
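The `scan` pattern above is plain Tcl and behaves identically in tclsh, so here is an added example (not hoolio's code from the thread) that runs the same rewrite outside BIG-IP. Beyond the happy path it shows the two edge cases worth knowing: `%[^/]` never matches an empty field, so a URI with `oid=` and nothing after it makes `scan` return fewer than 3 and the `== 3` guard leaves the URI untouched; and the `string map` mapping is built with `list`, because a bare `"$from $to"` string is split on whitespace, so a scanned value containing a space would turn the two-element map into a broken list. The URIs below are constructed.

```tcl
# Added example (not from the original post or thread): the iRule's scan-based
# rewrite in plain Tcl.  The URIs at the bottom are constructed inputs.

proc rewrite_impression_uri {uri} {
    # %[^/] consumes everything up to the next "/" and never matches the empty
    # string, so a missing or empty field makes scan return fewer than 3 and
    # the URI is returned unchanged (the same "== 3" guard as the iRule).
    if {[scan $uri {/adserver/impression/pid=%[^/]/oid=%[^/]/rand=%[^/]} pid oid rand] != 3} {
        return $uri
    }
    set from "adserver/impression/pid=$pid/oid=$oid/rand=$rand/?click"
    set to   "ad.imp?pid=$pid&oid=$oid&rand=$rand/?pclk"
    # [list] quotes each element; "$from $to" as a bare string would be split
    # on any whitespace inside the scanned values and corrupt the mapping.
    return [string map [list $from $to] $uri]
}

foreach uri {
    "/adserver/impression/pid=123/oid=456/rand=789/?click"
    "/adserver/impression/pid=123/oid=/rand=789/?click"
    "/adserver/impression/pid=1 2/oid=456/rand=789/?click"
    "/other/path"
} {
    puts "$uri\n  -> [rewrite_impression_uri $uri]"
}
```

The first URI is rewritten to `/ad.imp?pid=123&oid=456&rand=789/?pclk`, the second and fourth come back unchanged, and the third is rewritten correctly only because the map was built with `list`.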

There are your three examples for the week in an aggregate 60 lines or less (see what I did there?).  Hopefully you’re continuing to find these interesting to read. I’m definitely still enjoying putting them together and want to give yet another massive thanks to the amazing community as a whole and specifically Hoolio for the continued contributions.

#Colin

