DevCentral > Weblogs > Colin Walker - Wielding the Power of the Network to Better Applications Everywhere

Thursday, August 26, 2010


What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week we dive into parsing SSL encrypted payloads until a given string is found, logging user login info as it comes across the wire, and enforcing a subsite ACL. 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1172756/aff/5/showtab/groupforums/Default.aspx#1175124

In this first, rather cool, example from user mattrm we get a peek at how he's dealing with logging user info as people log in, by making use of the stream profile, the STREAM::match command and regular expressions. One caveat before you borrow it: the rule base64-decodes the user's password and writes it to the local log, so treat it as a debugging aid rather than something to leave running on a production box.

when STREAM_MATCHED {
  # log each match found by the stream filter
  log local0. "Stream filter matched: [STREAM::match]"
  set myvar [STREAM::match]
  # only decode and log when the fields were captured; an unchecked regexp
  # leaves sub1..sub3 unset and the log line below would error
  if { [regexp {Username=(.+)\sUserpassword=(.+)\sUseremail=(.+)\sUserhomefolder=(.+)\s} $myvar matched sub1 sub2 sub3] } {
    # note: this writes the decoded password to the system log
    log local0. "Username=[b64decode $sub1] Userpassword=[b64decode $sub2] Usermail=[b64decode $sub3]"
  }
}
when LB_SELECTED {
  set serverIP [LB::server addr]
  log local0. "LB Server IP $serverIP"
}

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1174268/aff/5/showtab/groupforums/Default.aspx

Bhattman and Chris Miller tag team to answer a thread about creating a sub-site ACL and provide this cool little chunk of code. The idea is pretty simple: block access to a specific section of an app unless the client is coming from a specific list of IP addresses. The implementation is wonderfully simple, though, complete with an Access Denied-esque message straight from the iRule. Two things to keep in mind: the rule matches with "contains" against the whole URI, query string included, so both the subsite match and the /admin/upload exemption can be triggered by that string anywhere in the request URI, and the IP check only means anything if the BIG-IP sees the real client address rather than that of an upstream proxy.

when HTTP_REQUEST {
  set uri [string tolower [HTTP::uri]]
  # deny requests into the protected subsite unless the client is in the allow
  # list; /admin/upload is exempted from the check. Note that "contains" matches
  # anywhere in the URI, query string included; match on [HTTP::path] if that matters.
  if { [class match $uri contains subsite] and !($uri contains "/admin/upload") \
       and ![class match [IP::client_addr] equals allow] } {
    HTTP::respond 403 content "<HTML><HEAD><TITLE>Forbidden Redirect From Remote Server</TITLE></HEAD><BODY>Access is forbidden</BODY></HTML>"
  }
}
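The same decision as a stand-alone Python model, an added example that is not from the thread, with constructed entries standing in for the BIG-IP data groups `subsite` and `allow`. It reproduces the iRule's "contains" logic and puts a stricter path-prefix version next to it, because HTTP::uri includes the query string and a substring test on it can be steered by the client:

```python
"""Subsite ACL as in the iRule above, plus a path-prefix variant.

Added example: the data-group contents below are constructed stand-ins for
the 'subsite' and 'allow' classes discussed in the thread.
"""
import ipaddress
from typing import Tuple

SUBSITE = ("/admin", "/reports")            # constructed 'subsite' data group
EXEMPT = "/admin/upload"                     # path the iRule leaves outside the ACL
ALLOW = [ipaddress.ip_network(n)             # constructed 'allow' data group
         for n in ("10.0.0.0/8", "192.0.2.10/32")]


def client_allowed(client_ip: str) -> bool:
    """Equivalent of [class match [IP::client_addr] equals allow]."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                         # unparseable source address: not allowed
    return any(addr in net for net in ALLOW)


def decide_contains(uri: str, client_ip: str) -> Tuple[int, str]:
    """The iRule's logic: substring matches against the full, lower-cased URI."""
    u = uri.lower()
    in_subsite = any(p in u for p in SUBSITE)
    exempt = EXEMPT in u                     # matches inside the query string too
    if in_subsite and not exempt and not client_allowed(client_ip):
        return 403, "deny"
    return 200, "forward"


def decide_path_prefix(uri: str, client_ip: str) -> Tuple[int, str]:
    """Stricter variant: match on the path only, as directory prefixes.

    No dot-segment normalisation is done here; do that before matching
    if your backend resolves '..' in paths."""
    path = uri.split("?", 1)[0].lower()      # drop the query string

    def under(prefix: str) -> bool:
        return path == prefix or path.startswith(prefix + "/")

    in_subsite = any(under(p) for p in SUBSITE)
    exempt = under(EXEMPT)
    if in_subsite and not exempt and not client_allowed(client_ip):
        return 403, "deny"
    return 200, "forward"


if __name__ == "__main__":
    outside = "203.0.113.5"                  # constructed address not in 'allow'
    for uri in ("/admin/users", "/admin/upload", "/admin/users?next=/admin/upload"):
        print(uri, decide_contains(uri, outside), decide_path_prefix(uri, outside))
```

The third URI in the usage block is the interesting one: the substring version forwards it because the exemption string appears in the query, while the path-prefix version still denies it.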

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1174288/aff/5/showtab/groupforums/Default.aspx

Last but never least, spark rolls up his sleeves and flexes an ounce of his iRuling muscle to show how easy it can be to collect SSL payload data until a given string is found. He even goes one step further to discuss the difference in functionality between the TCP::collect and SSL::collect commands and how the base functionality is similar but not identical. Definitely a cool one.

when CLIENTSSL_HANDSHAKE {
  # start collecting decrypted client data once the handshake completes;
  # without this initial SSL::collect, CLIENTSSL_DATA never fires
  SSL::collect
}
when CLIENTSSL_DATA {
  if { [SSL::payload] contains "the query string" } {
    log local0. "I got the query!"
    SSL::release
  } elseif { [string length [SSL::payload]] > 65536 } {
    # give up rather than buffering the whole session in memory
    log local0. "String not found in the first 64KB, releasing"
    SSL::release
  } else {
    SSL::collect
  }
}

There you have it, three more examples of iRules coolness in less than 21 lines of code each.  See you soon for more iRuling goodness.

 

#Colin

Friday, June 25, 2010


Many happenings abound these days, enough that it's hard for even me to keep track of them all. Amongst them in the past couple weeks have been wicked cool iRules projects, video projects, and likely most importantly of all, the expansion of the DevCentral team. Some of it I can talk about, some of it is still secret squirrel status, but here's what I can tell you for sure: there is no shortage of awesome stuff to be seen on DevCentral. Here are five things, as a matter of fact, that you definitely shouldn't miss. I give you this week's DC Top5:

 

DC Land Grows by One, A.k.a: Hello World!

http://devcentral.f5.com/weblogs/watkins/archive/2010/06/25/hello-world.aspx

It's my great pleasure to give a shout out to George Watkins, the newest addition to the DevCentral team. George may be the new guy on our team, but he's no newbie when it comes to this crazy future techno-stuff we like to do around here. His roots are in tech, covering the ground of Systems Administrator, coding fanboy, and more recently purveyor of all things good and sound in the world of LTM/GTM for the DevCentral team. As someone I've personally worked with since he started here at F5, I can say I'm quite glad to have scooped him up for the DC team, as we'll all be benefiting from the geeky things he'll be brewing up in no time. He's also got a fair amount of knowledge about DC, what we do and how we do it since, well, he's been the guy turning the knobs and pulling the levers on our internal gear for a while now. Those nifty iRules we run on DevCentral to do the whiz-bang cool things? Yeah, he's the guy that's been putting those in place once they pass dev/test. Anyway, head on over to his blog, subscribe, and say hi. I have no doubt you'll be seeing a lot more goodness flowing forth from his neck of the woods quite soon. Welcome, George!

iRules 101 - #17 - Mapping Protocol Fields with the Binary Scan Command

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084381/iRules-101--17-ndash-Mapping-Protocol-Fields-with-the-Binary-Scan-Command.aspx

So you knew this one was going to be in the Top 5, right? Come on…iRules, obscure commands, in-depth protocol analysis, this has everything but a ribbon and a note saying "here's a gift, feature this in your weekly summary". Jason out-did himself with the research and effort put into this solution. Basically there was an obscure issue with trying to identify certain browser types based on the strength of cipher they allow, and route traffic accordingly to keep certain parts of a site secure. Jason did the leg-work necessary to do the iRule wizardry to make this happen. Of course, it turns out it wasn't needed, but I'll let you read the article to find out why. Regardless, it's a slick example of scanning info to map fields for inspection/decision purposes. All you iRuley types need to check this one out for sure.

Given Enough Standards, Define Anarchy

http://devcentral.f5.com/weblogs/dmacvittie/archive/2010/06/24/given-enough-standards-define-anarchy.aspx

I know, I know, standards should help prevent anarchy, the title threw me off too. But as expected, Don delivers as you read through the post and it starts to make more sense. He's referring to the anarchy created by too many conflicting standards trying to control the way your technology, in this case data storage, works. If you have too many people trying to tell you how to do things too many ways, eventually you're not getting anything done, at least not efficiently. I like his idea of starting over and looking at the real world needs and identifying a common mechanism to deliver them. Realistic? Who knows, but I'm hopeful that it will come to fruition at some point or another. Either way, this is definitely a good read to start thinking about some of the things that you might be facing that are sapping the potential efficiency from your operations. Slimming down on the number of control mechanisms in place and standards that must be adhered to because of them might just help you in the short term until the perfect solution presents itself to cure what ails us all.

Automated Gomez Performance Monitoring Part 2 - DataCenter Identification

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084379/Automated-Gomez-Performance-Monitoring-Part-2-ndash-DataCenter-Identification.aspx

In this post Joe expands upon his cool demonstration of getting Gomez reporting injected in-line via iRules with an example of how to further hone your reporting information if you happen to, like us, be running in a multi datacenter configuration. By using the group identifier, you're able to split out the request traffic in the reporting mechanism so that you can view the requests sent only to a given data center, rather than all requests sent to your application worldwide. This makes it easy to identify datacenter specific issues or, depending on your deployment, view the usage information from different parts of the world if you're splitting data regionally, etc. A relatively simple yet very cool expansion to an already powerful rule, this one deserved to be called out. Take a peek for yourself.

Data Center Feng Shui: SSL

http://devcentral.f5.com/weblogs/macvittie/archive/2010/06/24/data-center-feng-shui-ssl.aspx

Last but never least, Lori continues to steadily beat the drum of wicked-cool-awesome-geek topics, covering everything from cloud computing and virtualization to your grandma's home baked cookies and the inherent performance gains they can net you if deployed properly. In her Feng Shui SSL post, however, she talks about virtualization as it pertains to SSL performance. The cries of virtualization everywhere echoing from seemingly every rooftop these days are fantastic to hear, because that's part of what we here at F5 do, and I couldn't agree more that virtualizing things is a fantastic approach most times. That does not mean, however, that there is no longer a need for customized hardware in your deployment. As Lori quite clearly points out, the performance that custom built physical hardware can put out is simply superior in almost every case dealing with SSL. By giving yourself dedicated, additional resources to process cryptography you're taking the load off of the other CPU(s) and allowing them to do what they should be doing in the first place. Rather than tying up the general-purpose CPU that should be processing your traffic with encryption and decryption work it isn't specifically designed for, running that work on purpose-built hardware can show dramatic improvements in overall performance. I'm not sure who wouldn't understand that, but if you know someone, show them this post and maybe Lori can help clear it up for them.

Well, those are my 5 picks for the week. Have a good one, and check back soon for more DC Top5 recommendations.

#Colin

Tuesday, May 25, 2010


A great post over on ajaxian got me to thinking today.  Why is it whenever you hear people talking about speed on the internet, they use a single metric?  Whether they’re discussing the connection in the datacenter, their residential DSL, or the wireless connection via their mobile device, everyone references the bandwidth of their connection when talking about speed.  “Oh I just got a 20Mb/s connection at home, it’s blazing fast!”  That’s all well and good, and 20 Mb/s is indeed a lot of throughput for a residential connection. Unfortunately for Joe Average, about 98% of the population wouldn’t know what the heck to DO with 20 Mb/s of download speed, and even worse than that…they would likely see absolutely zero increase in performance while doing the one thing most people use their connection for the most, browsing the web.

No one seems to ever bother mentioning the true culprit for slow (or fast) web browsing performance: latency, measured as RTT (Round Trip Time). This is the time it takes for your system to make a request to the server and receive a response back, i.e. one complete request loop. This is where the battle for speed when browsing the web is won and lost. A round trip is measured in milliseconds (ms), and it costs the same regardless of file size (this is important later in the discussion): every request you send to the server takes at least this long before the first byte of the reply shows up, and opening a new connection costs a further round trip for the TCP handshake before you can even send the request. The time it takes to download each file is added on top of that.

“Impossible!” you say, “Clearly going from a 10Mb/s connection to the new, fast, fancy (expensive?) 20 Mb/s connection my provider is proud to now be offering will double my speed on the web! 20 is twice as much as 10 you dullard!” you assert? Oh how wrong you are, dear uneducated internet user.  Allow me to illuminate the situation via a brief discussion of what actually occurs when you are browsing the web. We’ll skip some of the fine grained details and all the DNS bits, but here’s the general idea:

Whenever you make a request for a web page on the net, you send out a request to a server.  That server, assuming you’re an allowed user, then sends a response. Assuming you don’t get redirected and are actually served a page, the server will send you a generally simple HTML page. This is a single, small file that contains the HTML code that tells your browser how to render the site.  Your computer receives the file, and your browser goes to work doing exactly that, rendering the HTML.

Up to this point people tend to understand the process, at least in broad strokes.  What happens next is what catches people, I think.  Now that your browser is rendering the HTML, it is not done loading the page or making requests to the server, not by a long shot. You still haven’t downloaded any of the images or scripts.  The references to all of that are contained in the HTML. So as your browser renders the HTML for the given site, it will begin sending requests out to the server asking for those bits of content.  It makes a new request for each and every image on the page, as well as any other file it needs (script files, CSS files, included HTML files, etc.)

Here are the two main points that need to be understood when discussing Bandwidth vs. RTT in regards to page load times:

1.) The average web page has over 50 objects that will need to be downloaded (reference:  http://www.websiteoptimization.com/speed/tweak/average-web-page/) to complete page rendering of a single page.

2.) Browsers cannot (generally speaking) request all 50 objects at once. They will request between 2-6 (again, generally speaking) objects at a time, depending on browser configuration.

This means that to receive the objects necessary for an average web page you will have to wait for around 25 Round Trips to occur, maybe even more. Assuming a reasonably low 150ms average RTT, that’s a full 3.75 seconds of page loading time not counting the time to download a single file. That’s just the time it takes for the network communication to happen to and from the server. Here’s where the bandwidth vs. RTT discussion takes a turn decidedly in the favor of RTT.

See, the file size of most of the files necessary when browsing the web is so minute that bandwidth really isn’t an issue. You’re talking about downloading 30-60 small files, a few kilobytes each on average. Even on a 2Mb/s connection, which would be considered extremely slow by today’s standards, each of these would download in a small fraction of a second.  Since you can’t download more than a few at a time, you couldn’t even make use of a full 2 Mb/s connection in most situations. So how do you expect going from 10Mb/s to 20Mb/s to actually increase the speed of browsing the web when you couldn’t even make use of a 2Mb/s connection?  The answer is: you shouldn’t.

Sure, if you were downloading huge files then bandwidth would be king, but for many small files fetched a few at a time it does almost nothing. You still have to make those 50 requests, each of which has a built-in 150ms of latency that can’t be avoided before the file even begins to download.  However, if you could lower your latency, the RTT from you to the server, from 150ms down to 50ms, suddenly you’re shaving a full 2.5 seconds off of the inherent delay you’re dealing with for each page load. Talk about snappier page loads; that’s a huge improvement.
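To put numbers on the argument, here is a small Python model, added here and not part of the original post. It charges one round trip per batch of parallel requests and then pushes the bytes through the pipe at line rate; the object count, concurrency and RTT are the post's figures, and the 6 KB per object is an assumed average. TCP handshakes, slow start and DNS are deliberately left out, as they are above.

```python
"""Round trips versus bandwidth in page-load time.

Added example, not from the post: a deliberately simple model in which each
batch of parallel requests costs one round trip, and the bytes are then
moved at line rate. No TCP handshake, slow start or DNS is modelled.
"""
import math


def round_trip_cost(objects: int, parallel: int, rtt_ms: float) -> float:
    """Seconds spent waiting on round trips for `objects` fetched `parallel` at a time."""
    if objects < 1 or parallel < 1:
        raise ValueError("objects and parallel must be positive")
    batches = math.ceil(objects / parallel)
    return batches * rtt_ms / 1000.0


def transfer_cost(objects: int, object_bytes: int, bandwidth_mbps: float) -> float:
    """Seconds needed to move all the bytes at the connection's line rate."""
    if bandwidth_mbps <= 0:
        raise ValueError("bandwidth must be positive")
    bits = objects * object_bytes * 8
    return bits / (bandwidth_mbps * 1_000_000)


def load_time(objects: int, object_bytes: int, rtt_ms: float,
              bandwidth_mbps: float, parallel: int) -> float:
    """Total seconds: round-trip waiting plus transfer time."""
    return (round_trip_cost(objects, parallel, rtt_ms)
            + transfer_cost(objects, object_bytes, bandwidth_mbps))


def saving_from_bandwidth(objects: int, object_bytes: int, rtt_ms: float,
                          parallel: int, old_mbps: float, new_mbps: float) -> float:
    """Seconds saved by upgrading the pipe while latency stays the same."""
    return (load_time(objects, object_bytes, rtt_ms, old_mbps, parallel)
            - load_time(objects, object_bytes, rtt_ms, new_mbps, parallel))


def saving_from_rtt(objects: int, object_bytes: int, bandwidth_mbps: float,
                    parallel: int, old_rtt_ms: float, new_rtt_ms: float) -> float:
    """Seconds saved by cutting latency while the pipe stays the same."""
    return (load_time(objects, object_bytes, old_rtt_ms, bandwidth_mbps, parallel)
            - load_time(objects, object_bytes, new_rtt_ms, bandwidth_mbps, parallel))


if __name__ == "__main__":
    # the post's scenario: 50 objects, 2 at a time, 150 ms RTT; 6 KB per object assumed
    print("10 Mb/s, 150 ms:", load_time(50, 6000, 150, 10, 2))
    print("saved by 10 -> 20 Mb/s:", saving_from_bandwidth(50, 6000, 150, 2, 10, 20))
    print("saved by 150 -> 50 ms:", saving_from_rtt(50, 6000, 10, 2, 150, 50))
```

With these inputs the 50 objects cost 3.75 seconds of round trips but only 0.24 seconds of transfer at 10 Mb/s, so doubling the bandwidth buys back 0.12 seconds while cutting the RTT to 50 ms buys back 2.5 seconds.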

Now of course I realize that there are lots of things in place to make latency and RTT less of an issue. Advanced caching, pre-rendering of content where applicable so browsers don’t have to wait for ALL the content to finish downloading before the page starts rendering, etc.  Those are all great and they help alleviate the pain of higher latency connections, but the reality is that in today’s internet using world bandwidth is very rarely a concern when simply browsing the web. Adding more bandwidth will not, in almost all cases, increase the speed with which you can load websites.

Bandwidth is king of course, for multi-tasking on the web. If you’re the type to stream a video while downloading audio while uploading pictures while browsing the web while playing internet based games while running a fully functioning (and legal) torrent server out of your house…well then…you might want to stock up on bandwidth. But don’t let yourself be fooled into thinking that paying for more bandwidth in and of itself will speed up internet browsing in general when only performing that one task.

#Colin

Friday, May 21, 2010


Phew! Having DC5 successfully out the door, I'm happy to resume my regularly scheduled programming. I'm back, bringing you my Top5 picks off of DevCentral every week. I'll help you sort through the content pouring across the (now new and improved!) site and offer you a few things that you should definitely check out. It's good to see that the content has still been chugging away even while the team was heads down working on the new site improvements. A big thanks to the awesome community and the extended DC team folks (Lori, Pete and co.) for keeping the lights on. Now that I'm back at it, though, allow me to offer you this week's DC Top5:

Network Optimization Won’t Fix Application Performance in the Cloud

http://devcentral.f5.com/weblogs/macvittie/archive/2010/05/20/network-optimization-wonrsquot-fix-application-performance-in-the-cloud.aspx

In her blog yesterday Lori pointed out some key differences between Network Acceleration/Optimization and Application Delivery Acceleration/Optimization that caught my eye and I thought were worth passing along. Her discussion really focuses on Application Performance and the idea that no amount of improving network performance can improve the performance of your application. You can do all the magic in the world to the network traffic while treating it like network traffic, buy the biggest pipes in the world, and still have a slow app. Why? Because changing the network speeds and feeds can't change your application or its behavior. Application Delivery, on the other hand, treats the application like an application and works with the application to try and better serve that application to the users trying to access it. As usual Lori goes into far more depth far better than I could, so just go read the post and thank me later.

 

Automated Gomez Performance Monitoring

http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084373/Automated-Gomez-Performance-Monitoring.aspx

Joe hit another solid one with his dive into Gomez and iRules working together to provide a detailed look at what your application is doing. First he talks a bit about how Gomez gives you a true look from the outside of what your users are actually seeing in regards to app performance and behavior, then he dives into how iRules can help you deploy the scripts necessary for Gomez to do that thing it does. iRules, as always it seems, make this task much easier and allow you to inject the required code in one place rather than across multiple servers, as well as giving you some other tweaks that you can perform, should you so desire. Take a look at the article for a step-by-step walkthrough along with the necessary code.

 

Multi-core Redux: Virtually Indistinguishable

http://devcentral.f5.com/weblogs/dmacvittie/archive/2010/05/19/multi-core-redux-virtually-indistinguishable.aspx

As sad as I was to see Don move on to another team within F5, I have to say I'm excited to see the kind of content he's been putting out since joining the TMM team. His delve into the multi-core world was of particular interest to me this week. In his spot-on commentary about how Multi-core, as amazing as it can be, tends to muddy the waters for developers as both individuals and as organizations thinking long-term, he talks about some personal experience he's had with that as well as a possible solution rapidly becoming more and more popular. Via virtualization you can all but ignore multi-core needs by simply supplying more instances of your application rather than a single instance making use of multiple cores. It's an interesting concept and one that I tend to agree is the path of least resistance and likely of most benefit as well. Take a read, I assure you it's worth your time.

 

20 Lines or Less #39 – Selective SSL, Port Stripping and Headers

http://devcentral.f5.com/weblogs/cwalker/archive/2010/05/21/20-lines-or-less-39-ndash-selective-ssl-port-stripping.aspx

Ahhh my beloved 20LoL. Long was it also neglected due to the steady march of impending deadlines which had to be met, but it too is back this week. I bring you three more examples of how awesome iRules can be in less than 21 lines of code. Take a look at how people in the community (not JUST hoolio, either!) are making use of network side scripting to selectively encrypt back-end SSL, strip port info from redirects, and deal with some interesting custom header needs.

 

Novell Shoots at the Cloud and Scores

http://devcentral.f5.com/weblogs/macvittie/archive/2010/05/18/novell-shoots-at-the-cloud-and-scores.aspx

This week I'll leave you with a quite humorous bit brought to you by the good folks at Novell, by way of Lori's blog. They've been running a series of ads in the style of dramatic poetry readings using interesting tech topics as content. Lori's "Get Your SaaS Off My Cloud" article was fodder for one such ad and it had me spinning up the roflcopter, so I thought I'd share with you for a late Friday funny. Check out the source article as well, as it's definitely a good read.

 

That's it for my first week back post DC5 haze. I hope you've enjoyed it as I always do, and I'll be back next week with 5 more to keep your DC cravings fulfilled.

#Colin

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

With the onslaught of work required to get DC5 up and running it’s been a while since I’ve offered some cool iRule goodness to the community from the community.  There have been plenty of examples cruising through the forums, that’s for sure, I just haven’t had the time to comb through all of them or write them up.  Now that I can again see the light of day, allow me to share some good ones with you.

 

Disabling SSL to one backend pool

We’ve looked at ways to selectively disable SSL before, but this example had an interesting twist that I thought was…well…interesting.  The idea here is to selectively disable SSL only on the back end of the connection, not the entire thing.  The client should always be encrypted but the server can, in some cases, be plain-text to try and cut down on overhead.  The obvious condition is that the BIG-IP to server leg for that pool then carries cleartext, so this only makes sense for content that isn’t sensitive (static assets here) on a network segment you trust.  Cool idea, and here’s a look at how to make it work, according to a good example by user Alok.

when HTTP_REQUEST {
  set my_uri [string tolower [HTTP::uri]]
  if { $my_uri starts_with "/secure" } {
    # sensitive content stays encrypted all the way to the server
    pool ssl__pool
  } else {
    # static content: keep the client side encrypted, talk plain-text to the server
    SSL::disable serverside
    pool static_pool
  }
}

 

Hash persistence based on true-client IP

Here’s a user that’s trying to work around a limitation in the content distribution service they’re using.  They want to use an iRule to perform hash based persistence based on a header supplied giving the client’s IP address.  Hoolio, as is often the case, springs into action and whips up a nifty little example making use of lindex and active_members -list that gets the job done.  Worth remembering: whatever header carries the client address is just another header unless you only honour it from your CDN’s addresses, and because the selection is hash modulo member count, a change in the number of active members reshuffles most clients onto different members.

when HTTP_REQUEST {
  # the client's real address arrives in a header from the CDN; the header name
  # is assumed here, use whatever your provider sends
  set tcip_header [HTTP::header "True-Client-IP"]
  if { $tcip_header ne "" and [active_members app_http_pool] > 0 } {
    # crc32 gives an integer the modulus can work on (md5 returns a binary digest)
    set idx [expr {[crc32 $tcip_header] % [active_members app_http_pool]}]
    # active_members -list returns "ip port" entries; pick one and split it on the space
    if { [scan [lindex [active_members -list app_http_pool] $idx] {%s %s} ip port] == 2 } {
      # Select the pool member IP and port
      pool app_http_pool member $ip $port
      # Exit from this event in this rule
      return
    }
  }
  # Fall through to the default pool if the header is missing, the pool is down
  # or scan didn't parse the member entry
}
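The selection the iRule makes, and the reshuffle that comes with it, as a stand-alone Python model. This is an added example, not from the thread; the member list and client addresses are constructed, and the hash is zlib's CRC32 standing in for the iRule's crc32 command. `remap_fraction` measures how many clients land on a different member once one member drops out of the active list:

```python
"""Modulo hash persistence and what happens when the member count changes.

Added example, not from the thread: models the iRule's selection (hash of the
client address modulo the number of active members) and measures how many
clients move to a different member after one member is removed.
"""
import zlib
from typing import Callable, Sequence


def crc32_hash(value: str) -> int:
    """Integer hash of the header value, like the iRule's crc32 command."""
    return zlib.crc32(value.encode("utf-8")) & 0xFFFFFFFF


def select_member(client_ip: str, members: Sequence[str],
                  hash_fn: Callable[[str], int] = crc32_hash) -> str:
    """Pick a member the way the iRule does: hash modulo active member count."""
    if not members:
        raise ValueError("no active members")
    return members[hash_fn(client_ip) % len(members)]


def remap_fraction(clients: Sequence[str], before: Sequence[str],
                   after: Sequence[str],
                   hash_fn: Callable[[str], int] = crc32_hash) -> float:
    """Share of clients whose selected member differs between two member lists."""
    if not clients:
        raise ValueError("no clients to measure")
    moved = sum(1 for c in clients
                if select_member(c, before, hash_fn) != select_member(c, after, hash_fn))
    return moved / len(clients)


if __name__ == "__main__":
    # constructed pool members ("ip port" entries as active_members -list returns them)
    members = ["10.0.0.1 80", "10.0.0.2 80", "10.0.0.3 80", "10.0.0.4 80"]
    # constructed client addresses as they would arrive in the CDN header
    clients = ["198.51.100.%d" % i for i in range(256)]
    print("198.51.100.7 ->", select_member("198.51.100.7", members))
    print("clients moved when one member is down:",
          remap_fraction(clients, members, members[:-1]))
```

With a well-distributed hash, going from four members to three moves roughly three quarters of the clients, which is what you would expect from hash modulo N: the persistence only holds while N holds. If that matters to your app, a persistence profile with a real persistence table is the safer tool.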

 

Removing port numbers from redirects

If you’re looking to strip port numbers from your redirects, then boy do I have the rule for you.  Well, it’s not my rule, really, but I get to share more of Aaron’s work with you, which is a regular and enjoyable part of my job these days, it seems.  The one man juggernaut has knocked out a quick little header replacement rule using string map and the fun HTTP::is_redirect command to get this job done.

when HTTP_RESPONSE {
  if { [HTTP::is_redirect] } {
    # the thread's rule had different port numbers in the test and in the map
    # (10040 vs 10400); keep one value so the two can't drift apart
    set hostport "www.acme.com:10040"
    if { [string tolower [HTTP::header Location]] contains $hostport } {
      log local0. "Original Location value: [HTTP::header Location]"
      HTTP::header replace Location [string map -nocase [list $hostport "www.acme.com"] [HTTP::header Location]]
    }
  }
}
when HTTP_RESPONSE priority 501 {
  if { [HTTP::is_redirect] } {
    # Debug logging only. Remove this event once done testing
    log local0. "Updated Location value: [HTTP::header Location]"
  }
}
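The same rewrite done by parsing the Location value rather than substring-replacing it, as an added Python example that is not Aaron's rule. Parsing means a relative redirect, a different host, or the host:port string sitting inside the query is left alone, which a string map can't promise. The host and port are the thread's www.acme.com:10040:

```python
"""Strip a port from redirect Location headers by parsing the URL.

Added example, not the iRule from the thread: same intent, but the Location
value is parsed, so relative redirects, other hosts and a matching string
inside the query string are not touched.
"""
from typing import Dict
from urllib.parse import urlsplit, urlunsplit


def strip_port(location: str, host: str, port: int) -> str:
    """Return `location` with host:port reduced to host when both match."""
    parts = urlsplit(location)
    if parts.hostname is None or parts.hostname.lower() != host.lower():
        return location                      # relative redirect or a different host
    try:
        if parts.port != port:
            return location                  # no port, or not the one being stripped
    except ValueError:
        return location                      # non-numeric port: leave it alone
    hostname = parts.hostname
    if ":" in hostname:                      # IPv6 literal needs its brackets back
        hostname = "[" + hostname + "]"
    userinfo, at, _ = parts.netloc.rpartition("@")
    netloc = userinfo + at + hostname        # keep any user:pass@ part, drop the port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_redirect(status: int, headers: Dict[str, str],
                     host: str, port: int) -> Dict[str, str]:
    """Only 3xx responses carrying a Location header are rewritten (HTTP::is_redirect)."""
    if 300 <= status <= 399 and "Location" in headers:
        updated = dict(headers)
        updated["Location"] = strip_port(headers["Location"], host, port)
        return updated
    return headers


if __name__ == "__main__":
    # constructed responses a backend might send
    for status, loc in ((302, "http://www.acme.com:10040/app/login"),
                        (302, "/relative?next=www.acme.com:10040"),
                        (200, "http://www.acme.com:10040/")):
        print(status, loc, "->", rewrite_redirect(status, {"Location": loc}, "www.acme.com", 10040)["Location"])
```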

Check back next week for some more examples of awesome things you can do with iRules in only a few lines of code.

#Colin

Friday, March 19, 2010


Time does fly when you're having fun, and trying to keep up with everything that's been going on with DevCentral is my kind of fun. I love watching what everyone is up to, from updates from the con to new folks blogging about their hippy proclivities, there's never a dull day in DC land. And all of this while we're hard at work on many things behind the scenes that aren't readily apparent just yet. Of course, I realize I may be slightly biased and not everyone is as apt to stay immersed as I am, hence the introduction of this little newsletter many years ago, in which I pick the five things you really need to see, which I offer to you yet again here:

 

There's Privacy Then There's Privacy

http://devcentral.f5.com/weblogs/macvittie/archive/2010/03/18/privacy-different-from-privacy.aspx

In one of Lori's recent blog entries she discusses allowing users to implement flexible security based on policies they craft themselves. That's an intriguing topic in its own right, but then she went on to talk about doing so with network side scripting, and I was hooked. The idea is to allow a user to implement their own filter to scrub content they themselves post before allowing it out into the wild. Are you concerned that your mom might read something bad on your Facebook page because you forgot to keep things "appropriate"? No worries, you could have a content scrubber in place allowing your posts to either get scrubbed or at least bounced back to you for editing before they're released into the wild. And all of that could be done with no modifications to the application itself. That's a pretty neat concept in my opinion, and Lori goes into way more detail in the post, so check it out.

 

Addicted to Open Source

http://devcentral.f5.com/weblogs/rcorder/archive/2010/03/12/addicted-to-open-source.aspx

Ryan Corder introduces himself as an addict in this post, letting us know that he has an affliction that can't be shaken, a serious need for open source software. I've heard of worse things to be addicted to, so I'm sure he'll be all right, and in the meantime I look forward to enjoying his open source focused writing. In this introductory post he talks about his goal, what we need to do to get there, things we're already doing to move towards that end and generally how cool DevCentral is. Okay, I made that last part up, but it's a good post and if the next ones are just as good, this will soon be a blog to watch if you're interested in the software world, and particularly in open source.

 

Post of the Week - High Speed Logging, iRules and you

http://devcentral.f5.com/weblogs/dctv/archive/2010/03/11/post-of-the-week-ndash-high-speed-logging-irules-and.aspx

There were some questions surrounding High Speed Logging via iRules that I wanted to get cleared up, so I attempted to do so in the post of the week last week. Since not everyone is familiar with HSL, I took a couple minutes to discuss what it is, how it works and how one might go about using it and why, then tried to answer a few of the questions that have been cropping up about it. This is a wicked cool feature that hasn't gotten a ton of publicity just yet, so I'm happy to showcase it a little and talk about what it can do. If you're into iRules and/or looking for a way to ship data off of an LTM, this is the ticket.

 

Self Serve Security

http://devcentral.f5.com/weblogs/psilva/archive/2010/03/17/self-serve-security-again.aspx

In a look at the softer side of security, Pete discusses the importance of user awareness and education in his most recent post. Stemming from the final keynote he took in at this year's RSA conference, he delves into the importance of user education and shows off some stats from a very official looking report that say more is better. Honestly though, it's often underestimated what a giant part educating and preparing users and employees is in an overall security plan. Trying to forcibly keep users safe is much more difficult and much less effective than educating them on how to stay safe themselves. This is a good topic and I'm all for education of users over even more restricted access and policies, so read up and see what you can do to help keep yourself secure.

 

20 Lines or Less #38 - Classes, Encryption Detection & Caching

http://devcentral.f5.com/weblogs/cwalker/archive/2010/03/18/20-lines-or-less-38-ndash-classes-encryption-detection-amp.aspx

Often last but never least, is the 20 Lines or Less for this week. With cool examples from two of our most esteemed forum contributors, hoolio and l4l7, this one shouldn't be missed. This week shows off a good way to find and parse data stored in a class, a very cool way to gracefully handle HTTP traffic on an HTTPS port, and an oldie from the archives that'll let you set custom caching timeouts based on file extension. These are fun and quick to consume, and a darn good way to find out what kinds of things you can and maybe should be doing with F5's gear beyond the obvious. Whether you're an iRules pro or just contemplating using them, the 20LoL is never a bad place to start.

 

That's it for this week, I'll be back next week with 5 more from DevCentral, assuming being locked in a conference room with the team all week doesn't preclude my ability to do so. Thanks for reading, and drop me a line if you have any feedback or suggestions.

#Colin

Thursday, March 18, 2010


What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week we’ve got a couple awesome new examples from two of the community all-stars, and one dusty old example from my archives. They’re all cool and useful, so take a peek and see what you think. If you want a problem solved or to submit an example, feel free, I’m always looking for feedback or ideas for the 20LoL, just drop me a line.

Class field parsing & updating Host info

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1171133&view=topic

Matt shows off why they call him L4L7 in this example of how to use some iRules fu to match class contents, parse it and then act on it.  The requirement was updating the host header inline, while maintaining the mappings of what to change and what to change it to in a class, and that gets done in style.

when HTTP_REQUEST {
  # find a match using host+uri against the class; findclass returns the
  # whole matching line (field1 field2 field3), which is stored in newURI
  set newURI [findclass [HTTP::host][HTTP::uri] $::redlist]
  if { $newURI ne "" } {
    # Parse the three fields in the matched datagroup line. scan leaves a
    # variable unset when the line has fewer fields, so default them first
    set host ""
    set uri ""
    scan $newURI {%s %s %s} unused host uri
    # change host and uri only where the line supplied a value
    if { $host ne "" } {
      HTTP::header replace Host $host
    }
    if { $uri ne "" } {
      HTTP::uri $uri
    }
  }
}

HTTP connections over 443

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1171154&view=topic

For a look at how to gracefully handle unencrypted HTTP traffic arriving on port 443 (you know, just in case), hoolio has you covered this week. The iRule asks the SSL stack which cipher version was negotiated. If a cipher was used, a request for “/” is redirected to the login page and everything else passes through. If the call errors out or reports no cipher, meaning the request came in the clear on the SSL port, every requested URI is redirected to the SSL-enabled login page. Note that the redirect target is built from the client-supplied Host header (with any port stripped), so it is only as trustworthy as that header, and that both branches log on every request. Handy stuff.

when HTTP_REQUEST {
  # Check if the client used an SSL cipher. SSL::cipher version errors out
  # (caught here) when there is no SSL session, so a plaintext request that
  # arrived on the SSL port takes the else branch.
  if { not ([catch {SSL::cipher version} result]) && $result ne "none" } {
    # Client did use a cipher: only the bare "/" is sent to the login page
    log local0. "\$result: $result. Allowing encrypted request."
    if { [HTTP::path] eq "/" } {
      HTTP::redirect "https://[getfield [HTTP::host] : 1]/Login.jsp"
    }
  } else {
    # Client did not use a cipher: send every unencrypted request to the
    # SSL login page. $result holds the catch error text here.
    log local0. "\$result: $result. Redirecting unencrypted request."
    HTTP::redirect "https://[getfield [HTTP::host] : 1]/Login.jsp"
  }
}

 

Selective browser caching

Taking a trip in the way-back machine I decided to dig into my archives of cool iRule goodness for our third example this week. Here’s a little iRule that I acquired along the way somewhere (I’m not going to claim I wrote it, since I can’t remember if it was me or someone else) that was simple but useful. Create two classes of file extensions, one to be cached long term (jpgs, gifs, pngs, etc) and one to be cached for a much shorter duration (css, html, whatever) then easily tell the client’s browser how to handle each. Two details worth getting right: match on the path rather than the full URI, so a query string like ?v=3 doesn’t defeat the ends_with check, and don’t overwrite a Cache-Control the application set to private or no-store, or a personalised page that happens to end in .html becomes cacheable by every proxy in between. Also, five minutes is 300 seconds, not 500.

when HTTP_REQUEST {
  # Keep the path, not the full URI: a query string such as ?v=3 would
  # defeat the ends_with match below
  set path [HTTP::path]
}

when HTTP_RESPONSE {
  # Leave error responses alone, and anything the application has already
  # marked as not shareable, so a private page never gets a shared-cache TTL
  set cc [string tolower [HTTP::header Cache-Control]]
  if { [HTTP::status] != 200 || $cc contains "private" || $cc contains "no-store" } {
    return
  }
  if { [matchclass $path ends_with $::cache_5min] } {
    # 5 minutes = 300 seconds
    HTTP::header replace "Cache-Control" "max-age=300"
  } elseif { [matchclass $path ends_with $::cache_60min] } {
    HTTP::header replace "Cache-Control" "max-age=3600"
  }
}
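To see the three guards from that iRule in isolation, here is the same decision as a plain function. This is an added example in Python, not code from the page or from F5; the extension lists and the request values are constructed for the illustration.

```python
from typing import Optional

# Constructed stand-ins for the $::cache_5min and $::cache_60min classes
CACHE_5MIN = (".css", ".html", ".js")
CACHE_60MIN = (".jpg", ".gif", ".png")
UNCACHEABLE_TOKENS = ("no-store", "private")


def cache_control(uri: str, status: int, upstream_cc: Optional[str]) -> Optional[str]:
    """Cache-Control value to set on the response, or None to leave it alone."""
    if status != 200:
        return None                          # an error page must not get a long TTL
    if upstream_cc and any(tok in upstream_cc.lower() for tok in UNCACHEABLE_TOKENS):
        return None                          # the app marked this response per-user
    path = uri.split("?", 1)[0].lower()      # ends_with on the path, not the full URI
    if path.endswith(CACHE_5MIN):
        return "max-age=300"
    if path.endswith(CACHE_60MIN):
        return "max-age=3600"
    return None
```

A 404 for a missing image, or an account page the application served with Cache-Control: private, comes back as None and keeps whatever the server sent.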

 

That’s the 20LoL this week, thanks for playing. I’ll be back next week with more iRules goodness, so make sure to check back in.

#Colin

Friday, March 12, 2010 #


This week I bring to you a full house of content, docs over blogs. To say there have been more than a few pairs on DevCentral lately though would be an understatement. The rush of content could be likened to an avalanche but without the messy death and destruction bits to deal with. From interviews to tech tips to blog posts to original songs pertaining to cloud computing (no, I'm not joking, and no, the link isn't in here…go find it yourself), DevCentral never seems to sleep these days, which is just how we like it. In case you're overwhelmed and looking for a place to get started, here are my Top5 picks for the week:

 

Citrix XenApp 5.0 Implementation Tips

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082335

Naladar, one of the esteemed MVPs of the DevCentral community, comes to us with this piece on XenApp this week. He's looking to share his recent experiences and given his track record, he's the kind of person you want to listen to when he decides to share something with the community. While there are deployment guides out there for Presentation Server 4.5, Naladar takes the time to walk you through the differences in implementation that you'll need to pay attention to for v5. With some almost immediate positive feedback it's obvious that other people out there have found this one useful already. Combine that with the fact that I'm always eager for a chance to show off how awesome our users are, even to the point of contributing killer content for the masses, and this one had to be my top pick this week.

 

Configuring a multi-tier Testing Environment with VMware Teams and BIG-IP LTM VE

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084344

There have been many a post about LTM VE over the past few weeks, many of them very cool, but Don took a slightly different angle by showing you how to set up a VMware team so you can spin up and down your entire test team (VE, client, server) with the push of a single button. Pretty neat stuff. Not only that, but he goes into enough detail with screenshots and step by step instructions that you should be able to re-create the environment pretty easily if you're still looking for a way to get up and running with your VE deployment. Whether you were waiting for the right walk-through on setting up LTM VE to come along or you're just interested in seeing yet another way of doing things, this article was a goodie.

 

BIG-IP Logging and Reporting Toolkit - part two

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084341

The second installment of Joe Malek's awesome Logging and Reporting Toolkit series is out, and worth a read. Here he talks about the two vendor options he investigated when looking into advanced options for BIG-IP logging and reporting, Splunk and Q1 Labs. He talks a bit about each of their offerings, their strengths and what to expect from them. He then goes onto give us an extensive list of the different information these systems are going to be made to handle in the soon to come resolution to this technological tease wherein we'll finally get to see the results of his testing, his analysis of the options, and some fun charts. If you didn't catch the first installment yet, I highly recommend going and checking that one out as well.

 

If I Had a Hammer…

http://devcentral.f5.com/weblogs/macvittie/archive/2010/03/10/if-i-had-a-hammer.aspx

Despite the title Lori does not go on to talk about carpentry or construction. Instead she fills us in on her take on Carr's analogy and why the "pay as you use" model is really more like a "pay for the minimum required in CASE you need it" model. It's not a negative slant on things, just realistic, to remember that there is an inherent cost in things that have to be running before requests actually come in. To fool ourselves into thinking that we're paying only for what we use, like electricity, when we're paying a set cost just to have the resources available when needed is..well..just that, fooling ourselves. I like her points here and thought it was worth passing on. The cloud can be awesome and effective and even cheap for many people, but don't get caught off-guard thinking it's going to be free until you need it while really being billed.

 

20 Lines or Less #37 - Hex, HTTPS, and SNATing

http://devcentral.f5.com/weblogs/cwalker/archive/2010/03/12/20-lines-or-less-37.aspx

I'm so sorry, 20LoL, I didn't mean to leave you out last time, there was just too much good stuff! I never meant to hurt you, you know how I love you, I just couldn't justify bumping one of the other hawesome topics for your iRuley goodness. You're back, though, this week, with 3 more examples of iRules fu at its finest. *cough* Check out what the forums & samples section have to offer this week in less than 21 lines of code. We've got payloads being converted to hex, yet another take on https redirection and some pretty nifty snating stuff happening. These are always a cool look at what people in the community are up to, so check it out.

 

Well, there it is, another week, another 5 from DC. Hopefully you liked reading as much as I liked writing. Come back next week for more, and feel free to drop me a line with any feedback.


#Colin

What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

I bring to you your weekly dose of short yet cool iRule goodness.  Check out what these iRule fu masters have crammed into less than 21 lines of code.  This week we’ve got hex translation of HTTP payloads, intelligent redirection including port handling, and some snat intelligence in just a few lines of code.  Dig it.

 

Log binary HTTP payload in hex

http://devcentral.f5.com/wiki/default.aspx/iRules/Log_binary_HTTP_payload_in_hex.html

Here’s one that we touched on briefly in the podcast last week. Hoolio decided that it would be fun or handy or…something, to collect up to the first 1MB of each POST request and log the body converted to hex. I couldn’t tell you when this would be needed, but it was a pretty darn cool thought, and I thought I’d share it. Maybe he’ll come tell us what it was for. ;) One caution: the hex string is twice the size of the body, and anything in the POST, passwords included, lands in the log verbatim, so leave the debug flag at 0 outside of troubleshooting.

when HTTP_REQUEST {

   # Log debug? 1=yes, 0=no
   set debug 1

   # Collect up to the first 1MB of POST data
   if {[HTTP::method] eq "POST"}{

      set clength 0

      # Use the Content-Length value if it is present, numeric and at most 1MB; otherwise cap at 1MB
      if {[HTTP::header exists "Content-Length"] && [string is integer -strict [HTTP::header Content-Length]] \
            && [HTTP::header Content-Length] <= 1048576}{
         set clength [HTTP::header Content-Length]
      } else {
         set clength 1048576
      }
      if {$clength > 0}{
         if {$debug}{log local0. "[virtual name]: Collecting $clength bytes"}
         HTTP::collect $clength
      }
   }
}

when HTTP_REQUEST_DATA {

   # Convert the collected payload to a hex string (two characters per byte)
   binary scan [HTTP::payload] H* payload_hex

   # This writes the whole body, credentials included, to the log
   if {$debug}{log local0. "[virtual name]: payload_hex: $payload_hex"}
}

 

SNAT based on incoming IP

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1170490&view=topic

Matt dished out a great little example of how to effectively control which snat address a connection is assigned based on the IP range the request is coming in from. It’s simple, it’s efficient, it’s effective, and it’s short.  Those are a few of my favorite things in iRules, so here you go.

 

when CLIENT_ACCEPTED {
  # Pick the SNAT address by the /26 the client falls into; the network
  # addresses are written as the subnet base so the masks read correctly
  if { [IP::addr [IP::client_addr] equals 10.9.9.0/26] }{
    snat 1.1.1.1
  } elseif { [IP::addr [IP::client_addr] equals 10.9.9.64/26] }{
    snat 2.2.2.2
  } elseif { [IP::addr [IP::client_addr] equals 10.9.9.128/26] }{
    snat 3.3.3.3
  } else {
    forward
  }
}

 

Intelligent HTTP to HTTPS redirection…now with port handling!

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1168453&view=topic

This is a topic (HTTP to HTTPS redirection) that I’ve shown off at least a few times in the 20LoL, but that’s because it comes up so darn often in the forums and elsewhere. Here is yet another take on how to do it, and a darn good one at that. Note the use of string map, which I heart, and the fact that this one can actually handle redirects that have the port declared in the hostname. If you try to redirect to HTTPS but still have a :80 in your host, things might not go as swimmingly as you’d like. Two caveats before you deploy it: string map rewrites every occurrence, so a Location that carries another URL in its query string gets that URL rewritten too, and a redirect to a third-party host or to a non-default port such as :8080 has its scheme flipped as well, which is rarely what you want. It also only strips :80 when a slash follows it.

 

when HTTP_RESPONSE {
  # Check if server response is a redirect
  if { [HTTP::header is_redirect] } {
    # Log original and updated values
    log local0. "Original Location header value: [HTTP::header value Location], updated: [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]"
    # Do the update, replacing http:// with https:// and :80/ with /
    HTTP::header replace Location [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]
  }
}
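To make those caveats concrete, here is the string map rewrite reproduced in Python next to a version that parses the Location value before touching it. This is an added example, not code from the thread or from F5; the host list and the Location values it is run against are constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed: the hostnames this virtual server answers for
OUR_HOSTS = {"www.example.com"}


def naive_rewrite(location: str) -> str:
    """Equivalent of: string map -nocase "http:// https:// :80/ /"
    (string map is a single pass, but neither replacement creates text the
    other key could match, so two passes give the same result)."""
    out = re.sub(r"http://", "https://", location, flags=re.IGNORECASE)
    return re.sub(r":80/", "/", out, flags=re.IGNORECASE)


def safe_rewrite(location: str, our_hosts=OUR_HOSTS) -> str:
    """Rewrite only absolute http:// redirects that point back at one of our
    hosts on the default port. Relative, third-party and non-default-port
    redirects are returned untouched, and the query string is never edited.
    Any userinfo in the netloc is deliberately dropped."""
    parts = urlsplit(location)
    if parts.scheme != "http":            # urlsplit lowercases the scheme
        return location
    host = parts.hostname                 # already lowercased, port removed
    if host is None or host not in our_hosts:
        return location
    try:
        port = parts.port
    except ValueError:                    # non-numeric port: leave it alone
        return location
    if port not in (None, 80):
        return location
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
```

The parse-based version also handles a Location of http://www.example.com:80 with no trailing slash, which the :80/ key in the string map never matches.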
 

 

There you go, 3 more examples of iRules goodness in 20 Lines or Less each.  See ya next time.

#Colin

Wednesday, March 10, 2010 #


The new LTM VE has opened up the possibilities for writing, testing and deploying iRules in a big way.  It’s easier than ever to get a test environment set up in which you can develop (and break things) to your heart’s content.  This is fantastic news for us iRulers that want to be doing the newest, coolest stuff without having to worry about breaking a production system. 

That’s all well and good, but what the heck do you do to get all of your current stuff onto your test system?  There are several options, ranging from copy and paste (shudder) to actual config copies and the like, which all work fine.  Assuming all you’re looking for though is to transfer over your iRules, like me, the easiest way I’ve found is to use the iRule editor’s export and import features.  It makes it literally a few clicks and super easy to get back up and running in the new environment.

First, log into your existing LTM system with your iRule editor (you are using the editor, right? Of course you are…just making sure).  You’ll see the main editor window, with a list of a bagillionty iRules on the left and their cool, color coded awesomeness on the right.  You can go through and select iRules and start moving them manually, but there’s really no need.

All you need to do is go up to the File –> Archive –> Export option and let it do its magic.  All it’s doing is saving text files to your local system to archive off all of your iRuley goodness.  Once that’s done, you can then spin up your new LTM VE and get logged in via the iRule editor over there.  Connect via the iRule editor, and go to File –> Archive –> Import.

Once you choose the import option you’ll start seeing your iRules popping up in the left-hand column, just like you’re used to.  This will take a minute depending on how many iRules you have archived (okay, so I may have more than a few iRules in my collection…) but it’s generally pretty snappy.  One important thing to note at this point, however, is that all of your iRules are bolded with an asterisk next to them. This means they are not saved in their current state on the LTM.  If you exit at this point, you’ll still be iRuleless, and no one wants that. Luckily Joe thought of that when building the iRule editor, so all you need to do is select File –> Save All, and you’ll be most of the way home.

I say most of the way because there will undoubtedly be some errors that you’ll need to clean up. These will be config based errors, like pools that used to exist on your old system and don’t now, etc.  You can either go create the pools in the config or comment out those lines. I tend to try and keep my iRules as config agnostic as possible while testing things, so there aren’t a ton of these but some of them always crop up.  The editor makes these easy to spot and fix though. The name of the iRule that’s having a problem will stay bolded and any errors in that particular code will be called out (assuming you have that feature turned on) so you can pretty quickly spot them and fix them. 

This entire process took me about 15 minutes, including cleaning up the code in certain iRules to at least save properly on the new system, and I have a bunch of iRules, so that’s a pretty generous estimate.  It really is quick, easy and painless to get your code onto an LTM VE and get coding. An added side benefit, but a cool one, is that you now have your iRules backed up locally. Not only does this mean you’re double plus sure that they won’t be lost, but it means the next time you want to deploy them somewhere, all you have to do is import from the editor.  So if you haven’t yet, go download your BIG-IP LTM VE and get started. I can’t recommend it enough.  Also make sure to check out some of the really handy DC content that shows you how to tweak it for more interfaces or Joe’s supremely helpful guide on how to use a single VM to run an entire client/LTM/server setup.  Wicked cool stuff. 

 

Happy iRuling.

 

#Colin

Friday, February 26, 2010 #


The hits just keep on coming. Between the release of the LTM VE, some internal DC projects that are brewing, some new site stuff we're trying to polish up, and all that daily stuff that just keeps showing up out of nowhere, there has been no shortage of distractions. There has also, however, been no shortage of amazing content cruising through DevCentral, so this week's Top5 is packed full of it. You know there's a lot of cool stuff out there when I actually had to make a list of about 15 things I'd like to highlight and start whittling it down to just five, and the 20LoL didn’t even make the cut. That’s unheard of in my “iRules ‘till I die” multiverse. So you can rest assured there are many things not in this list worth checking out, but this is the Top5, not the Top13…so here you go:

 

Post of the Week - The triumphant return, thanks to LTM VE

http://devcentral.f5.com/weblogs/dctv/archive/2010/02/24/post-of-the-week-ndash-the-triumphant-return-thanks-to.aspx

First on the list of hits is a personal favorite that hasn't been around in a while, the post of the week. This one has historically been not only a personal favorite but a fan favorite as well. This has been a highly requested series that lapsed for a while, so now like those kids today say, I'm bringing it back. I've been meaning to get this back on wheels and moving for a while and the amazing (seriously…amazing) response in the LTM VE forum was the perfect impetus to get this going again. You have checked out the LTM VE forum, right? I'll pretend like you said yes. If you haven't, go do it now. Hawesome stuff abounds in there, thanks to the killer users and their tinkering. If you've got questions on the LTM VE, what it can do, getting started, limitations, concerns, etc. this is a good place to start.

 

Laptop Load Balancing for The Developer With BIG-IP LTM VE

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082333

This article from Joe is an absolute must read for anyone looking to get into the LTM VE with low resource usage. Whether you're trying to cram it into an already busy VM cluster or you're like Joe (and me) and want to get a workable dev environment up and running on your laptop but don't have room for 3 VMs, this article's for you. Joe walks you through just how to get things running with a single VM used to run the LTM VE, and all other needed components for a host/client test setup functioning from the native OS. This is something I hadn't thought of somehow, even though it was a glaringly obvious idea as soon as I saw him write about it (what..don't look at me like that, I WOULD have thought of it…I've been busy!), and is something that is going to make using this amazing technology a lot easier for a lot of people. Big kudos to Joe for taking the time to spoon feed this one to us, complete with a couple scripts to help you set things up because you know, Joe likes to script things.

 

Whaddya Mean LTM VE Only Has Two Interfaces?

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082331

Continuing the running theme of LTM VE awesomenitude and getting people info they really need to know to get their hands dirty, Jason delivers a solid hit with his demonstration of how to add interfaces to the VE. If you're one of those people that actually want to test networking type stuff then you'll quickly realize that a mere two (not including the management port) interfaces may be shy of what you need for your purposes. Luckily Jason steps in to solve that problem before it even exists by showing you how you can add additional interfaces without breaking a sweat. He even goes so far as to show you how to use VLAN tagging to remove the need for extra interfaces, so you have your choice of solutions. I hear he slices, dices, and cuts through cans, too. He's just that cool. If you've got the LTM VE this one is worth bookmarking and tucking away for later even if you haven't already run into the need for more ways to "plug" things in.

 

TechDump - Managing multiple systems with pyControl v2

http://devcentral.f5.com/weblogs/dctv/archive/2010/02/24/techdump-managing-multiple-systems-with-pycontrol-v2.aspx

While I could list about a bazillionty more killer things relating to the LTM VE because it's that cool, I thought I'd add a couple other links as well, as there were some things that warranted sharing for sure. First up, Matt delivers yet another cool tutorial on using his amazing pyControl v2 platform for system management. If you haven't checked out pyControl yet I strongly recommend it, obviously even more so if you're a python inclined type. In this tip he shows you how you can deal with multiple systems easily. I love the complete walk through showing code, configs and the process he uses to get things working. This one is easy enough for grandma to follow, but geeky enough for us propeller heads to not get bored. Nicely done.

 

BIG-IP Logging and Reporting Toolkit - part one

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082334

The other non LTM VE highlight I wanted to point out was the intro piece to what proves to be a wicked cool series brought to you by Joe Malek, one of the many stellar engineers here at F5. In this series Joe is going to walk us through some concepts behind logging and reporting using your BIG-IP, what your options are, how they compare, and then provide us with some tools to make it easier. This first post outlines the problems inherent, the desired outcome and really just sets the table for the juicy geek content sure to come. (I do mean "sure", I've seen it, it is coming) So take a look, figure out if it's of interest and then check back next week for the next installment. There's a whole world of information and options pertaining to logging and reporting that most people don't even think about when talking BIG-IP, and I'm really looking forward to getting some info out there from someone that's done the legwork to become an expert.

 

That's it! Unfortunately I'm out of room in my list of 5 cool things to check out. I feel sad, honestly, as I could fill three more of these lists with stuff that's happened in the last two weeks alone, but that just means it's up to you to get out there to DevCentral and dig around, find the goodness yourself, and dig in. It's not hard, the site is veritably oozing with interesting content for you to stumble upon these days, so get to it.

#Colin

Tuesday, February 23, 2010 #


Many people in the networking world are aware of BIG-IP as a powerful load balancing and security device.  Those that don’t dig deeper, however, are truly missing out on the incredible features just below the surface.  Sure load balancing and security policies are interesting and important, but what truly makes BIG-IP stand out from the crowd, at least in my opinion, is the immense breadth of functionality available via the programmatic interfaces of the system, namely iRules, iControl and now tmsh. To me these are the most exciting, intriguing things happening in the market right now. Network side scripting, full API access, on box shell control and customization…how is that stuff not wicked cool?

Unfortunately some people haven’t caught up quite yet. For whatever reason they’re being left behind while the rest of us push forward and try out the newest, coolest iRule hoolio posts to the codeshare, or checking out what the new pycontrol bits from Matt can do. If you’re one of the people who has been watching from the sidelines, now is the time to dive in.  I’ve seen the same few arguments from people countless times about why they aren’t trying to get the most out of their network by using some of these cool technologies.  I understand that some people don’t have a full test or development lab, I understand that there are often strict change control policies, I get that your boss might not be keen on spending the money on the systems if you’re not already a customer, because they don’t understand just how powerful this stuff is. I get it, I really do.  Now is your chance, though, to change all that.

With the release of the BIG-IP LTM VE all of these roadblocks have been laid asunder with a free, easy to use, readily downloadable and did I mention free LTM environment.  Now in just a few minutes you can have that test environment you’ve been pining for so you can start testing crazier iRule-foo. You can get to work on building out custom tmsh commands in 10.1 so they’re ready to go when you finally get to upgrade your production systems.  You can even put a BIG-IP in front of your test environment to show people what it is you’ve been trying to tell them unsuccessfully all this time while trying to convince them you need some F5 gear: this stuff rocks, and can do amazing stuff.

Getting started is easy, just go check out the trial page to get started with the download. While that’s going, get on over to the DevCentral LTM VE page and start browsing around.  The forums are already exploding with comments, questions and user experiences. See what other people are up to, what environments they’ve managed to shoe-horn the VE into for their needs, or what cool stuff they’re doing with it. In just a few minutes you’ll have a shiny, new LTM VE, and no more excuses.

If I sound like a bit of a fanboy, it’s because I am. I make it no secret how awesome I think F5 development technologies are, and it just got about a thousand percent easier (perhaps over 9000) to get access to them. Heck, I have 2 BIG-IP systems within arm’s reach, and I still use my LTM VE for some of my testing and dev. That’s got to mean something, right?  Sure, it’s rate limited. Sure it’s only LTM and not the other modules. Sure there are limitations, but it’s a free trial…what do you expect?  If you’re looking for more features, there’s more to come in future releases.

Whether you’re a long-time customer, new to the ADC world with F5, are trying to work our gear into your network or you’re just trying to figure out what the heck this stuff does, it doesn’t matter. Get out there, get the trial, get it installed and start using it. Check out the getting started docs, grab a few iRule examples from the CodeShare (requires login) and start playing with the possibilities. I’m more than a little bit excited about the sudden and broad availability of LTM to any interested party as not only a traffic management device, but as a development platform. I’m sure you couldn’t tell, though…

#Colin

Friday, February 19, 2010 #


What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

With the announcement of the BIG-IP LTM VE this week, the iRules world just got a little more interesting.  Between the new commands and features that have come out in the past several months, and now the ability to build and test iRules from your laptop, without having to connect to the internet/network at all, the possibilities just keep expanding.  I’m excited to see what kinds of things people come up with and the scenarios I hear about with VEs running all sorts of wacky iRules that people didn’t dare try out on their systems before.  Amidst the amazing news of the BIG-IP LTM VE release and the ensuing rush of content, comments and questions surrounding it, the iRules world moves along just as it does every week. As such, I’ve got some more cool examples of iRules goodness exemplifying the brevity I’ve come to seek out. 

 

Strip HTTP Server

Looking for a simple way to remove all headers containing a given string? Perhaps you don’t want to use the sanitize command because you’re leaving in more headers than you’re taking out, but you want to remove some specific headers?  Well here you go. A simple little loop that’ll go through all your headers and remove those that match whatever criteria you lay out. In this case it’s removing all headers that begin with x-. One thing to watch: X-Frame-Options, X-Content-Type-Options and X-XSS-Protection begin with x- too, so a blanket strip takes the browser’s defences away along with the noise. Exempt the ones your application sets.

when HTTP_RESPONSE {

  # Remove all instances of the Server header
  HTTP::header remove Server

  # Remove all headers starting with x-, except the browser security headers
  # the application may rely on (adjust this list to what your app sets)
  foreach header_name [HTTP::header names] {
    if { [string match -nocase x-* $header_name] } {
      switch [string tolower $header_name] {
        "x-frame-options" -
        "x-content-type-options" -
        "x-xss-protection" { continue }
        default { HTTP::header remove $header_name }
      }
    }
  }
}

 

Change Content Disposition

I’m pretty certain I’ve posted a way to do this here before, or maybe that was a tech tip..they all blur together.  This is a very quick, elegant way to do so however, so I wanted to share (even if it’s sharing the same concept again). 

when HTTP_REQUEST {
  # HTTP::query returns the query string of the current request.
  # (The bare word URI::query would only store that literal string.)
  set querystring [HTTP::query]
}

when HTTP_RESPONSE {
  # Only rewrite a Content-Disposition the server actually sent
  if { [HTTP::header exists Content-Disposition] && $querystring contains "attachment=1" } {
    HTTP::header replace Content-Disposition [string map -nocase "inline attachment" [HTTP::header Content-Disposition]]
  }
}

 

Particularly Tricky Path Parsing

Someone was looking to parse the first two letters of the HTTP path, and came up with a very neat way of doing just that.  They’re performing structured matches based on character sets in a glob style match with switch. Very inventive and it looks quite efficient & functional.  Nicely played.

when HTTP_REQUEST {
  # Parse the first then second character in the path
  switch -glob [string tolower [HTTP::path]] {
    "/a[a-l]*" {
      pool reward-uat5.123.com_AA2AL
    }
    "/a[m-z]*" -
    "/b[a-l]*" {
      pool reward-uat5.123.com_AM2BL
    }
    "/b[m-z]*" -
    "/c[a-d]*" {
      pool reward-uat5.123.com_BM2CD
    }
    default {
      # Requested path was a leading forward slash only, or started with
      # something outside the ranges above: send it to the first pool
      pool reward-uat5.123.com_AA2AL
    }
  }
}

There’s your 20LoL for the week. Thanks for keeping up with the awesome examples guys. See you next week for three more.

#Colin

Wednesday, February 10, 2010 #


What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

It’s been hectic here in DCland and finding time to write has been more difficult than normal, though that shouldn’t be a problem much longer. Fortunately for all of us this awesome community keeps kicking out the jams so I can rely on their hawesome knowledge to provide cool iRule snippets.  This week we’ve got two iRules from the forums and one from my own collection.

 

URI Rewriting done differently

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1167775&view=topic

First up, URI rewriting…with style.  I made a tweet recently about my newly rekindled love for the scan command and it was great to see someone else making use of it as well.  Aaron brings us a very cool example of switching on file types which is standard fare, but then he shows off a very cool way to use scan to strip out the first URI segment between the first two slashes.  I like it.

when HTTP_REQUEST {
   # Check the requested path (URI minus query string)
   switch -glob [string tolower [HTTP::path]] {
      "*.gif" -
      "*.js" -
      "*.css" -
      "*.jpg" -
      "*.bmp" {
         # Read in everything after the first / that is not a /.
         # Save that to $session_id and everything else to $uri_to_save.
         # scan returns the number of conversions that succeeded, so 2 means
         # both a session ID and a remainder were found.
         if {[scan [HTTP::uri] {/%[^/]%s} session_id uri_to_save] == 2}{
            # Rewrite the URI without the session ID
            #log local0. "$session_id"
            HTTP::uri $uri_to_save
         }
      }
   }
}

 

Class ordering and search lengths

http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1167433&view=topic

User FishNiX brings a wicked cool look at searching not by a given parameter but by how specific the match is. Class order isn’t guaranteed, so they sort the class on the URI field in decreasing order before walking it. Because a longer string sorts after the shorter string it extends, “/app/admin” comes out ahead of “/app”, and the first starts_with hit is always the longest (most complete) match. Very inventive and something I haven’t seen before. Nicely done.

rule set_pool_by_host_and_uri {
   when HTTP_REQUEST {
      # Class order isn't guaranteed to come back in the order entered in the bigip.conf,
      # so sort the rows in decreasing order on the URI column (index 1): a longer prefix
      # then always precedes any shorter prefix of itself.
      log local0. "list: $::host_uri_pool_selector_class"
      log local0. "lsort: [lsort -decreasing -index 1 $::host_uri_pool_selector_class]"
      foreach row [lsort -decreasing -index 1 $::host_uri_pool_selector_class] {
         log local0. "\$row: $row"
         # Each row is "host uri-prefix pool": exact host match, then prefix match on the URI
         if { [string tolower [HTTP::host]] equals [getfield $row " " 1] } {
            if { [string tolower [HTTP::uri]] starts_with [getfield $row " " 2] } {
               pool [getfield $row " " 3]
               break
            }
         }
      }
   }
}
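Here is the ordering trick in plain tclsh, as an added example rather than FishNiX's iRule. The rows are a constructed stand-in for the host_uri_pool_selector_class data group in the same "host uri-prefix pool" layout, and the hostnames and pool names are made up. It runs the same selection twice, once over the rows as entered and once over the rows sorted -decreasing on the URI column, to show the shorter /app prefix shadowing /app/admin in the first pass and losing to it in the second.

```tcl
# Added example, not FishNiX's iRule: plain tclsh showing why sorting the rows
# -decreasing on the URI column makes the longest prefix win. The rows are a
# constructed stand-in for the host_uri_pool_selector_class data group, in the
# same "host uri-prefix pool" layout; hosts and pool names are made up.
set host_uri_pool_selector_class {
    {www.example.com /app pool_app}
    {www.example.com /app/admin pool_app_admin}
    {www.example.com / pool_default}
    {api.example.com /v1 pool_api_v1}
}

# Same selection the iRule performs: walk the rows in order, require an exact
# host match and a starts_with match on the URI, first hit wins.
proc select_pool {rows host uri} {
    set host [string tolower $host]
    set uri  [string tolower $uri]
    foreach row $rows {
        set rowhost [lindex $row 0]
        set prefix  [lindex $row 1]
        set pool    [lindex $row 2]
        if {$host eq $rowhost && [string first $prefix $uri] == 0} {
            return $pool
        }
    }
    return "no-match"
}

set uri /app/admin/users
# As entered, the shorter /app row sits above /app/admin and shadows it.
puts "entered order: [select_pool $host_uri_pool_selector_class www.example.com $uri]"
# A proper prefix always sorts lower than the strings it prefixes, so a
# decreasing sort on column 1 guarantees /app/admin is tried before /app.
set sorted [lsort -decreasing -index 1 $host_uri_pool_selector_class]
puts "sorted order:  [select_pool $sorted www.example.com $uri]"
```

The sort only orders the URI column; rows for different hosts end up interleaved, which is harmless because the host comparison is an exact match and a row for the wrong host can never win.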


Partial Portal Access

Something that’s been bouncing around in my head for a while was the idea of limiting access to given applications based on a combination of criteria. Say, for instance, you want to limit access to the URIs that make up your intranet to internal IPs only, but allow access to everything else from anyone; that’s exactly what this iRule is designed to do. You end up with two classes: one for the list of allowed IPs, and one for the list of page IDs you want to restrict. One thing to keep in mind is that the scan pattern only recognises tabid when it is the very first query parameter, so if the application accepts it anywhere in the query string you would want to pull it out with a proper query-string parse instead. Fun stuff.

when HTTP_REQUEST {
   # Internal clients may hit anything; only non-internal clients are checked
   if { !([matchclass [IP::client_addr] equals $::InternalIPs]) } {
      # Pull the page ID out of /default.aspx?tabid=NNN (tabid must be the first parameter)
      if { [scan [URI::decode [string tolower [HTTP::uri]]] "/default.aspx?tabid=%d" tabid] == 1 } {
         # Page ID is on the restricted list: drop the connection and log it
         if { [matchclass $tabid equals $::intranet_pages] } {
            drop
            log local0. "Dropped request from IP: [IP::client_addr]"
         }
      }
   }
}
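To make the query-string caveat concrete, here is the tabid check in plain tclsh beside a version that walks every name=value pair. This is an added example, not the iRule above: the sample URIs are constructed, tab IDs 53 and 101 are made-up restricted pages, and the URI::decode step is left out since plain Tcl has no such command. Whether a request with tabid in second position actually reaches the same page is up to the application; the point is only that the scan form never sees it.

```tcl
# Added example: the tabid check from the iRule above, in plain tclsh, beside a
# parse that walks every query parameter. Sample URIs are constructed, the
# URI::decode step is left out (plain Tcl has no URI::decode), and tab IDs
# 53 and 101 are made-up intranet page IDs.
set intranet_pages {53 101}

proc tabid_by_scan {uri} {
    # Exactly what the iRule does: the literal prefix must match, so tabid is
    # only found when it is the first query parameter.
    if {[scan [string tolower $uri] "/default.aspx?tabid=%d" tabid] == 1} {
        return $tabid
    }
    return ""
}

proc tabid_by_query {uri} {
    # Split path from query string, then look at every name=value pair.
    set qpos [string first ? $uri]
    if {$qpos < 0} { return "" }
    set path [string tolower [string range $uri 0 [expr {$qpos - 1}]]]
    if {$path ne "/default.aspx"} { return "" }
    foreach pair [split [string range $uri [expr {$qpos + 1}] end] &] {
        set eq [string first = $pair]
        if {$eq < 0} { continue }
        set name  [string tolower [string range $pair 0 [expr {$eq - 1}]]]
        set value [string range $pair [expr {$eq + 1}] end]
        if {$name eq "tabid" && [string is integer -strict $value]} {
            return $value
        }
    }
    return ""
}

# 1 when the extracted page ID is on the restricted list, else 0
proc restricted {tabid pages} {
    expr {$tabid ne "" && [lsearch -exact $pages $tabid] >= 0}
}

foreach uri {
    /Default.aspx?tabid=53
    /Default.aspx?tabid=53&forumid=5
    /Default.aspx?forumid=5&tabid=53
    /Default.aspx?tabid=7
} {
    set byscan  [restricted [tabid_by_scan $uri] $intranet_pages]
    set byquery [restricted [tabid_by_query $uri] $intranet_pages]
    puts [format "%-34s scan blocks=%d  query parse blocks=%d" $uri $byscan $byquery]
}
```

On a BIG-IP the query walk collapses to URI::query, which returns the value of a named parameter wherever it sits in the query string; the plain-Tcl parse above just makes the difference visible without a device.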

If you’ve got ideas or examples of iRules doing a lot in a little bit of space, send them my way. Otherwise, see you next 20LoL.

#Colin

Friday, January 22, 2010 #


Wow! What a whirlwind it's been the past few weeks. Between holidays and vacation and people traveling out of town, it's been an absolute zoo around here. Though I've been out the past week or so, there has been an avalanche of content. I've hemmed and hawed and finally managed to slim my picks down to just five, though there are at least a dozen awesome things worth checking out on DevCentral from the past week or so. So don't be shy, get out there and poke around for yourself. For now, though, here are my top 5 picks for the week:


v10.1 - The table Command - The Basics

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2375

The new table command introduced in 10.1 is so hawesome and powerful it's hard for me to decide where to even begin describing the grandeur that is the table command. I've decided to begin at the beginning, and point you to the basics first. There are nine (yes, 9) tech tips published in the past week or so having to do with the new table command. They range from this intro doc to some pretty powerful, in depth, well explained examples. They are all penned by the creator of the command and go into amazing detail. This series has instantly become a contender for one of my favorite batches of content ever released on DevCentral, which is saying something. If you're looking for a way to store data, store data in a structured format, perform counting operations or about a bagillion other things dealing with data storage and manipulation in iRules, you must read about the table command. Huge thanks to spark for the work on the command and going above and beyond on the documentation.


TMSH Scripting in v10.1

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2374

This week's Top5 has not one, but two awesome docs regarding scripting on your BIG-IP. While iRules are near and dear to my heart, TMSH is quickly catching my interest as well. The new shell, along with its powerful scripting capabilities, is wicked cool and has the potential to do some pretty amazing things. TMSH crams a huge amount of utility into an easily approachable package. This great doc Jason wrote gets you started in style with an excellent description of where to begin, then takes you quite a bit further with examples of how to build your own script. The possibilities seem rather limitless, so I'm excited to see what people start doing once they get the hang of it. Check this one out for sure, and if you like what you see I'd recommend taking a look at the TMSH wiki and maybe giving a listen to this week's podcast, where we spoke in depth with Mark Crosland about TMSH.


ARX Config, Day One

http://devcentral.f5.com/weblogs/dmacvittie/archive/2010/01/18/arx-config-day-one.aspx

In the first installment of what I'm hoping proves to be a long, detailed series describing his experiences with his ARX, Don dishes out a great intro post about getting his ARX out of the box and working. He's honest and gives plenty of details about both what he loved and what he…didn't, which I appreciate. It sounds like he also plans to go into detail about any troubles he's having or things that he finds that stand out to him and the users should know about. With his vast experience in the storage world, getting to see an ARX through his eyes is just about the next best thing to getting to fiddle with one yourself. So if you have any interest in learning what it's like to set up and start using an ARX device, I recommend keeping a keen eye on this series. Having no ARX experience myself I'm quite interested to get his impressions, so I'll be one of the subscribed readers too.


iRule Editor - Offline Editing

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2385

Joe's amazing creation, the iRule Editor, just got better. He's released a couple new features for it recently but the one that caught my attention the most is something that people have been asking about for quite some time now: offline editing. The iRule Editor has previously been a 100% online tool. You'd fire it up, connect to your device and start editing away. But what if you're on a plane or just don't have a device to connect to? Well, you were out of luck. Even though you could save the iRules themselves to your on disk archive, the editor wouldn't allow you to edit them offline before. But now, you can. Keep in mind that you won't be able to use any syntax checking because that uses tmm on the BIG-IP to test compile the code, but you can edit to your heart's content along with all the handy features of the iRule Editor you've grown to love. Joe even took the time to go through a walkthrough of how this works and show you how to use the cool new feature in this video. This is a very cool improvement…thanks Joe!


Following Google's Lead on Security? Don't Forget to Encrypt Cookies

http://devcentral.f5.com/weblogs/macvittie/archive/2010/01/15/google-gmail-ssl-cookie-encryption.aspx

Last but certainly not least is Lori's post about SSL and why it isn't the only thing you need to think about when securing an application. Yes, SSL is an excellent and pretty standard first step to securing an online application these days. I, just like Lori, completely agree that you should be using SSL encryption as a security measure if you're at all concerned about your users or their data. Something Lori mentions, though, is spot on: "it’s not a panacea, especially where cookies are involved". Just because something is encrypted across the wire doesn't mean you can assume it's 100% safe once it gets where it's going. Data stored on the client system, such as cookies that carry authentication information, is a prime target for attacks trying to pry at user info. Cookie encryption can be a powerful agent in stopping this and stepping up your security one more level; keep in mind that an encrypted cookie still needs integrity protection and a sensible lifetime, otherwise a copied cookie can simply be replayed as-is. Have a look for yourself for a more detailed description of how this works.


There you have this week's DevCentral Top5. As always, feedback is welcomed and you can check out previous versions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin
