DevCentral Weblogs: Wielding the Power of the Network to Better Applications Everywhere
This week I bring to you a full house of content, docs over blogs. To say there have been more than a few pairs on DevCentral lately though would be an understatement. The rush of content could be likened to an avalanche but without the messy death and destruction bits to deal with. From interviews to tech tips to blog posts to original songs pertaining to cloud computing (no, I'm not joking, and no, the link isn't in here…go find it yourself), DevCentral never seems to sleep these days, which is just how we like it. In case you're overwhelmed and looking for a place to get started, here are my Top5 picks for the week:

Citrix XenApp 5.0 Implementation Tips
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082335

Naladar, one of the esteemed MVPs of the DevCentral community, comes to us with this piece on XenApp this week. He's looking to share his recent experiences and given his track record, he's the kind of person you want to listen to when he decides to share something with the community. While there are deployment guides out there for Presentation Server 4.5, Naladar takes the time to walk you through the differences in implementation that you'll need to pay attention to for v5. With some almost immediate positive feedback it's obvious that other people out there have found this one useful already. Combine that with the fact that I'm always eager for a chance to show off how awesome our users are, even to the point of contributing killer content for the masses, and this one had to be my top pick this week.

Configuring a multi-tier Testing Environment with VMware Teams and BIG-IP LTM VE
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084344

There have been many a post about LTM VE over the past few weeks, many of them very cool, but Don took a slightly different angle by showing you how to set up a VMware team so you can spin up and down your entire test team (VE, client, server) with the push of a single button. Pretty neat stuff. Not only that, but he goes into enough detail with screenshots and step by step instructions that you should be able to re-create the environment pretty easily if you're still looking for a way to get up and running with your VE deployment. Whether you were waiting for the right walk-through on setting up LTM VE to come along or you're just interested in seeing yet another way of doing things, this article was a goodie.

BIG-IP Logging and Reporting Toolkit - part two
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1084341

The second installment of Joe Malek's awesome Logging and Reporting Toolkit series is out, and worth a read. Here he talks about the two vendor options he investigated when looking into advanced options for BIG-IP logging and reporting, Splunk and Q1 Labs. He talks a bit about each of their offerings, their strengths and what to expect from them. He then goes on to give us an extensive list of the different information these systems are going to be made to handle in the soon to come resolution to this technological tease wherein we'll finally get to see the results of his testing, his analysis of the options, and some fun charts. If you didn't catch the first installment yet, I highly recommend going and checking that one out as well.

If I Had a Hammer…
http://devcentral.f5.com/weblogs/macvittie/archive/2010/03/10/if-i-had-a-hammer.aspx

Despite the title Lori does not go on to talk about carpentry or construction. Instead she fills us in on her take on Carr's analogy and why the "pay as you use" model is really more like a "pay for the minimum required in CASE you need it" model. It's not a negative slant on things, just realistic, to remember that there is an inherent cost in things that have to be running before requests actually come in. To fool ourselves into thinking that we're paying only for what we use, like electricity, when we're paying a set cost just to have the resources available when needed is...well...just that, fooling ourselves. I like her points here and thought it was worth passing on. The cloud can be awesome and effective and even cheap for many people, but don't get caught off-guard thinking it's going to be free until you need it while really being billed.

20 Lines or Less #37 - Hex, HTTPS, and SNATing
http://devcentral.f5.com/weblogs/cwalker/archive/2010/03/12/20-lines-or-less-37.aspx

I'm so sorry, 20LoL, I didn't mean to leave you out last time, there was just too much good stuff! I never meant to hurt you, you know how I love you, I just couldn't justify bumping one of the other hawesome topics for your iRuley goodness. You're back, though, this week, with 3 more examples of iRules fu at its finest. *cough* Check out what the forums & samples section have to offer this week in less than 21 lines of code. We've got payloads being converted to hex, yet another take on https redirection and some pretty nifty snating stuff happening. These are always a cool look at what people in the community are up to, so check it out.

Well, there it is, another week, another 5 from DC. Hopefully you liked reading as much as I liked writing. Come back next week for more, and feel free to drop me a line with any feedback.

#Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.
I bring to you your weekly dose of short yet cool iRule goodness. Check out what these iRule fu masters have crammed into less than 21 lines of code. This week we’ve got hex translation of HTTP payloads, intelligent redirection including port handling, and some snat intelligence in just a few lines of code. Dig it.
Log binary HTTP payload in hex
http://devcentral.f5.com/wiki/default.aspx/iRules/Log_binary_HTTP_payload_in_hex.html
Here’s one that we touched on briefly in the podcast last week. Hoolio decided that it would be fun or handy or…something, to convert and log the entire HTTP payload in hex for every response. I couldn’t tell you when this would be needed, but it was a pretty darn cool thought, and I thought I’d share it. Maybe he’ll come tell us what it was for. ;)
when HTTP_REQUEST {
    # Log debug? 1=yes, 0=no
    set debug 1
    # Collect up to the first 1MB of POST data
    if {[HTTP::method] eq "POST"}{
        set clength 0
        # Check if there is a Content-Length header and the value is 1MB or less;
        # otherwise (missing header, or a larger body) collect at most 1MB
        if {[HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576}{
            set clength [HTTP::header Content-Length]
        } else {
            set clength 1048576
        }
        # Note the $ on clength: a bare word inside expr is a syntax error
        if {[info exists clength] && $clength > 0} {
            if {$debug}{log local0. "[virtual name]: Collecting $clength bytes"}
            HTTP::collect $clength
        }
    }
}
when HTTP_REQUEST_DATA {
    # Log the collected payload converted to a hex string (H* = all bytes, high nibble first)
    binary scan [HTTP::payload] H* payload_hex
    if {$debug}{log local0. "[virtual name]: payload in hex: $payload_hex"}
}
SNAT based on incoming IP
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1170490&view=topic
Matt dished out a great little example of how to effectively control which snat address a connection is assigned based on the IP range the request is coming in from. It’s simple, it’s efficient, it’s effective, and it’s short. Those are a few of my favorite things in iRules, so here you go.
when CLIENT_ACCEPTED {
    # Pick the SNAT address by the /26 the client address falls in. IP::addr
    # applies the mask to both sides of the comparison, so the host bits of
    # the address given with the mask (the .65 below) are ignored.
    if { [IP::addr [IP::client_addr] equals 10.9.9.0/26] }{
        snat 1.1.1.1
    } elseif { [IP::addr [IP::client_addr] equals 10.9.9.65/26] }{
        snat 2.2.2.2
    } elseif { [IP::addr [IP::client_addr] equals 10.9.9.128/26] }{
        snat 3.3.3.3
    } else {
        # Anything else is routed normally, with no SNAT applied
        forward
    }
}
Intelligent HTTP to HTTPS redirection…now with port handling!
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1168453&view=topic
This is a topic (HTTP to HTTPS redirection) that I’ve shown off at least a few times in the 20LoL, but that’s because it comes up so darn often in the forums and elsewhere. Here is yet another take on how to do it, and a darn good one at that. Note the use of string map, which I heart, and the fact that this one can actually handle requests that specifically have the port declared in the hostname. If you try to redirect to HTTPS but still have a :80 in your host, things might not go as swimmingly as you’d like.
when HTTP_RESPONSE {
    # Check if server response is a redirect
    if { [HTTP::header is_redirect]} {
        # Log original and updated values
        log local0. "Original Location header value: [HTTP::header value Location],\
            updated: [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]"
        # Do the update, replacing http:// with https:// and :80/ with /
        HTTP::header replace Location \
            [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]
    }
}
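As an added illustration (Python rather than an iRule, and not code from the post or from F5), the following models the string map rewrite above next to a parser-based alternative, to show which Location values the plain map handles and which it does not, such as a bare :80 with no trailing slash or an http:// that appears inside the query string. The function names are hypothetical.

```python
"""Model of the Location-header rewrite from the HTTP->HTTPS redirect iRule.

Hypothetical helper, not F5 code: rewrite_location_stringmap mirrors Tcl's
string map -nocase "http:// https:// :80/ /"; rewrite_location_parsed does
the same job by parsing the URL and touching only the scheme and host:port.
"""
from urllib.parse import urlsplit, urlunsplit


def rewrite_location_stringmap(location: str) -> str:
    """Mirror of the iRule's string map.

    Tcl's string map walks the string once; at each position it tries the
    keys in order, replaces the first one that matches and skips past it,
    otherwise copies one character. -nocase matches keys case-insensitively.
    """
    pairs = [("http://", "https://"), (":80/", "/")]
    lower = location.lower()
    out = []
    i = 0
    while i < len(location):
        for key, val in pairs:
            if lower.startswith(key, i):
                out.append(val)
                i += len(key)
                break
        else:
            out.append(location[i])
            i += 1
    return "".join(out)


def rewrite_location_parsed(location: str) -> str:
    """Parser-based rewrite: only the scheme and the host:port change.

    Relative Location values and non-http schemes pass through unchanged, a
    bare ":80" with no trailing path is dropped, any other explicit port is
    kept, and an "http://" inside the query string is left alone.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http" or not parts.netloc:
        return location
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    host = parts.hostname or ""      # note: urlsplit lowercases the host
    if ":" in host:                  # IPv6 literal: restore the brackets
        host = f"[{host}]"
    port = parts.port                # None when no port was given
    netloc = userinfo + host + ("" if port in (None, 80) else f":{port}")
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```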
There you go, 3 more examples of iRules goodness in 20 Lines or Less each. See ya next time.
#Colin
The new LTM VE has opened up the possibilities for writing, testing and deploying iRules in a big way. It’s easier than ever to get a test environment set up in which you can break things (er, develop) to your heart’s content. This is fantastic news for us iRulers that want to be doing the newest, coolest stuff without having to worry about breaking a production system. That’s all well and good, but what the heck do you do to get all of your current stuff onto your test system? There are several options, ranging from copy and paste (shudder) to actual config copies and the like, which all work fine. Assuming all you’re looking for though is to transfer over your iRules, like me, the easiest way I’ve found is to use the iRule editor’s export and import features. It makes it literally a few clicks and super easy to get back up and running in the new environment. First, log into your existing LTM system with your iRule editor (you are using the editor, right? Of course you are…just making sure). You’ll see a screen something like this (right) with a list of a bagillionty iRules on the left and their cool, color coded awesomeness on the right. You can go through and select iRules and start moving them manually, but there’s really no need. All you need to do is go up to the File –> Archive –> Export option and let it do its magic. All it’s doing is saving text files to your local system to archive off all of your iRuley goodness. Once that’s done, you can then spin up your new LTM VE and get logged in via the iRule editor over there. Connect via the iRule editor, and go to File –> Archive –> Import, shown below. Once you choose the import option you’ll start seeing your iRules popping up in the left-hand column, just like you’re used to. This will take a minute depending on how many iRules you have archived (okay, so I may have more than a few iRules in my collection…) but it’s generally pretty snappy.
One important thing to note at this point, however, is that all of your iRules are bolded with an asterisk next to them. This means they are not saved in their current state on the LTM. If you exit at this point, you’ll still be iRuleless, and no one wants that. Luckily Joe thought of that when building the iRule editor, so all you need to do is select File –> Save All, and you’ll be most of the way home. I say most of the way because there will undoubtedly be some errors that you’ll need to clean up. These will be config based errors, like pools that used to exist on your old system and don’t now, etc. You can either go create the pools in the config or comment out those lines. I tend to try and keep my iRules as config agnostic as possible while testing things, so there aren’t a ton of these but some of them always crop up. The editor makes these easy to spot and fix though. The name of the iRule that’s having a problem will stay bolded and any errors in that particular code will be called out (assuming you have that feature turned on) so you can pretty quickly spot them and fix them. This entire process took me about 15 minutes, including cleaning up the code in certain iRules to at least save properly on the new system, and I have a bunch of iRules, so that’s a pretty generous estimate. It really is quick, easy and painless to get your code onto an LTM VE and get hacking (er, coding). An added side benefit, but a cool one, is that you now have your iRules backed up locally. Not only does this mean you’re double plus sure that they won’t be lost, but it means the next time you want to deploy them somewhere, all you have to do is import from the editor. So if you haven’t yet, go download your BIG-IP LTM VE and get started. I can’t recommend it enough. Also make sure to check out some of the really handy DC content that shows you how to tweak it for more interfaces or Joe’s supremely helpful guide on how to use a single VM to run an entire client/LTM/server setup.
Wicked cool stuff. Happy iRuling. #Colin
The hits just keep on coming. Between the release of the LTM VE, some internal DC projects that are brewing, some new site stuff we're trying to polish up, and all that daily stuff that just keeps showing up out of nowhere, there has been no shortage of distractions. There has also, however, been no shortage of amazing content cruising through DevCentral, so this week's Top5 is packed full of it. You know there's a lot of cool stuff out there when I actually had to make a list of about 15 things I'd like to highlight and start whittling it down to just five, and the 20LoL didn’t even make the cut. That’s unheard of in my “iRules ‘till I die” multiverse. So you can rest assured there are many things not in this list worth checking out, but this is the Top5, not the Top13…so here you go:

Post of the Week - The triumphant return, thanks to LTM VE
http://devcentral.f5.com/weblogs/dctv/archive/2010/02/24/post-of-the-week-ndash-the-triumphant-return-thanks-to.aspx

First on the list of hits is a personal favorite that hasn't been around in a while, the post of the week. This one has historically been not only a personal favorite but a fan favorite as well. This has been a highly requested series that lapsed for a while, so now like those kids today say, I'm bringing it back. I've been meaning to get this back on wheels and moving for a while and the amazing (seriously…amazing) response in the LTM VE forum was the perfect impetus to get this going again. You have checked out the LTM VE forum, right? I'll pretend like you said yes. If you haven't, go do it now. Hawesome stuff abounds in there, thanks to the killer users and their tinkering. If you've got questions on the LTM VE, what it can do, getting started, limitations, concerns, etc. this is a good place to start.

Laptop Load Balancing for The Developer With BIG-IP LTM VE
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082333

This article from Joe is an absolute must read for anyone looking to get into the LTM VE with low resource usage. Whether you're trying to cram it into an already busy VM cluster or you're like Joe (and me) and want to get a workable dev environment up and running on your laptop but don't have room for 3 VMs, this article's for you. Joe walks you through just how to get things running with a single VM used to run the LTM VE, and all other needed components for a host/client test setup functioning from the native OS. This is something I hadn't thought of somehow, even though it was a glaringly obvious idea as soon as I saw him write about it (what...don't look at me like that, I WOULD have thought of it…I've been busy!), and is something that is going to make using this amazing technology a lot easier for a lot of people. Big kudos to Joe for taking the time to spoon feed this one to us, complete with a couple scripts to help you set things up because you know, Joe likes to script things.

Whaddya Mean LTM VE Only Has Two Interfaces?
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082331

Continuing the running theme of LTM VE awesomenitude and getting people info they really need to know to get their hands dirty, Jason delivers a solid hit with his demonstration of how to add interfaces to the VE. If you're one of those people that actually want to test networking type stuff then you'll quickly realize that a mere two (not including the management port) interfaces may be shy of what you need for your purposes. Luckily Jason steps in to solve that problem before it even exists by showing you how you can add additional interfaces without breaking a sweat. He even goes so far as to show you how to use VLAN tagging to remove the need for extra interfaces, so you have your choice of solutions. I hear he slices, dices, and cuts through cans, too. He's just that cool. If you've got the LTM VE this one is worth bookmarking and tucking away for later even if you haven't already run into the need for more ways to "plug" things in.

TechDump - Managing multiple systems with pyControl v2
http://devcentral.f5.com/weblogs/dctv/archive/2010/02/24/techdump-managing-multiple-systems-with-pycontrol-v2.aspx

While I could list about a bazillionty more killer things relating to the LTM VE because it's that cool, I thought I'd add a couple other links as well, as there were some things that warranted sharing for sure. First up, Matt delivers yet another cool tutorial on using his amazing pyControl v2 platform for system management. If you haven't checked out pyControl yet I strongly recommend it, obviously even more so if you're a python inclined type. In this tip he shows you how you can deal with multiple systems easily. I love the complete walk through showing code, configs and the process he uses to get things working. This one is easy enough for grandma to follow, but geeky enough for us propeller heads to not get bored. Nicely done.

BIG-IP Logging and Reporting Toolkit - part one
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082334

The other non-LTM VE highlight I wanted to point out was the intro piece to what proves to be a wicked cool series brought to you by Joe Malek, one of the many stellar engineers here at F5. In this series Joe is going to walk us through some concepts behind logging and reporting using your BIG-IP, what your options are, how they compare, and then provide us with some tools to make it easier. This first post outlines the problems inherent, the desired outcome and really just sets the table for the juicy geek content sure to come. (I do mean "sure", I've seen it, it is coming) So take a look, figure out if it's of interest and then check back next week for the next installment. There's a whole world of information and options pertaining to logging and reporting that most people don't even think about when talking BIG-IP, and I'm really looking forward to getting some info out there from someone that's done the legwork to become an expert.

That's it! Unfortunately I'm out of room in my list of 5 cool things to check out. I feel sad, honestly, as I could fill three more of these lists with stuff that's happened in the last two weeks alone, but that just means it's up to you to get out there to DevCentral and dig around, find the goodness yourself, and dig in. It's not hard, the site is veritably oozing with interesting content for you to stumble upon these days, so get to it.

#Colin
Many people in the networking world are aware of BIG-IP as a powerful load balancing and security device. Those that don’t dig deeper, however, are truly missing out on the incredible features just below the surface. Sure load balancing and security policies are interesting and important, but what truly makes BIG-IP stand out from the crowd, at least in my opinion, is the immense breadth of functionality available via the programmatic interfaces of the system, namely iRules, iControl and now tmsh. To me these are the most exciting, intriguing things happening in the market right now. Network side scripting, full API access, on box shell control and customization…how is that stuff not wicked cool? Unfortunately some people haven’t caught up quite yet. For whatever reason they’re being left behind while the rest of us push forward and try out the newest, coolest iRule hoolio posts to the codeshare, or checking out what the new pycontrol bits from Matt can do. If you’re one of the people who has been watching from the sidelines, now is the time to dive in. I’ve seen the same few arguments from people countless times about why they aren’t trying to get the most out of their network by using some of these cool technologies. I understand that some people don’t have a full test or development lab, I understand that there are often strict change control policies, I get that your boss might not be keen on spending the money on the systems if you’re not already a customer, because they don’t understand just how powerful this stuff is. I get it, I really do. Now is your chance, though, to change all that. With the release of the BIG-IP LTM VE all of these roadblocks have been laid asunder with a free, easy to use, readily downloadable and did I mention free LTM environment. Now in just a few minutes you can have that test environment you’ve been pining for so you can start testing crazier iRule-foo. 
You can get to work on building out custom tmsh commands in 10.1 so they’re ready to go when you finally get to upgrade your production systems. You can even put a BIG-IP in front of your test environment to show people what it is you’ve been trying to tell them unsuccessfully all this time while trying to convince them you need some F5 gear: this stuff rocks, and can do amazing stuff. Getting started is easy, just go check out the trial page to get started with the download. While that’s going, get on over to the DevCentral LTM VE page and start browsing around. The forums are already exploding with comments, questions and user experiences. See what other people are up to, what environments they’ve managed to shoe-horn the VE into for their needs, or what cool stuff they’re doing with it. In just a few minutes you’ll have a shiny, new LTM VE, and no more excuses. If I sound like a bit of a fanboy, it’s because I am. I make it no secret how awesome I think F5 development technologies are, and it just got about a thousand percent easier (perhaps over 9000) to get access to them. Heck, I have 2 BIG-IP systems within arm’s reach, and I still use my LTM VE for some of my testing and dev. That’s got to mean something, right? Sure, it’s rate limited. Sure it’s only LTM and not the other modules. Sure there are limitations, but it’s a free trial…what do you expect? If you’re looking for more features, there’s more to come in future releases. Whether you’re a long-time customer, new to the ADC world with F5, are trying to work our gear into your network or you’re just trying to figure out what the heck this stuff does, it doesn’t matter. Get out there, get the trial, get it installed and start using it. Check out the getting started docs, grab a few iRule examples from the CodeShare (requires login) and start playing with the possibilities. 
I’m more than a little bit excited about the sudden and broad availability of LTM to any interested party as not only a traffic management device, but as a development platform. I’m sure you couldn’t tell, though… #Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

With the announcement of the BIG-IP LTM VE this week, the iRules world just got a little more interesting. Between the new commands and features that have come out in the past several months, and now the ability to build and test iRules from your laptop, without having to connect to the internet/network at all, the possibilities just keep expanding. I’m excited to see what kinds of things people come up with and the scenarios I hear about with VEs running all sorts of wacky iRules that people didn’t dare try out on their systems before. Amidst the amazing news of the BIG-IP LTM VE release and the ensuing rush of content, comments and questions surrounding it, the iRules world moves along just as it does every week. As such, I’ve got some more cool examples of iRules goodness exemplifying the brevity I’ve come to seek out.

Strip HTTP Server

Looking for a simple way to remove all headers containing a given string? Perhaps you don’t want to use the sanitize command because you’re leaving in more headers than you’re taking out, but you want to remove some specific headers? Well here you go. A simple little loop that’ll go through all your headers and remove those that match whatever criteria you lay out. In this case it’s removing all headers that begin with x-.

when HTTP_RESPONSE {
    # Remove all instances of the Server header
    HTTP::header remove Server
    # Remove all headers starting with x-
    foreach header_name [HTTP::header names] {
        if {[string match -nocase x-* $header_name]}{
            HTTP::header remove $header_name
        }
    }
}
Change Content Disposition
I’m pretty certain I’ve posted a way to do this here before, or maybe that was a tech tip..they all blur together. This is a very quick, elegant way to do so however, so I wanted to share (even if it’s sharing the same concept again).
when HTTP_REQUEST {
    # Save the query string so it is available in the response event
    # (the original used a bare URI::query, which stores that literal string)
    set querystring [HTTP::query]
}
when HTTP_RESPONSE {
    if { $querystring contains "attachment=1" } {
        # Only rewrite a header that is present; replace would otherwise insert an empty one
        if { [HTTP::header exists Content-Disposition] } {
            HTTP::header replace Content-Disposition \
                [string map -nocase "inline attachment" [HTTP::header Content-Disposition]]
        }
    }
}
Particularly Tricky Path Parsing
Someone was looking to parse the first two letters of the HTTP path, and came up with a very neat way of doing just that. They’re performing structured matches based on character sets in a glob style match with switch. Very inventive and it looks quite efficient & functional. Nicely played.
when HTTP_REQUEST {
    # Parse the first then second character in the path
    switch -glob [string tolower [HTTP::path]] {
        "/a[a-l]*" {
            pool reward-uat5.123.com_AA2AL
        }
        "/a[m-z]*" -
        "/b[a-l]*" {
            pool reward-uat5.123.com_AM2BL
        }
        "/b[m-z]*" -
        "/c[a-d]*" {
            pool reward-uat5.123.com_BM2CD
        }
        default {
            # Requested URI was a leading forward slash only
            pool reward-uat5.123.com_AA2AL
        }
    }
}
There’s your 20LoL for the week. Thanks for keeping up with the awesome examples guys. See you next week for three more.
#Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

It’s been hectic here in DCland and finding time to write has been more difficult than normal, though that shouldn’t be a problem much longer. Fortunately for all of us this awesome community keeps kicking out the jams so I can rely on their hawesome knowledge to provide cool iRule snippets. This week we’ve got two iRules from the forums and one from my own collection.

URI Rewriting done differently
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1167775&view=topic

First up, URI rewriting…with style. I made a tweet recently about my newly rekindled love for the scan command and it was great to see someone else making use of it as well. Aaron brings us a very cool example of switching on file types which is standard fare, but then he shows off a very cool way to use scan to strip out the first URI segment between the first two slashes. I like it.

when HTTP_REQUEST {
    # Check the requested path (URI minus query string)
    switch -glob [string tolower [HTTP::path]] {
        "*.gif" -
        "*.js" -
        "*.css" -
        "*.jpg" -
        "*.bmp" {
            # Read in everything after the first / that is not a /.
            # Save that to $session_id and everything else to $uri_to_save
            # scan will return the number of matches
            if {[scan [HTTP::uri] {/%[^/]%s} session_id uri_to_save] == 2}{
                # Rewrite the URI without the session ID
                #log local0. "$session_id"
                HTTP::uri $uri_to_save
            }
        }
    }
}

Class ordering and search lengths
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1167433&view=topic

User FishNiX brings a wicked cool look at searching not by a given parameter but by the length of the string being matched. By first sorting a class by element length they were able to ensure they always get the longest (most complete) match. Very inventive and something I haven’t seen before. Nicely done.

rule set_pool_by_host_and_uri {
    when HTTP_REQUEST {
        # Class order isn't guaranteed to come back in the order entered in the bigip.conf...
        # Each row is "host uri pool"; sorting on the uri field in decreasing order puts
        # a longer prefix ahead of any shorter prefix of itself, so the first
        # starts_with hit is the most specific one.
        log local0. "list: $::host_uri_pool_selector_class"
        log local0. "lsort: [lsort -decreasing -index 1 $::host_uri_pool_selector_class]"
        foreach row [lsort -decreasing -index 1 $::host_uri_pool_selector_class] {
            log local0. "\$row: $row"
            if { [string tolower [HTTP::host]] equals [getfield $row " " 1] }{
                if { [string tolower [HTTP::uri]] starts_with [getfield $row " " 2] }{
                    pool [getfield $row " " 3]
                    break
                }
            }
        }
    }
}

Partial Portal Access

Something that’s been bouncing around in my head for a while was the idea of being able to limit access to given applications based on a combination of criteria. Say for instance you wanted to limit access to the URIs that make up your intranet to only internal IPs, but allow access to everything else from anyone, well that’s exactly what this iRule is designed to do. You end up with two classes, one for the list of allowed IPs, and one for the list of page IDs you want to restrict. Fun stuff.

when HTTP_REQUEST {
    # Internal clients are never restricted
    if { !([matchclass [IP::client_addr] equals $::InternalIPs])} {
        # Lowercase and decode the URI, then pull the page ID out of the query string
        if {[scan [URI::decode [string tolower [HTTP::uri]]] "/default.aspx?tabid=%d" tabid] == 1 } {
            if { [matchclass $tabid equals $::intranet_pages] } {
                drop
                log local0. "Dropped request from IP: [IP::client_addr]"
            }
        }
    }
}

If you’ve got ideas or examples of iRules doing a lot in a little bit of space, send them my way. Otherwise, see you next 20LoL.

#Colin
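An added Python model of the Partial Portal Access decision above (not an iRule and not code from the post), with constructed stand-ins for the InternalIPs and intranet_pages classes; it splits the path from the query and decodes each part separately rather than scanning for tabid as the first parameter, so the check does not depend on parameter order or URL encoding. Function and constant names are hypothetical.

```python
"""Model of the "Partial Portal Access" iRule: restricted page IDs are only
reachable from internal addresses. Hypothetical helper, not F5 code."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample data standing in for the iRule's InternalIPs and
# intranet_pages classes (hypothetical values).
INTERNAL_IPS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
INTRANET_PAGES = {101, 102, 250}


def is_internal(client_addr: str) -> bool:
    """Equivalent of [matchclass [IP::client_addr] equals $::InternalIPs]."""
    addr = ip_address(client_addr)
    return any(addr in net for net in INTERNAL_IPS)


def requested_tabids(uri: str) -> list:
    """Return every integer tabid in a /default.aspx request (empty if none).

    The iRule lowercases and URI-decodes the whole URI and then scans for
    "/default.aspx?tabid=%d", which only sees tabid when it is the first
    parameter. Here the path and query are split first, the path is decoded
    on its own, and parse_qs decodes the query, so tabid is found wherever
    it sits and however its value is encoded.
    """
    parts = urlsplit(uri)
    if unquote(parts.path).lower() != "/default.aspx":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    tabids = []
    for key, values in params.items():
        if key.lower() != "tabid":
            continue
        for value in values:
            m = re.match(r"[-+]?\d+", value)  # like scan %d: leading integer only
            if m:
                tabids.append(int(m.group()))
    return tabids


def allow_request(client_addr: str, uri: str) -> bool:
    """The iRule's decision: internal clients always pass; any other client
    is dropped when the request names a restricted page ID (any tabid value
    on the request counts, which errs on the side of denying)."""
    if is_internal(client_addr):
        return True
    return not any(tabid in INTRANET_PAGES for tabid in requested_tabids(uri))
```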
Wow! What a whirlwind it's been the past few weeks. Between holidays and vacation and people traveling out of town, it's been an absolute zoo around here. Though I've been out the past week or so, there has been an avalanche of content. I've hemmed and hawed and finally managed to slim my picks down to just five, though there are at least a dozen awesome things worth checking out on DevCentral in the past week or so. So don't be shy, get out there and poke around for yourself. For now, though, here are my top 5 picks for the week:

v10.1 - The table Command - The Basics
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2375
The new table command introduced in 10.1 is so hawesome and powerful it's hard for me to decide where to even begin describing the grandeur that is the table command. I've decided to begin at the beginning, and point you to the basics first. There are nine (yes, 9) tech tips published in the past week or so having to do with the new table command. They range from this intro doc to some pretty powerful, in-depth, well-explained examples. They are all penned by the creator of the command and go into amazing detail. This series has instantly become a contender for one of my favorite batches of content ever released on DevCentral, which is saying something. If you're looking for a way to store data, store data in a structured format, perform counting operations or about a bagillion other things dealing with data storage and manipulation in iRules, you must read about the table command. Huge thanks to spark for the work on the command and going above and beyond on the documentation.

TMSH Scripting in v10.1
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2374
This week's Top5 has not one, but two awesome docs regarding scripting on your BIG-IP. While iRules are near and dear to my heart, TMSH is quickly catching my interest as well. The new shell, along with the powerful new scripting capabilities, is wicked cool and has the potential to do some pretty amazing things. TMSH crams a huge amount of utility into an easily approachable package. This great doc Jason wrote up gets you started in style with an excellent description of where to begin, then takes you quite a bit further, giving you examples of just how to build your own script. The possibilities seem rather limitless, so I'm excited to see what people start doing once they get the hang of it. Check this one out for sure, and if you like what you see I'd recommend taking a look at the TMSH wiki and maybe giving this week's podcast, where we spoke with Mark Crosland in depth about TMSH, a listen.

ARX Config, Day One
http://devcentral.f5.com/weblogs/dmacvittie/archive/2010/01/18/arx-config-day-one.aspx
In the first installment of what I'm hoping proves to be a long, detailed series describing his experiences with his ARX, Don dishes out a great intro post about getting his ARX out of the box and working. He's honest and gives plenty of details about both what he loved and what he…didn't, which I appreciate. It sounds like he also plans to go into detail about any troubles he's having or things that he finds that stand out to him and that users should know about. With his vast experience in the storage world, getting to see an ARX through his eyes is just about the next best thing to getting to fiddle with one yourself. So if you have any interest in learning what it's like to set up and start using an ARX device, I recommend keeping a keen eye on this series. Having no ARX experience myself, I'm quite interested to get his impressions, so I'll be one of the subscribed readers too.

iRule Editor - Offline Editing
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2385
Joe's amazing creation, the iRule Editor, just got better. He's released a couple of new features for it recently, but the one that caught my attention the most is something that people have been asking about for quite some time now: offline editing. The iRule Editor has previously been a 100% online tool. You'd fire it up, connect to your device and start editing away. But what if you're on a plane or just don't have a device to connect to? Well, you were out of luck. Even though you could save the iRules themselves to your on-disk archive, the editor wouldn't allow you to edit them offline before. But now, you can. Keep in mind that you won't be able to use any syntax checking, because that uses tmm on the BIG-IP to test-compile the code, but you can edit to your heart's content along with all the handy features of the iRule Editor you've grown to love. Joe even took the time to go through a walkthrough of how this works and show you how to use the cool new feature in this video. This is a very cool improvement…thanks Joe!

Following Google's Lead on Security? Don't Forget to Encrypt Cookies
http://devcentral.f5.com/weblogs/macvittie/archive/2010/01/15/google-gmail-ssl-cookie-encryption.aspx
Last but certainly not least is Lori's post talking about SSL and why it isn't the only thing you need to think about when working on securing an application. Yes, SSL is an excellent and pretty standard first step to securing an online application these days. I, just like Lori, completely agree that you should be using SSL encryption as a security measure if you're at all concerned about your users or their data. Something Lori mentions, though, is spot on: "it’s not a panacea, especially where cookies are involved". Just because something is being encrypted across the wire doesn't mean that you can necessarily assume that it's going to be 100% safe once it gets where it's going. Data being stored on a client system, such as cookies that carry auth information, is a prime target for many malicious attacks trying to pry at user info. Cookie encryption can be a powerful agent in stopping this and stepping up your security one more level. Have a look for yourself for a more detailed description of how this works.

There you have this week's DevCentral Top5. As always, feedback is welcomed and you can check out previous versions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

So here we are in the future. Surely by 2010 we should have jetpacks and hover cars and personal teleporters, right? Well, technological advancements may have fallen short on some of those things promised to us time and time again by the world of sci-fi, but advancements there have been. After 100+ examples of iRules in 20 Lines or Less I’m continually impressed by what people can come up with to accomplish in a few lines of code. With new versions, new commands and a continually growing community, I have nothing but high hopes for the 20LoL and the DC community in general in twenty-ten. With that, let’s dig into a few of the first iRule examples to be shown off this decade.

Load balanced Redirection
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814405&view=topic
In this example Aaron shows up my simple little outline of a rule with his more thought-out logic. Showing you how you might load balance to a pair of redirects rather than actual pools or nodes, he even shows you how to make sure that you aren’t redirecting to a downed location by making use of the LTM’s built-in features. Very cool.
when HTTP_REQUEST {
    # For a load balancing selection from the VIPs default pool
    # This assumes you've set the pool's load balancing algorithm to round robin
    switch [LB::select] {
        "1.1.1.1" {
            # Send client a 302 redirect with the hostname which corresponds to the 1.1.1.1 server IP
            HTTP::respond 302 Location "http://firsthost.domain.com" Cache-Control No-Cache Pragma No-Cache
        }
        "2.2.2.2" {
            # Send client a 302 redirect with the hostname which corresponds to the 2.2.2.2 server IP
            HTTP::respond 302 Location "http://secondhost.domain.com" Cache-Control No-Cache Pragma No-Cache
        }
        default {
            # Take some default action if both servers are marked down?
        }
    }
}
Terminate TCP Sessions
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814016&view=topic
In this extremely cool example we get a peek at how user millencol1n uses an iRule to fire Bigpipe commands. By logging a particular string, then having his system fire a command based on that particular string when it’s found in the log, he’s able to effectively have his iRule firing off Bigpipe commands to clean his TCP sessions. That’s some neat stuff. Thanks for the example.
when RULE_INIT {
    set ::count 0
}
when CLIENT_ACCEPTED {
    if { [active_members pool_a] > 0 } {
        pool pool_a
        log local0. "primary active"
        if { $::count == 1 } {
            log "clean sessions"
            set ::count 0
        }
    } else {
        pool pool_b
        log local0. "secondary active"
        set ::count 1
    }
}
when LB_FAILED {
    pool pool_b
    set ::count 1
    log local0. "Selected member: [LB::server addr]"
}
Restricting browser types
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=814336&view=topic
This example shows us how one could easily limit users to a particular user agent, which generally translates into a given browser type for those non-spoofing types. If your application only works in IE, or you only want users with Firefox accessing certain sections of your site, this simple little snippet will get you where you need to go.
when HTTP_REQUEST {
    # Check if the UA header does not contain MSIE
    if { not ([HTTP::header "User-Agent"] contains "MSIE") } {
        # Send an HTTP response indicating the UA isn't allowed?
        HTTP::respond 200 content {<html>your browser isn't allowed</html>}
    }
}
I hope you had a great year last year and I’m looking forward to an even better one this year. As always all questions, comments & feedback are welcomed. Until next time, keep those examples coming and keep iRuling.
#Colin
There has been plenty to do the past couple of weeks, which means there's plenty to talk about today. Ranging from gaming to storage virtualization to interviews and more, I bring you my Top 5 picks of the week from DevCentral. And yes, of course there are some iRules in there. Here's your Top5:

Delivering SaaS Solutions with Hobsons Patrick McFadin
http://devcentral.f5.com/weblogs/interviews/archive/2009/12/07/delivering-saas-solutions-with-hobsons-patrick-mcfadin.aspx
In this interview with Patrick McFadin, Ken Salchow talks about software as a service, virtualization, spikes in traffic causing delivery challenges, and more. Perhaps more importantly, the two talk about how F5's offerings, most notably in their case LTM, allow them to make the most out of their systems and applications, and handle the challenges that get thrown at them. This isn't a new story. Making use of F5 products and advanced technologies such as iRules has made this kind of leg-work a thousand times easier for many people. I just found it extremely cool to be able to listen in on such a candid chat with one such user. Patrick even went so far as to say, "I don't think we could do what we do without our F5 units in place". That's some pretty cool stuff, right there.

X marks the Games
http://devcentral.f5.com/weblogs/psilva/archive/2009/12/08/x-marks-the-games.aspx
In his 24th offering in the great 26 Short Topics about Security series, Pete Silva talks to us about gaming. I know, I know…g is not the 24th letter of the alphabet. I'll allow Pete the stretch, though. He's talking about gaming, gaming security, gaming platforms, and steers us carefully towards Xbox. Well played, sir. Having satisfied his need to find a letter X to which security is related, he goes on to discuss some very real issues with security in a gaming world. Being an avid gamer myself, this was of interest, and I found most of it to be pretty spot on. Letting your guard down simply because you're online gaming may result in a stolen credit card almost as fast as clicking a bad link in an email and "logging in". It's a dangerous web out there; keep your guard up.

File Virtualization… The short primer
http://devcentral.f5.com/weblogs/dmacvittie/archive/2009/12/06/file-virtualizationhellip-the-short-primer.aspx
Don chose to talk about storage over the past week. In one of a couple of posts in a somewhat heated thread with another storage space writer, Don talks about ARX, though you may have missed it if you weren't looking closely. It's not that he barely talks about it; it's more that you might not realize that he's talking about it past the dropping of the name in the beginning. The commentary is solid, though, discussing File Virtualization and NAS vs. SAN concerns. I'm not a storage expert, and he clearly is, so I won't try and re-write his post, but I'd definitely recommend checking it out. Virtualization is big and getting bigger, and file virtualization is an important yet often overlooked part of any large-scale virtualization story. This one's worth a read.

Next-Generation Management of Data Centers Should be Modeled on Social Networking
http://devcentral.f5.com/weblogs/macvittie/archive/2009/12/04/next-generation-management-of-data-centers-should-be-modeled-on-social.aspx
Leave it to Lori to draw a correlation between Facebook and NMS. I mean, really? I love it, don't get me wrong, but never in a million years would I have thought to suggest it in such a manner, let alone create a pretty cool mock-up of just how "infrabook" might look. She makes some strong points, though, if you think about it. Networking is networking, whether you're connecting people or servers, and the idea of building "relationships" between objects is germane in both the social networking and "networking networking" worlds. I like her thought process and some of the points she raises. Am I ready to log into Facebook and manage my Ubuntu systems for a corp. net there? No, but neither is she. That doesn't mean some of the same ideas and utilities wouldn't apply. Check this one out; it's fun and makes you think.

20 Lines or Less #33 - Killer contest entries in 20 Lines or Less
http://devcentral.f5.com/weblogs/cwalker/archive/2009/12/11/20-lines-or-less-33-ndash-killer-contest-entries.aspx
With three more entries to the 20 Lines or Less series, I'm happy to announce that we've broken the century mark. With over 100 cool examples of what iRules can do for you in just a few short lines of code, the 20LoL is now gunning for 200 entries. What's more is that this week's 20LoL is a special iRule Do You? contest edition. Three of the entries into the contest that either won or received honorable mention were perfect examples for this series, so I figured I'd highlight them again. With two winners and an honorable mention in this year's contest weighing in at less than 21 lines of (actual) code each, there should be no doubt as to just how much power you can pack into a small iRules package. This series continues to be a blast to write, so look out for more small iRules kicking serious butt heading your way.

There are my Top5 picks for the week. Hopefully you found them helpful. Shoot me some feedback if you have it; otherwise, thanks for reading and I hope you'll be back next week for more. As always, you can check out older versions of the Top5 here - http://devcentral.f5.com/Default.aspx?tabid=101

#Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head. This week the answer to that question is a good one – Win the iRule do You? contest!

Rather than trolling the forums, CodeShare and my personal archives, this week I bring to you a special 20LoL edition. This week’s entries are pulled from the winners and honorable mentions of the recently completed iRule Do You? contest here on DevCentral. I absolutely love that I get to show you some short iRules that are not only neat or interesting, but they’re so innovative, creative and powerful that they won (or almost won) prizes in our annual contest. If that’s not proof that you can do amazing things in just a few lines of code with iRules, then I don’t know what is. This wasn’t planned, I didn’t trim these down; the stars just aligned right for me to be able to spotlight a few super cool rules from this year’s contest. For complete contest results & entries, as well as full descriptions of each rule, check out the contest pages on DC.

Today’s 20LoL is doubly special, though. Not only do I get to highlight some clearly awesome contest entries, this also marks the edition where the 20LoL eclipses the 100 examples mark. Over 100 examples of iRules doing what iRules do in under 21 lines of code. I’m stoked that I’ve gotten to continue with this feature this long, and I’m looking forward to hundreds more. Thanks for reading.

RTSP-redirect – by Jari Leppälä
http://devcentral.f5.com/Default.aspx?tabid=2227
In an attempt to build hash based persistence, Jari built this cool iRule that not only performs the needed persistence, but does so without forcing the traffic to ever even flow through the BIG-IP. Using the BIG-IP as a logic device but not bothering it with the traffic is a slick concept to me in this case. Gotta love it.

when RTSP_REQUEST {
    if { [RTSP::method] contains "OPTIONS" } {
        RTSP::respond 200 OK "Server: F5-redirector\r\nPublic: OPTIONS, SETUP\r\n\r\n"
    }
    if { [RTSP::method] contains "SETUP" or [RTSP::method] contains "DESCRIBE" } {
        set client [IP::remote_addr]
        regexp "rtsp://.*/(.*)$" [RTSP::uri] url file
        # MD5 Hash & Persistence
        set S ""
        foreach N [active_members -list vod] {
            if { [md5 $N$file] > $S } {
                set S [md5 $N$file]
                set W $N
            }
        }
        set vod [lindex $W 0]
        set newuri "rtsp://$vod:554/$file"
        RTSP::respond 302 MOVED_TEMPORARILY "Server: F5-redirector\r\nLocation: $newuri\r\nConnection: close\r\n\r\n"
        log "Client ($client) request to $file redirected to $newuri"
    }
}

Encrypt Outgoing Soa Request – by Sake Blok
http://devcentral.f5.com/Default.aspx?tabid=2228
Looking for a way to make his outbound SOA traffic more secure, Sake came up with yet another iRule contest winner this year. No stranger to the winner’s circle, Sake continues to be an awesome contributor with innovative, original ideas for how to bend iRules to his whims. I always love seeing what he comes up with, and this was no exception.

when RULE_INIT {
    # Debug off (0), Errors-only(1), On(2) or Verbose(3)
    set ::debug 3
    if { $::debug>=2 } { log local0. "Log level set to $::debug" }
}
when CLIENT_ACCEPTED {
    # Remember the address of the destination SOA server
    set SoaServerIP [IP::local_addr]
    if { $::debug>=3 } { log local0. "$SoaServerIP: Outgoing connection requested" }
}
when HTTP_REQUEST {
    # Extract the hostname of the SOA server from the HTTP request
    # This name must match the common name in the certificate
    # of the SOA server when the SSL session is set up.
    set SoaServerName [string tolower [substr [HTTP::host] 0 ":"]]
    if { $::debug>=3 } { log local0. "$SoaServerIP: Hostname = $SoaServerName" }
    # Overrule the dummy address in the default pool of the virtual
    # and change it to the address of the SoaServer. Also change the
    # destination port from 80 to 443.
    node $SoaServerIP 443
}
when SERVERSSL_HANDSHAKE {
    # Extract the server certificate from the SOA server ServerHello message
    set SoaServerCert [SSL::cert 0]
    # Extract the common name from the server certificate
    set CommonName [string tolower [findstr [X509::subject $SoaServerCert] "CN=" 3 ","]]
    if { $::debug>=3 } { log local0. "$SoaServerIP: Common Name = $CommonName" }
    if { $CommonName ne $SoaServerName } {
        clientside {TCP::respond "HTTP/1.1 403 WRONG CERTIFICATE\r\n\r\nThe common name $CommonName in the certificate at $SoaServerIP does not match to hostname $SoaServerName in the SOA request.\r\n"}
        TCP::close
        if { $::debug>=1 } { log local0. "$SoaServerIP: Name mismatch CN=$CommonName, Hostname=$SoaServerName" }
    } else {
        # Create a log entry for this (successful) request
        if { $::debug>=2 } { log local0. "$SoaServerIP: Request to $SoaServerName successfully forwarded" }
    }
}

DSL Setup DNS – by Christopher Wood
http://devcentral.f5.com/Default.aspx?tabid=2229
Even though Christopher didn’t quite claim victory this year, his entry was one of my personal favorites and showed that he absolutely has the ability to do so. I have no doubt that he’ll be a force to be reckoned with in coming contests. This very cool iRule shows how he was able to make the process of getting users with newly installed DSL modems online much simpler. Not only did it solve an immediate problem (getting users online with ease), it reduced support calls too. That’s a double win.

when RULE_INIT {
    # Header generation (in hexadecimal)
    # qr(1) opcode(0000) AA(1) TC(0) RD(1) RA(1) Z(000) RCODE(0000)
    set ::header "8580"
    # 1 question, 1 answer, 0 NS, 0 Addition
    set ::header "${::header}0001000100000000"
    # Type = A
    set ::answerz "0001"
    # Class = IN
    set ::answerz "${::answerz}0001"
    # TTL = 1 minute
    set ::answerz "${::answerz}0000003c"
    # Data length = 4
    set ::answerz "${::answerz}0004"
    # Address = 0.0.0.0 (in hex)
    set ::answerz "${::answerz}00000000"
}
when CLIENT_DATA {
    binary scan [UDP::payload] H4@12A*@12H* id dname question
    # the drop statement below has to be in an if context
    if { 1 } {
        set ::questionx "${question}"
        set ::myl [string range ${::questionx} 0 end-8]
        set ::myllower [string tolower ${::myl}]
        # this is the decimal representation of the hex for lowercased "fake.com"
        if { [ string match "*1234567890abcdef123456" ${::myllower} ] } {
            pool internal-DNS
        } else {
            set payload [binary format H* ${id}${::header}${question}${::myl}${::answerz} ]
            # drops the incoming connection
            drop
            UDP::respond $payload
        }
    }
}

Thanks again to everyone who participated in this year’s iRule Do You? contest. I hope to see even more entries next year, and more people doing hawesome things in just a few lines of code. Here’s your proof that it’s possible; see what you can do to top them.

#Colin
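The persistence trick in Jari's RTSP-redirect rule above is highest-random-weight (rendezvous) hashing: every active member is scored with md5(member + file) and the highest score wins, so a file always lands on the same server, and removing a member only moves the files that member owned. Here it is as an added Python example (not Jari's code); the member list is a constructed stand-in for [active_members -list vod].

```python
import hashlib

# Constructed stand-in for [active_members -list vod]. Each entry is
# "<ip> <port>", which is why the iRule takes [lindex $W 0] for the address.
VOD_MEMBERS = ["10.0.0.11 554", "10.0.0.12 554", "10.0.0.13 554"]


def pick_member(members, file):
    """Return the member with the highest md5(member + file), as the iRule does.

    The iRule compares the raw md5 output with Tcl's '>' (a string compare);
    comparing hex digests here gives the same stable ordering.
    """
    best_hash = ""
    best_member = None
    for member in members:
        h = hashlib.md5((member + file).encode()).hexdigest()
        if h > best_hash:
            best_hash, best_member = h, member
    return best_member


def redirect_uri(members, file):
    """The Location the rule would send in its 302, or None with no members.

    (The iRule itself would hit an unset $W when the pool has no active
    members; handling that case explicitly is the one addition here.)
    """
    member = pick_member(members, file)
    if member is None:
        return None
    vod = member.split(" ")[0]          # [lindex $W 0]
    return "rtsp://%s:554/%s" % (vod, file)


def only_removed_member_files_move(files, members, removed):
    """Rendezvous property: dropping `removed` relocates only its own files."""
    remaining = [m for m in members if m != removed]
    for f in files:
        before = pick_member(members, f)
        after = pick_member(remaining, f)
        if before != removed and after != before:
            return False
    return True


if __name__ == "__main__":
    files = ["clip%d.mp4" % i for i in range(30)]
    for f in files[:5]:
        print(f, "->", redirect_uri(VOD_MEMBERS, f))
    print("stable on member loss:",
          only_removed_member_files_move(files, VOD_MEMBERS, VOD_MEMBERS[-1]))
```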
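To make the byte layout of Christopher's DSL Setup DNS rule concrete, here is an added Python example (not Christopher's code) that builds the same synthetic A response from a raw query packet, using the rule's own header and answer hex constants, and parses it back to check the result. The query packet and the passthrough name are constructed stand-ins.

```python
import struct

# Constants lifted from the iRule's RULE_INIT hex strings.
HEADER_FLAGS = 0x8580   # QR=1, opcode 0, AA=1, TC=0, RD=1, RA=1, Z=0, RCODE=0
# Type A, class IN, TTL 60 s, RDLENGTH 4, address 0.0.0.0
ANSWER_TAIL = bytes.fromhex("0001" "0001" "0000003c" "0004" "00000000")


def encode_qname(name):
    """Encode 'a.b.c' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset=12):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, name, qtype=1, qclass=1):
    """Constructed client query (RD=1), as a modem's resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, qclass)


def should_forward(query, passthrough_name="fake.com"):
    """The rule forwards one name to pool internal-DNS and answers all others.

    It matches the lower-cased hex of the encoded name; lower-casing hex
    digits does not change the case of the name they encode, so the real
    rule is case-sensitive on the name. The decoded name is compared
    case-insensitively here instead.
    """
    name, _ = decode_qname(query)
    return name.lower() == passthrough_name


def build_fake_response(query):
    """Mirror the rule's payload: id + fixed header + question + qname + answer."""
    txid = query[:2]                   # binary scan H4     -> id
    question = query[12:]              # binary scan @12H*  -> question
    qname = question[:-4]              # string range 0 end-8 drops QTYPE/QCLASS
    header = struct.pack(">HHHHH", HEADER_FLAGS, 1, 1, 0, 0)
    return txid + header + question + qname + ANSWER_TAIL


def parse_response(resp):
    """Decode the synthetic answer so its layout can be checked."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    name, off = decode_qname(resp)
    off += 4                           # skip QTYPE/QCLASS of the question
    answer_name, off = decode_qname(resp, off)
    atype, aclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return {
        "id": txid, "flags": flags, "qdcount": qd, "ancount": an,
        "name": name, "answer_name": answer_name,
        "type": atype, "class": aclass, "ttl": ttl,
        "address": ".".join(str(b) for b in rdata),
    }


def roundtrip(txid, name):
    """Query -> synthetic response -> parsed fields, for inspection and tests."""
    return parse_response(build_fake_response(build_query(txid, name)))


if __name__ == "__main__":
    print(roundtrip(0x1234, "portal.example.test"))
    print("forward fake.com:", should_forward(build_query(1, "fake.com")))
```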
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

SIP topology hiding forward proxy
http://devcentral.f5.com/wiki/default.aspx/iRules/SIP_topology_hiding_and_forward_proxy.html
If you’re passing SIP traffic and want a way to mask the Via and/or From headers when passing traffic to the outside world, this might be just the rule you’ve been waiting for. It’s a cool look at using iRules for an off-the-wall issue with a non-HTTP protocol. This is a simplified version of the original iRule to cram it down to less than 21 lines, but the functionality is identical. Just a lot fewer comments and a few fewer variables being set. Good stuff.

when SIP_REQUEST {
    set originator_ip [IP::remote_addr]
    node [IP::local_addr]:[TCP::local_port]
}
when SIP_REQUEST_SEND {
    set snat_ip [serverside {IP::local_addr}]
    set ip_map [list [findstr [SIP::header From] "@" 1 ">"] $snat_ip]
    SIP::header remove from
    SIP::header insert from "[string map $ip_map [SIP::header "From"]]"
    SIP::header remove via
    SIP::header insert via [string map $ip_map [SIP::header "Via"]]
}
when SIP_RESPONSE {
    set ip_map [list $snat_ip $originator_ip]
    SIP::header remove from
    SIP::header insert from "[string map $ip_map [SIP::header "From"]]"
    SIP::header remove via
    SIP::header insert via [string map $ip_map [SIP::header "Via"]]
}

CMP v10 Compatible counters using the session table
http://devcentral.f5.com/wiki/default.aspx/iRules/CMP_v10_compatible_counters_using_the_session_table.html
In this codeshare entry hoolio outlines two different ways to set up counters using the session table in v10. The benefit to this is that it’s fully CMP compliant, which in certain systems will up performance considerably. It’s also much cooler because the second of the two examples packed into a single iRule shows how to make virtual-specific variables for your counters, which is a trick I like a lot. I’m just highlighting the virtual-specific version, though Aaron showed you how to do both a virtual-specific version and a global version in the original post, linked above.

when HTTP_REQUEST {
    set vip [virtual name]
    set value [session lookup uie "${vip}_my_counter"]
    if {$value eq ""}{
        session add uie "${vip}_my_counter" 0
    } else {
        session add uie "${vip}_my_counter" [expr {$value + 1}]
    }
}

v10 Class matching
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86237&view=topic
In version 10 iRules were given a whole new way to access data groups: the class command. The class command offers a host of new and powerful abilities, and Aaron’s making use of one of them in this example. I want to dig into this more and see what other options there might be to achieve what he’s gunning for, but this one isn’t a bad one at all, so I thought I’d highlight it.

# Loop through each class line
for {set i 0} {$i < [class size my_dgl]} {incr i} {
    # Use scan to parse the two fields from the class
    scan [class element -name $i my_dgl] {%[^ ]%s} my_pattern my_value
    # Use string match to evaluate the pattern against the string
    if {[string match -nocase $my_pattern [HTTP::uri]]}{
        # Found a match
        log local0. "Matched $my_pattern, using $my_value"
        break
    }
}

That’s it for this week. I’ll be out next week for vacation/holiday, so check back the week after for more condensed iRule goodness!

#Colin
While ramping up for "The Next Big Thing" continues amongst the DC staff, there is much to talk about in regards to content that's happening in the here and now, not just in the eagerly awaited future (with jet-packs and stuff…). DevCentral has seen its share of cool content this week, as it does every week, so let's talk about what needs talking about. Bringing you everything from TCL strings to a philosophical discussion of when vs. where and which is more important, I'm here with my Top5 picks for the week. And here they are:

When Is More Important Than Where in Web Application Security
http://devcentral.f5.com/weblogs/macvittie/archive/2009/11/06/when-is-more-important-than-where-in-web-application-security.aspx
In this post Lori was as insightful and informative as ever, discussing why being timely is more important, in general, than being perfect when it comes to application security. It's a pretty simple concept to me. When it comes right down to it, no one really cares where you solve a security problem; they care about when you solve it. It's well and good that you want to argue that things should be solved at the app layer vs. the WAF, but if I can provide a solution in 10 minutes...how long is it going to take you to patch every single application for even a minuscule security flaw? I agree just as much with Lori's reminder that WAF and app security models shouldn't compete. They are complementary in the war against attacks, not mutually exclusive, and should be treated as such. Every time someone tries to tell you which method is more "proper" or "correct", though, I'd ask them just how much they care about being proper in very real terms. How much is it worth in terms of hours (or days) of their application being exposed? At what point is it worth trading 20, 40, 120 hours of being exposed to a known exploit for an ounce of being "proper", which is already debatable at best, as opposed to getting the fix in place in a fraction of the time? Lori being insightful and informative isn't anything new. She knew she had a solid point to make and I tend to agree. What she didn't know was just how timely she was in setting the stage for her point to be illustrated, but we'll get to that in a moment. They call that foreshadowing, I think. I can tell you're on pins and needles.

20 Lines or Less #31 - Traffic shaping, header re-writing, and TLS renegotiation
http://devcentral.f5.com/weblogs/cwalker/archive/2009/11/06/20-lines-or-less-31-ndash-traffic-shaping-header-re-writing.aspx
Behold, your suspense is relieved! I unveil before your very eyes the payoff to Lori's unintentional setting of the stage. But how, you ask, does the 20LoL tie in with the When vs. Where of App Security? Via the much discussed TLS renegotiation vulnerability that has been burning up the net, of course. When a security measure as deeply rooted and common as TLS encryption is found to be susceptible to attacks, there is much to talk about, and talk they have. It turns out that via a man-in-the-middle attack would-be ne'er-do-wells have the potential to insert information into a renegotiated SSL connection. This is very bad. What's very good, however, is that a user from the DevCentral community drafted a simple fix, at least in their deployment, the very next day. That's the power of iRules. Agility at its very finest, if I've ever seen it. We could debate all day where the best place, technically speaking, to implement the fix is. Or we could just fix it in about 10 minutes of coding and another 30 minutes of testing, and be done with it. That's just one of the rules in the 20LoL, of course. There are two more very cool examples of iRules doing the cool things they do in less than 21 lines of code. Check them out.

iRules 101 - #16 - Parsing Strings with the TCL Scan Command
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=2346
Jason digs into the amazingly powerful yet often overlooked scan command in his latest contribution to the iRules 101 series. The scan command has some pretty staggeringly powerful capabilities to parse strings in an ultra-efficient manner. It takes a little getting used to, but it's definitely a command that has potential beyond what's obvious at first glance. Jason does a good job of breaking down some of the options and giving clear examples of not only the command itself but how you might use it in the context of an iRule. Very cool stuff, and worth a read for any current or would-be iRulers out there.

Operations Manager Debugging Part I: Top 10 Tools for Developing and Debugging Management Packs
http://devcentral.f5.com/weblogs/jhendrickson/archive/2009/11/04/operations-manager-debugging-part-i-top-10-tools-for-developing.aspx
You've been hearing a lot about the Management Pack lately. That's not likely to change, especially if they keep putting out not only consistent, timely releases with new features, but awesome documentation and commentary along the way. Case in point, Joel Hendrickson put up a blog post this week about his Top 10 favorite tools for the kind of debugging he ends up doing often as a member of that team. Whether or not you're directly involved with the Management Pack, this is a very cool list. It's interesting to see him walk through each tool, what it does and in some cases how he uses them. I'm always a sucker for hearing a geek talk about … well … being a geek, and that's just what Joel's up to in this informative post. Take a look for all your code debugging needs.

pyControl Just as Happy on Linux
http://devcentral.f5.com/weblogs/jason/archive/2009/11/04/pycontrol-just-as-happy-on-linux.aspx
In response to the many questions asking about pyControl and whether or not it's viable as a Linux solution to iControl programming, Jason put together this tidy little post that not only answers the question (yes, by the way), but shows you just how to get started. This was a cool reminder to me not only of how awesome the pyControl project is, but of just how easy it can be to get started digging into iControl and all the cool things that it can do. With just a few commands, outlined in Jason's post, you can have an environment up and running, ready to start developing. I'm even more excited to see what's coming in pyControl2, whenever I get a chance to play with that. But that's a post for another day.

There you have it, five picks for this week that you just really should not miss. As always, don't be shy with your feedback, and check out previous versions here: http://devcentral.f5.com/Default.aspx?tabid=101

#Colin
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

This week not only are the examples cool and interesting, but one of them at least is extremely timely. You’ve no doubt heard about the client-initiated MITM attack for TLS that was recently disclosed. It’s front-page news around the web, and for good reason. While research needs to be done and a real fix needs to be put in place, one crafty community member was quick to draft up a simple fix to at least help mitigate their own issues. And in under 20 lines, no less. Here are this week’s offerings:

Simple traffic shaping
http://devcentral.f5.com/wiki/default.aspx/iRules/Simple_traffic_shaping.html
User JackofallTrades brings us a great example of iRules simplicity via the codeshare. If you’re looking for a way to send folks to different rateclasses based on their usage, this is one way you can get there. It’s highly customizable, too, since it’s an iRule.

when SERVER_DATA {
    set srvAge [IP::stats age]
    set srvBytes [IP::stats bytes in]
    # change 10000ms/10s to your desired time
    if {$srvAge > 10000 } {
        # change the received bytes threshold if needed
        if {$srvBytes > 3000000 } {
            # make sure you create the rate class
            rateclass bandHog
            #log local0. "Bandwidth Hog: [IP::client_addr] server bytes $srvBytes"
        }
    }
    #log local0. " [IP::client_addr]:[TCP::client_port] server age: $srvAge server bytes: $srvBytes"
}
Rewrite Host header to server name
http://devcentral.f5.com/wiki/default.aspx/iRules/rewrite_host_header_to_server_name.html
Hoolio's at it again with his latest codeshare entry. In this example he shows how you can rewrite the HTTP Host header to match the pool member the request is being sent to, using a data group keyed by server IP to look up the host name. Because the value comes from the selected server address and not from anything the client sent, the client can't steer the lookup. Fun stuff.

when RULE_INIT {
    # Set to 1 to enable debug logging. The data group name is an assumption:
    # it must be a class mapping "server_ip host_name", one entry per pool member.
    set ::host_debug 0
    set ::ip_to_host_class ip_to_host_class
}
when HTTP_REQUEST_SEND {
    # Need to force the host header replacement and HTTP:: commands into the clientside context
    # as the HTTP_REQUEST_SEND event is in the serverside context
    clientside {
        if {$::host_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]"}
        # Look up the selected server IP in the datagroup to get the host header value
        set host_header_value [findclass [LB::server addr] $::ip_to_host_class " "]
        if {$::host_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Looked up [LB::server addr], found: $host_header_value."}
        # Check if the lookup returned a value; leave the header alone if the server is unmapped
        if {$host_header_value ne ""}{
            # Replace the host header value
            HTTP::header replace Host $host_header_value
            if {$::host_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Replaced Host header with $host_header_value."}
        }
    }
}
Mitigating the TLS client-initiated renegotiation MITM attack
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86456&view=topic
Last but certainly not least, user Lupo comes to us with a simple yet hawesome iRule to show an easy way to put a stop to renegotiation MITM attacks in your environment, just so long as you have iRules handy and don't need to renegotiate your SSL connections. The logic is a counter: the first handshake on a connection is expected, and any second one is treated as a renegotiation and the client-side connection is closed. Keep in mind that this drops every second handshake, including legitimate ones such as a mid-session client certificate request, and that CLIENTSSL_HANDSHAKE only fires where the BIG-IP terminates SSL with a client SSL profile, so it does nothing for passthrough virtual servers. I love it when users share cool things they're doing. I love it even more when those cool things are timely, interesting, and almost certainly useful to many other people. Way to go Lupo, thanks for sharing. Note that this, as with all 20LoL entries, isn't tested/guaranteed/endorsed, etc. But it's pretty sound logic and I don't see any good reason it shouldn't work. Test it in your environment and see for yourself.

when CLIENT_ACCEPTED {
    # initialize TLS/SSL handshake count for this connection
    set sslhandshakecount 0
}
# if you have lower priority iRules on the CLIENTSSL_HANDSHAKE event, you have to make sure
# that they don't interfere with this iRule
when CLIENTSSL_HANDSHAKE priority 100 {
    # a handshake just occurred
    incr sslhandshakecount
    # is this the first handshake in this connection?
    if { $sslhandshakecount != 1 } {
        # log (rate limited) the event (to /var/log/tmm)
        log "\[VS [virtual] client [IP::client_addr]:[TCP::client_port]\]: TLS/SSL renegotiation occurred, dropping connection"
        # close the clientside connection
        TCP::close
    }
}
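The same "first handshake is fine, any later one is a renegotiation" rule can be checked passively, off the box, for anyone who can't run the iRule or wants to confirm what a client is doing on the wire. The Python below is an added example, not Lupo's code and not anything from F5; it parses the TLS 1.0-1.2 record layer of a client-to-server byte stream, reassembles plaintext handshake messages so a fragmented ClientHello counts once, and after the client's ChangeCipherSpec treats the first handshake record as Finished and every later handshake record as a renegotiation attempt (the renegotiation ClientHello is encrypted under the old keys, but its record type 22 is still visible). The sample streams, record builder and the 48-byte stand-in ciphertext are constructed for the example. It does not apply to TLS 1.3, which has no renegotiation and hides the real record type behind an application-data outer type.

```python
"""Passive per-connection TLS renegotiation detector (TLS 1.0-1.2 record layer)."""
import struct

CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HS_CLIENT_HELLO = 1


def parse_records(stream):
    """Split a raw byte stream into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, body))
        off += 5 + length
    return records


class ClientRenegotiationDetector:
    """Tracks one client->server stream; mirrors the iRule's $sslhandshakecount logic."""

    def __init__(self):
        self.handshakes = 0          # handshakes started by the client so far
        self.ccs_seen = False        # after the client's ChangeCipherSpec, handshake data is encrypted
        self.finished_seen = False   # first encrypted handshake record after CCS is Finished
        self._hs_buf = b""           # reassembly buffer for plaintext handshake messages
        self.verdict = "allow"

    def _count_plaintext_handshakes(self):
        # Handshake messages may span several records: reassemble before reading the type.
        while len(self._hs_buf) >= 4:
            msg_type = self._hs_buf[0]
            (msg_len,) = struct.unpack("!I", b"\x00" + self._hs_buf[1:4])
            if len(self._hs_buf) < 4 + msg_len:
                break
            if msg_type == HS_CLIENT_HELLO:
                self.handshakes += 1
            self._hs_buf = self._hs_buf[4 + msg_len:]

    def feed(self, record):
        """Consume one record; return the running verdict ("allow" or "drop")."""
        ctype, _version, body = record
        if ctype == CT_CHANGE_CIPHER_SPEC:
            self.ccs_seen = True
        elif ctype == CT_HANDSHAKE:
            if not self.ccs_seen:
                self._hs_buf += body
                self._count_plaintext_handshakes()
            elif not self.finished_seen:
                self.finished_seen = True
            else:
                # An encrypted handshake record after Finished can only be a renegotiation.
                self.handshakes += 1
        if self.handshakes > 1:
            self.verdict = "drop"
        return self.verdict

    def feed_stream(self, stream):
        for rec in parse_records(stream):
            self.feed(rec)
        return self.verdict


def check(stream):
    """Run the detector over a raw client->server byte stream; return (verdict, handshakes)."""
    det = ClientRenegotiationDetector()
    verdict = det.feed_stream(stream)
    return verdict, det.handshakes


# --- Constructed sample streams (not captured traffic) ---------------------------
def tls_record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake_msg(msg_type, payload):
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload


_CLIENT_HELLO = handshake_msg(HS_CLIENT_HELLO, b"\x03\x03" + b"\x11" * 32 + b"\x00" * 6)
_ENCRYPTED = b"\xaa" * 48   # stand-in ciphertext; contents are opaque to a passive observer

LEGIT_FLOW = (tls_record(CT_HANDSHAKE, _CLIENT_HELLO)
              + tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
              + tls_record(CT_HANDSHAKE, _ENCRYPTED)        # Finished
              + tls_record(CT_APPLICATION_DATA, _ENCRYPTED))

# Same session, then one more handshake record: a renegotiation ClientHello under the old keys.
RENEG_FLOW = LEGIT_FLOW + tls_record(CT_HANDSHAKE, _ENCRYPTED)

# A ClientHello fragmented across two records must still count as a single handshake.
FRAGMENTED_FLOW = (tls_record(CT_HANDSHAKE, _CLIENT_HELLO[:10])
                   + tls_record(CT_HANDSHAKE, _CLIENT_HELLO[10:])
                   + tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
                   + tls_record(CT_HANDSHAKE, _ENCRYPTED))

if __name__ == "__main__":
    for name, flow in (("legit", LEGIT_FLOW), ("renegotiation", RENEG_FLOW),
                       ("fragmented", FRAGMENTED_FLOW)):
        print(name, check(flow))
```

Like the iRule, this flags server-triggered renegotiation too (a HelloRequest from the server still makes the client send a second ClientHello), and it flags legitimate renegotiation just the same, so use the verdict as a signal to drop or alert according to what your applications actually need.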
There are three more awesome examples for you. 20 lines of code or less packed with all sorts of iRuley goodness to make your lives easier, better, faster or safer. How can you not love that? See you next time.
#Colin
Released into the wild, the DevCentral team is back from our week of being sequestered in a conference room discussing the meaning of life, the universe and everything. Well…everything as it pertains to DC, at least. We even rolled successfully to save against being mauled by zombies or turned into newts (hey…it's almost Halloween, gimme a break…). As such there is plenty of content to pore through this week, including a very cool talk with a newbie to the F5 family. As always I'll give you my picks and hope they serve you well. Here is the Top5 for this week:

Cast Your Vote for Best iRule for the 2009 Contest
http://devcentral.f5.com/weblogs/JeffB/archive/2009/10/29/6170.aspx
We're almost there! I'm sure some of you that were paying close attention have been looking at your calendars with all of the days marked off, waiting with bated breath for the announcement of the winners of this year's iRule Do You? contest. There is but one more person that needs to vote before we can be finished - you! We've made our picks, cast our ballots and bet on our respective ponies, as it were, and now it's time for the community to get involved. Take a minute to go look at the top 6 iRule entries this year. You'll get to feast your eyes on what people are doing with the coolest coding language in the networking world, then vote for your favorite to win the grand prize. Not only is this post informative, but it's interactive as well. Take a few minutes and go take a look at what the community is up to.

DevCentral Weekly Roundup Episode 109 - Branch Cache Chumby
http://devcentral.f5.com/weblogs/dcpodcast/archive/2009/10/29/devcentral-weekly-roundup-episode-109-branch-cache-chumby.aspx
It's all right, I have no idea what the heck "Branch Cache Chumby" means either. Regardless of the title, this week's podcast was very cool. We talked about a few of the usual things as well as Jeff mentioning the above post wherein the community gets to help steer the ship directly for a change, rather than indirectly. Most interesting of all, though, was the in-depth discussion that we had with the guest this week, F5's own James Hendergart. James is a relatively new player on the F5 team but he's got plenty of experience, so he comes across as anything but new. We talked at length about what he and the Business Development team are up to with Microsoft, ranging from SharePoint to Exchange to Branch Caching and beyond. It's always good to hear what other teams are up to and James has some definite passion about what he's doing, so it turned into a great talk. This one is worth a listen.

A First Look at the F5 PRO-Enabled Management Pack for Microsoft Virtual Machine Manager 2008
http://devcentral.f5.com/weblogs/jhendrickson/archive/2009/10/27/a-first-look-at-the-f5-pro-enabled-management-pack-for.aspx
Speaking of Microsoft, the guys on the Management Pack team are on a roll. They just keep dropping release after release with new, cool features for you to play with. In this post Joel Hendrickson, one of the devs on that team, walks through some of the new bells and whistles in their newest deployment. I love seeing what these guys are going to come up with next, and they haven't disappointed so far. If you've been following or have interest in the management pack at all, I think this is definitely worth a read.

To Take Advantage of Cloud Computing You Must Unlearn, Luke.
http://devcentral.f5.com/weblogs/macvittie/archive/2009/10/28/to-take-advantage-of-cloud-computing-you-must-unlearn.aspx
The unlearning Lori is talking about is all that knowledge you have about application scaling and sizing. It's common practice to over-supply resources for an application. You think the app needs x amount of CPU and y amount of RAM to comfortably run at normal operating levels? Great. Now go buy servers with 2-3x those resources so you can be sure that things are always running smoothly, even during spikes in usage. That might not sound so bad, but what if "x CPU and y RAM" ends up being 40 physical machines' worth once you've tripled it? Now scale that out across many applications and you start to see the problem that companies running their own infrastructure have often had to deal with. They have all this capacity going to waste a huge percentage of the time, but they have to have it for those 5 or 6 times a year when usage spikes. This, as Lori says, is one of the large draws of the cloud computing and virtualization model(s). There are a few hiccups, of course, if you treat your options for virtualized resources in the cloud the same as you always have your physical systems. Lori goes into much more depth in her post; I suggest you give it a read to find out more.

20 Lines or Less #30
http://devcentral.f5.com/weblogs/cwalker/archive/2009/10/30/20-lines-or-less-30.aspx
Back at it this week, the 20LoL is here with three more great iRules examples courtesy of the community. In this particular case when I say "community" I mean "hoolio". I didn't realize it until after I'd pulled all three examples that they all ended up being from one guy. That's less shocking, though, if you look at the 5,000+ posts Aaron has put out there for the iRulers worldwide. This week I grabbed a couple of good ones dealing with pre-loading search queries via HTTP redirects, even more fun with the ever popular nested switch statement, and updating Referer headers in-line. We're darn close to breaking 100 unique iRule examples under 21 lines of code in this series, and every week I love digging around to see what I can find that people are up to in just a few short commands. Take a look if you want to get some ideas on how to use small iRules to have a big impact.

That's it for this week. As always, check out previous versions here: http://devcentral.f5.com/Default.aspx?tabid=101 and don't be shy with your feedback. #Colin