BIG-IP

BIG-IP Configuration Object Naming Conventions

Jason Rahm — Mon, 28 Nov 2011 23:19:02 GMT

George posted an excellent blog on hostname nomenclature a while back, but something we haven’t discussed much in this space is a naming convention for the BIG-IP configuration objects. Last week, DevCentral community user Deon posted a question on exactly that. Sometimes there are standards just for the sake of having one, but in most cases, and particularly in this case, having standards is a very good thing. Señor Forum, hoolio, and MVP hamish weighed in with some good advice.

[app name]_[protocol]_[object type]

Examples:

www.example.com_http_vs
www.example.com_http_pool
www.example.com_http_monitor

As hoolio pointed out in the forum, each object now has a description field, so the metadata capability is there to establish identifying information (knowledge base IDs, troubleshooting info, application owners), but having an object name that is quickly searchable and identifiable to operational staff is key. Hamish had a slight alternative format for virtuals:

[fqdn]_[port]

For network virtuals, I’ve always made the network part of the name, as hamish also recommends in his guidance:

network VS's tend to be named net-net.num.dot.ed-masklen. e.g. net-0.0.0.0-0 is the default address. Where they conflict (e.g. two defaults depending on src clan, it gets an extra descriptor between net- and the ip address. e.g. net-wireless-0.0.0.0-0 (Default network VS for a wireless VLAN). I don't currently have any network VS's for specific ports. But they'd be something like net-0.0.0.0-0-port

Your Turn

What standards do you use? Share in the comments section below, or post to the forum thread.

Technorati Tags: F5 DevCentral,Standards,Nomenclature,BIG-IP,George Watkins,Jason Rahm,hoolio,hamish

Stop that F5 Key From Refreshing the Page

Jason Rahm — Wed, 16 Nov 2011 22:08:23 GMT

No, not “us” F5, the F5 key on the keyboard. You know, the one you hit relentlessly to refresh the page (well, the one I hit relentlessly during NFL games to update my fantasy football stats). Anyway, I was perusing the forums today, trying to catch up from a week attending our very excellent annual sales conference, and I noticed a thread that had to be shared.

The Question

Is there a way of preventing users from using the F5 button to refresh a web page? – DevCentral user ringoseagull (nice handle, btw!)

The Solution

F5er and very active forum patrolman nitass posted back within 30 minutes with a solution, featuring iRules of course! We’ve seen javascript insert iRules before, but this is a pretty handy use case, so I thought I’d share.

when HTTP_REQUEST {
STREAM::disable
if {[HTTP::version] eq "1.1"} {
    if { [HTTP::header is_keepalive] } {
      HTTP::header replace "Connection" "Keep-Alive"
    }
    HTTP::version 1.0
}
}
when HTTP_RESPONSE {
if {[HTTP::header Content-Type] starts_with "text/"} {
    STREAM::expression "@</\[Hh]\[Ee]\[Aa]\[Dd]>@<script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>@"
    STREAM::enable
}
}
when STREAM_MATCHED {
STREAM::disable
}

This iRule uses the stream profile to find the head tag and insert the javascript necessary to control the F5 keycode behavior. Curl testing shows the javascript successfully delivered:

[root@ve1023:Active] config # curl -i http://172.28.65.152
HTTP/1.1 200 OK
Dat e: Fri, 11 Nov 2011 15:24:33 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head><script language=javascript>function document.onkeydown() { if (event.keyCode==116) { event.keyCode=0; event.cancelBubble=true; return false; } }</script></head>
<body>
This is 101 host.
</body>
</html>

Nice work, nitass!

Related Articles

Technorati Tags: F5 DevCentral,iRules,Jason Rahm

So Yeah, Regex is Bad

Jason Rahm — Wed, 22 Jun 2011 21:12:00 GMT

Don’t get me wrong, regex is awesome, and entirely useful—sometimes it’s the only option, it’s just not the best tool of choice for wire speed applications. Often the sys-admin and network type converts to BIG-IP will find the regexp tcl command and go that route because it’s familiar. If that describes you, please let me introduce you to a couple more appropriate commands:

scan
string

These two commands will cover a great percentage of regexp’s use cases, and will save significant resources on the system. Don’t buy it? Here’s an example:

% set ip "10.10.20.200"

10.10.20.200

% time { scan $ip {%d.%d.%d.%d} a b c d} 10000

2.1713 microseconds per iteration

% time {regexp {([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})} $ip matched a b c d} 10000

34.2604 microseconds per iteration

Two approaches, same result. The time to achieve that result? The scan command bests regexp by far. I’ll save you the calculation…that’s a 93.7% reduction in processing time. 93.7 percent! Now, mind you, the difference between 2 and 34 microseconds will be negligible to an individual request’s response time, but in the context of a single system handling hundreds of thousands or even millions of request per second, the difference matters. A lot.

Thanks to (who else?) hoolio for the example. For other optimization considerations, check out the iRules Optimization 101 series.

Related Articles

Technorati Tags: F5 DevCentral,regex,regexp,scan,string,tcl,iRules,performance,Jason Rahm

Changing the BIG-IP Default Syslog-NG Facilities

Jason Rahm — Mon, 20 Jun 2011 15:44:26 GMT

DevCentral community member geffr had a problem. The BIG-IP Application Security Manager module logs to the local3 facility but he needs to send them to the local7 facility on a remote server. Before giving up entirely, he posted to this thread in the Monitoring & Management group forum, where user nitass helped him jump through the syslog-ng hoops (click here for tips & tricks on syslog-ng) to the working solution posted below. It’s pretty straight forward. Define a template, a filter, and a destination, and then put the pieces together in a log statement.

b syslog include '"

filter f_local3a {
facility(local3);
};

template t_asm {
template(\"<190> $MSGHDR$MSG\n\");
template_escape(no);
};

destination d_loghost5a {
udp(\"2.2.2.2\" port (514) template(t_asm));
};

log {
source(local);
filter(f_local3a);
destination(d_loghost5a);
};

"'

Note: The b syslog include ‘ “ “ ‘ wrapper around the custom configuration is merely for importing the configuration, it’s note part of the configuration itself.

Related Articles

LTM 9.4.2+: Custom Syslog Configuration > DevCentral > F5 ...

setting up syslog? - DevCentral - F5 DevCentral > Community ...

DevCentral Wiki: Syslog NG Email Configuration

Configuring syslog-ng to email messages > DevCentral > F5 ...

Syslog Priority Translation > DevCentral > F5 DevCentral > Tech Tips

Deb Allen - syslog

Customizing syslog-ng f_local0 filter - DevCentral - F5 DevCentral ...

Syslog locally and remote with specific facility level ...

Duplicate syslog traffic to multiple destinations - DevCentral ...

Custom syslog-ng facility - DevCentral - F5 DevCentral > Community ...

Technorati Tags: F5 DevCentral,BIG-IP,ASM,Application Security Manager,syslog,syslog-ng,Jason Rahm

BIG-IP Configuration Conversion Scripts

Jason Rahm — Mon, 28 Mar 2011 16:06:35 GMT

Two of our biggest internal contributors, Kirk Bauer and John Alam, are at it again with a handful of perl scripts aimed at easing your migration from some of the “other guys” to BIG-IP. While they aren’t going to map every nook and cranny of the configurations to a BIG-IP feature, they will get you well along the way, taking out as much of the human error element as possible. I built a few pages in the Advanced Design & Configuration wiki to host these scripts.

Migrating from Cisco ACE, CSM, or CSS

Migrating from Citrix Netscaler

Migrating from Radware

Obviously with these being perl scripts you’ll need a copy of perl, or just load the script on your BIG-IP and do the migration there!
Related Articles

DevCentral Wiki: Perl

If Radware Succeeds in Purchasing Alteon, Will Anyone Care?

64-bit numbers in perl

DevCentral Wiki: Perl Ltm Config To Xml

GTM Network Map - Perl - DevCentral - F5 DevCentral > Community ...

DevCentral Wiki: CSS To BIGIP Conversion Script

Perl script to parse Siebel lbconfig.txt file update for BIG-IP ...

Convert Cisco CSS config to Big IP 3600 - DevCentral - F5 ...

Perl script to dump API response->result - DevCentral - F5 ...

Cisco CSS cookie persistency - DevCentral - F5 DevCentral ...

another potential 64 bit conversion issue in perl - DevCentral ...

DevCentral Wiki: Radware

CSS Config to F5 Config - DevCentral - F5 DevCentral > Community ...

Technorati Tags: F5 DevCentral,BIG-IP LTM,Perl,Migration,Jason Rahm,John Alam,Kirk Bauer

IP::addr and IPv6

Jason Rahm — Wed, 23 Mar 2011 15:26:50 GMT

Did you know that all address internal to tmm are kept in IPv6 format? If you’ve written external monitors, I’m guessing you knew this. In the external monitors, for IPv4 networks the IPv6 “header” is removed with the line:

IP=`echo $1 | sed 's/::ffff://'`

IPv4 address are stored in what’s called “IPv4-mapped” format. An IPv4-mapped address has its first 80 bits set to zero and the next 16 set to one, followed by the 32 bits of the IPv4 address. The prefix looks like this:

0000:0000:0000:0000:0000:ffff: (abbreviated as ::ffff:, which looks strickingly simliar—ok, identical—to the pattern stripped above)

Notation of the IPv4 section of the IPv4-formatted address vary in implementations between ::ffff:192.168.1.1 and ::ffff:c0a8:c8c8, but only the latter notation (in hex) is supported. If you need the decimal version, you can extract it like so:

% puts $x
::ffff:c0a8:c8c8
% if { [string range $x 0 6] == "::ffff:" } {
scan [string range $x 7 end] "%2x%2x:%2x%2x" ip1 ip2 ip3 ip4
set ipv4addr "$ip1.$ip2.$ip3.$ip4"
}
192.168.200.200

Address Comparisons

The text format is not what controls whether the IP::addr command (nor the class command) does an IPv4 or IPv6 comparison. Whether or not the IP address is IPv4-mapped is what controls the comparison. The text format merely controls how the text is then translated into the internal IPv6 format (ie: whether it becomes a IPv4-mapped address or not). Normally, this is not an issue, however, if you are trying to compare an IPv6 address against an IPv4 address, then you really need to understand this mapping business. Also, it is not recommended to use 0.0.0.0/0.0.0.0 for testing whether something is IPv4 versus IPv6 as that is not really valid a IP address—using the 0.0.0.0 mask (technically the same as /0) is a loophole and ultimately, what you are doing is loading the equivalent form of a IPv4-mapped mask. Rather, you should just use the following to test whether it is an IPv4-mapped address:

if { [IP::addr $IP1 equals ::ffff:0000:0000/96] } { log local0. “Yep, that’s an IPv4 address” }

These notes are covered in the IP::addr wiki entry. Any updates to the command and/or supporting notes will exist there, so keep the links handy.

Related Articles

F5 Friday: 'IPv4 and IPv6 Can Coexist' or 'How to eat your cake ...

Service Provider Series: Managing the ipv6 Migration

IPv6 and the End of the World

No More IPv4. You do have your IPv6 plan running now, right ...

Question about IPv6 - BIGIP - DevCentral - F5 DevCentral ...

Insert IPv6 address into header - DevCentral - F5 DevCentral ...

Business Case for IPv6 - DevCentral - F5 DevCentral > Community ...

We're sorry. The IPv4 address you are trying to reach has been ...

Don MacVittie - F5 BIG-IP IPv6 Gateway Module

Technorati Tags: F5 DevCentral,iRules,IPv6,IP::addr,class,Jason Rahm

Microsoft Exchange 2010 iRule Workflow Visualized

Jason Rahm — Tue, 15 Mar 2011 16:04:01 GMT

F5’s own John Alam sent over his latest Visio creation to share with the DevCentral community. This diagram details the workflow of the comprehensive exchange services iRule described in the Microsoft Exchange 2010 Deployment Guide. Enjoy.

For visio, pdf, png, & svg versions of this image, click here.

Related Articles

Microsoft Exchange 2010: HELO New Architecture

Webcast - Microsoft Exchange Server Availability And Scalability

Exchange Persistence Duality and iRules > DevCentral > F5 ...

How Microsoft deployed Exchange Server 2010 with hardware load ...

Planning an Exchange Migration? - DevCentral - F5 DevCentral ...

Exchange 2010 with F5 BIG-IP and Dell Article Published

devconnections 2010: Attendee discusses Exchange and Cloud Computing

F5 with mixed Exchange 2007 and 2010 Client Access Servers ...

Trying to implement Exchange 2010 - DevCentral - F5 DevCentral ...

Exchange 2010 Monitors for LTM - DevCentral - F5 DevCentral ...

Exchange 2010/LTM10.2 RPC mail delivery delay ? - DevCentral - F5 ...

Exchange 2010 Global address list issue - DevCentral - F5 ...

F5 solution for Microsoft Exchange

DevCentral Weekly Roundup | Audio Podcast - Exchange

Exchange 2007 - What Type of SSL certificate required (single ...

Technorati Tags: F5 DevCentral,iRules,Visio,Exchange,Exchange 2010,Jason Rahm,John Alam

Mitigate Java Vulnerability with iRules

Jason Rahm — Thu, 03 Feb 2011 16:28:28 GMT

I got a request yesterday morning to asking if there was a way to drop HTTP requests if a certain number was referenced in the Accept-Language header. The user referenced this post on Exploring Binary. The number, 2.2250738585072012e-308, causes the Java runtime and compiler to go into an infinite loop when converting it to double-precision binary floating-point. Not good. Twitter is ablaze on the issue, and there is a good discussion thread on Hacker News as well. So how do you stop it? At first, this appeared to be a no-brainer, just copy that string and drop if found in that header, right? Well, there’s a catch. A few actually. This number can be represented in many ways:

Decimal point placement => 0.00022250738585072012e-304

Leading Zeroes => 00000000002.2250738585072012e-308

Trailing Zeroes => 2.225073858507201200000e-308

Leading Zeroes in the Exponent => 2.2250738585072012e-00308

Superfluous Digits past digit 17 => 2.2250738585072012997800001e-308

String match seemed the perfect fit for this as I need a few wildcards to sort this out. I started in the Tcl shell just to make sure all the use cases matched:

% set a "Accept-Language: en-us;q=2.2250738585072012e-308"

Accept-Language: en-us;q=2.2250738585072012e-308

% set b "Accept-Language: en-us;q=0.00022250738585072012e-304"

Accept-Language: en-us;q=0.00022250738585072012e-304

% set c "Accept-Language: en-us;q=00000000002.2250738585072012e-308"

Accept-Language: en-us;q=00000000002.2250738585072012e-308

% set d "Accept-Language: en-us;q=2.225073858507201200000e-308"

set e "Accept-Language: en-us;q=2.2250738585072012e-00308"

Accept-Language: en-us;q=2.225073858507201200000e-308

% Accept-Language: en-us;q=2.2250738585072012e-00308

% set f "Accept-Language: en-us;q=2.2250738585072012997800001e-308"

Accept-Language: en-us;q=2.2250738585072012997800001e-308

% string match *2*2250738585072012* [lindex [split [lindex [split $a "="] 1] "e"] 0]

1

% string match *2*2250738585072012* [lindex [split [lindex [split $b "="] 1] "e"] 0]

1

% string match *2*2250738585072012* [lindex [split [lindex [split $c "="] 1] "e"] 0]

1

% string match *2*2250738585072012* [lindex [split [lindex [split $d "="] 1] "e"] 0]

1

% string match *2*2250738585072012* [lindex [split [lindex [split $e "="] 1] "e"] 0]

1

% string match *2*2250738585072012* [lindex [split [lindex [split $f "="] 1] "e"] 0]

1

For the first attempt at an iRule, I looked only at the Accept-Language header and replaced the lindex/split mess with getfield:

when HTTP_REQUEST {

set num [getfield [getfield [HTTP::header "Accept-Language" "=" 2] "e" 1]

if { [string match *2*2250738585072012* $num] } {

drop

}

}

Using the Firefox Modify Headers plugin, I was able to confirm the desired behavior. However, it was brought to my attention that any header could contain this, so I reworked the iRule to look at all headers:

when HTTP_REQUEST {

foreach header [HTTP::header names] {

if { [string match *2*2250738585072012* [HTTP::header $header]] } {

drop

return

}

}

}

The Solution (UPDATED!)

And finally, hoolio (of course!) suggested that if I’ve looking at all the headers, why not just use HTTP::request and match against that. Duh. So that simplifies significantly.

~~when HTTP_REQUEST {~~

~~if { [string match *2*2250738585072012* [HTTP::request]] } {~~

~~drop~~

~~return~~

}

}

So that worked for all the cases except for the decimal point placement when trending right as Balbus pointed out in the comments below. An update to the string match recommended by hoolio drives the CPU slightly harder in that it also requires a string map command, but still not so much as the foreach loop.

when HTTP_REQUEST {

if { [string match "*2225073858507201*" [string map {. ""} [HTTP::request]]] } {

drop

return

}

}

From an efficiency standpoint, the final (revised) rule was 3x (still) more efficient that the foreach loop on a BIG-IP 3900. Hopefully this helps more until a patch is available, or at least the vulnerability can be mitigated in the applications. Consider this a living post as I’m sure there are additional attack vectors I haven’t considered.

Technorati Tags: F5 Devcentral,iRules,string match,Java,Java Vulnerability,DBL_MIN,2.2250738585072012e-308,Exploring Binary,Jason Rahm

iRules Community Spotlight: Same Segment Load Balancing

Jason Rahm — Thu, 19 Aug 2010 15:57:16 GMT

This has been a perplexing issue for many users. How do you introduce an intermediary (LTM going forward) between client and server when in the same network segment? It’s easy when the LTM sits at gateways, but within a segment, it doesn’t work that well without some help. Why? Well, with tcp-based connection-oriented protocols, a handshake (consisting of a client syn packet, a server syn-ack packet, and a server ack packet) sets up the connection. When you introduce the LTM, a problem arises:

Client –> syn –> BIG-IP

BIG-IP –> syn-ack –> Client

Client –> ack –> BIG-IP

BIG-IP –> syn –> Server

Server –> syn-ack –> Client

Client –> reset –> Server

Do you see the problem? It’s actually in the step prior to the reset. Because the server and client are on the same segment, the server sees the client’s source IP, and because it is local, sends an arp (if not already cached) and then forwards directly to the client, bypassing the BIG-IP. The client then resets this connection because it has no established service with the server. So how do you address this issue? Enter address translation. By translating the client’s source address before sending traffic to the server, the BIG-IP ensures that the server relays the responses back through it before forwarding on to the client. The downside here, however, is that now the server cannot see the client source address, which impacts reporting and potentially some functionality. With HTTP, this is easily addressed with the X-Forwarded-For header, but it’s problematic for other protocols.

Check out this thread, it’s a great discussion on some of the issues and solutions for same segment load balancing. BTW, some of the other names for this deployment are VIP Bounceback, BIG-IP on a Stick, and One-Armed Configuration.

Technorati Tags: F5 DevCentral,BIG-IP,iRules,Jason Rahm

Benefits of Desktop Virtualization

Jason Rahm — Fri, 09 Jul 2010 12:56:54 GMT

There is an abundance of mature desktop virtualization solutions that are outright free or at least reasonable. From VMware’s Workstation (at cost after 30-day trial, but entirely worth it) to Oracle’s VirtualBox and Microsoft’s Virtual PC, you can get started in literally minutes. Why would you want to?

Trivial backups. Tired of losing a drive and having to restore first the OS, then the applications, and finally your files? Once everything is hosted on a virtual disk, keeping that backed up frequently means a physical disk failure costs you only the time to restore the hardware OS and your virtualization. Major time saver. For enterprise environments, this also makes hardware changes for employees a cinch. New desktop? A single file copy and a short vm configuration, and the IT folks can move on to something more important.

Snapshots prior to patching, new applications. Ever had an antivirus or OS patch destroy your system? Snapshot your virtual machine prior to making changes, and if anything goes wonky, simply revert to the last snapshot.

Minimal, purposeful systems for online banking (or remote vpn access, shopping, etc). Do you know the malware that threads its tentacles into your system over time from browsing the internet? Keep one virtual machine that has nothing installed except the browser and plugins necessary to do your banking and investing, and once you’re done, shutting down the virtual machine restores it to original state so any potential malware threats are eliminated.

For the geeks in the audience (all of you?), quick test setups with teaming (VMware Desktop for sure, check on the others). Don had a great article on this relating to a BIG-IP LTM VE test setup. This is great becuase you mock up complete test environments and spin them together, but only when you need them. With several linux-based appliances, you can get virtual switches, routers, firewalls, lamp servers, all purpose-built and ready to go for your test environments.

Run nothing on the host OS except the hypervisor and antivirus. This ensures a minimal rebuild time should there be a failure. My exceptions to this rule are audio/video tools like skype, jing, camtasia, and iTunes. Lest you think I’ll need a file rebuild for iTunes, that library is off box anyway.

There are far more benefits, but these are the ones that jump out at me. Assuming you’re on windows, you can convert your physical disk to virtual with disk2vhd, another great tool from the Sysinternals team. Note that if you plan to use Virtual PC, you’ll need to resize the drive to less than 127G with diskpart and then tell the drive it has shrunk as well with a tool like VHD Resizer. If you want to use VMware Workstation, you’ll need an additional step that converts the drive from vhd format to vmdk with a tool like WinImage.

Technorati Tags: F5 DevCentral,Virtualization,Desktop Virtualization,VMware Workstation,Virtualbox,VirtualPC,WinImage,disk2vhd,SysInternals,diskpart,VHD Resizer,Don MacVittie,Jason Rahm