Forum Discussion
Kai_Wilke
Jan 26, 2016 (MVP)
Hi Leo,
TCL pretty much loves repetitive code! It's way faster than using [proc] (a.k.a. procedures), [eval] (a.k.a. TCL code macros), or storing results in a variable and letting a later error handler perform the desired action.
But unfortunately humans don't like repetitive code. It's somewhat hard to maintain if you need to change it.
But your code has some potential to avoid the repetitive code while keeping identical performance. The trick would be to change the default action of your iRule to send the "Forbidden" response and [TCP::close] the connection, and just return early on the good actions. See the code below for an example of how this could be done...
Note: I guess the iRule below should be fine. But I haven't tested the iRule at all^^
when RULE_INIT {
    # Set environment domain
    set static::DOMAIN_ID ".mydomain"
    # Set debug logging on/off (0 for none, 1 for deny/error and 2 for all logging)
    set static::DEBUG 2
}

when HTTP_REQUEST {
    # Check if our customer exists
    if { [class match [string tolower [HTTP::host]] equals CUSTOMER_DGL] } {
        # Use the first string that comes before the environment domain to set our customer ID variable
        set CUSTOMER_ID [getfield [HTTP::host] $static::DOMAIN_ID 1]
        # Debug Logging
        if { $static::DEBUG == 2 } { log local0. "[virtual name] - Allow - Source IP [IP::client_addr] - The requested subdomain customer ID is:$CUSTOMER_ID" }
        # Set a variable to check for the customer ID resource DGL.
        # Note: use [set] rather than [append]; iRule variables live for the whole TCP connection,
        # so [append] would keep growing the name on every keep-alive request.
        set CUSTOMER_CLASS "[string toupper $CUSTOMER_ID]_RESOURCE_DGL"
        # Set a variable to check for the customer ID allowed source IP
        set WHITELIST_CLASS "[string toupper $CUSTOMER_ID]_WHITELIST_DGL"
        # Determine if the whitelist DGL exists
        if { [class exists $WHITELIST_CLASS] } {
            # Check if connection is from an allowed Source IP
            if { [class match [IP::client_addr] equals $WHITELIST_CLASS] } {
                # Debug Logging
                if { $static::DEBUG == 2 } { log local0. "[virtual name] - Allow - Source IP [IP::client_addr] - Is a permitted IP for customer $CUSTOMER_ID" }
                # Determine if the resource DGL exists
                if { [class exists $CUSTOMER_CLASS] } {
                    # If the resource DGL exists, look up the pool for the requested resource in a single
                    # lookup. [class match -value] returns an empty string when no key matches.
                    set POOLSELECTION [class match -value [string tolower [HTTP::uri]] starts_with $CUSTOMER_CLASS]
                    if { $POOLSELECTION ne "" } {
                        # A valid resource exists but the pool it references doesn't exist
                        if { [catch { pool $POOLSELECTION }] } {
                            # Debug Logging
                            if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Error - Source IP [IP::client_addr] - A pool named $POOLSELECTION doesn't exist for customer ID $CUSTOMER_ID and the resource [HTTP::uri]" }
                        # The pool exists
                        } else {
                            # Debug Logging
                            if { $static::DEBUG == 2 } { log local0. "[virtual name] - Allow - Source IP [IP::client_addr] - The pool selected was [LB::server]" }
                            # Stop processing the iRule event; this is the only path that skips the 403 below
                            return
                        }
                    # A valid resource and its associated pool don't exist
                    } else {
                        # Debug Logging
                        if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Deny - Source IP [IP::client_addr] - No pool was found for customer ID $CUSTOMER_ID and the resource [HTTP::uri]" }
                    }
                # The resource DGL doesn't exist
                } else {
                    # Debug Logging
                    if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Error - Source IP [IP::client_addr] - A DGL named $CUSTOMER_CLASS does not exist" }
                }
            # Request is not coming from an allowed source IP
            } else {
                # Debug Logging
                if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Deny - Source IP [IP::client_addr] - This IP isn't permitted for customer $CUSTOMER_ID" }
            }
        # The whitelist DGL doesn't exist
        } else {
            # Debug Logging
            if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Error - Source IP [IP::client_addr] - A DGL named $WHITELIST_CLASS does not exist" }
        }
    # Our customer doesn't exist
    } else {
        # Debug Logging
        if { $static::DEBUG >= 1 } { log local0. "[virtual name] - Deny - Source IP [IP::client_addr] - Blocked accessing HTTP host:[HTTP::host] - client does not exist" }
    }
    # Default action: every path that did not [return] above ends here.
    # Issue 403 response
    HTTP::respond 403 -version auto content "Forbidden" noserver
    # Gracefully close the connection here
    TCP::close
}
Cheers, Kai