
Cookie persistence + i-rule "switch" command question.

Hi all. I am facing a problem with a strange behavior. I've got 1 virtual server where cookie persistence (cookie insert) is used as the primary method and source IP address as a fallback. On this VS an iRule is used in order to allow access to specific paths.

when HTTP_REQUEST {
    # Lower-case the URI so the glob patterns match case-insensitively
    set lowCaseURI [string tolower [HTTP::uri]]
    if { [HTTP::host] equals "mysite" } {
        switch -glob $lowCaseURI {
            "/api/test1/*" -
            "/api/test2/*" {
                log local0. "permit"
                pool test
            }
            "/home/myhome.asmx*" {
                log local0. "permit2"
                pool home
            }
        }
    } else {
        drop
        log local0. "drop"
    }
}

The issue is that when someone accesses, for example, the /api/test1 URL, the user is then able to access other URLs under api as well, such as /api/test12345/ok. What we observed is that if someone goes directly to /api/test12345/ok, the iRule works and the request is not allowed. In my mind it is something related to the persistence, but even if we delete the cookie, source address is the fallback. Does anyone know why this is happening? Is the event default drop missing from the switch command?

Thanks


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

"/api/test1/*" does not match /api/test12345/ok.

You must have an HTTP profile to use that iRule, so every HTTP request will trigger the iRule. If you use the pool commands as you are doing, that overwrites the persistence.

Comments on this Answer
Comment made 05-Mar-2018 by HG 341

Hi Leonardo. You are right. We also use an HTTP profile associated with this VS. There are also no pools associated with this VS. The issue described above only happens when a user successfully accesses one of the allowed URIs. After that, when the user tries to access /api/test12345/ok, the iRule is not triggered and the user is able to access it, which is something strange.

Comment made 05-Mar-2018 by Leonardo Souza 3174

OK, now it makes sense.

The user gets the persistence in the first request. Even if the second does not run the pool command, the user will get the page because of the persistence.

Add a default to the switch with a drop.

https://devcentral.f5.com/wiki/irules.switch.ashx

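The fix suggested in the last comment, written out as an added example (not code posted by anyone in the thread): the same iRule with a `default` branch, so a URI that matches no allowed pattern is dropped explicitly instead of falling through the `switch`. The host name and pool names are taken from the question; the log message wording and the `IP::client_addr` fields are assumptions added for troubleshooting.

```tcl
# Added example: default-deny version of the iRule from the question.
when HTTP_REQUEST {
    # Normalise once so the glob patterns can be written in lower case.
    set lowCaseURI [string tolower [HTTP::uri]]

    if { [HTTP::host] equals "mysite" } {
        # "--" ends option parsing; good practice when the switch string
        # comes from the client.
        switch -glob -- $lowCaseURI {
            "/api/test1/*" -
            "/api/test2/*" {
                log local0. "permit"
                pool test
            }
            "/home/myhome.asmx*" {
                log local0. "permit2"
                pool home
            }
            default {
                # No allowed pattern matched: deny here, so the request is
                # never forwarded on the strength of an earlier permitted one.
                log local0. "drop (uri not allowed) client=[IP::client_addr] uri=$lowCaseURI"
                drop
            }
        }
    } else {
        log local0. "drop (unexpected host) client=[IP::client_addr] host=[HTTP::host]"
        drop
    }
}
```

With the `default` branch in place, every request ends in exactly one of three outcomes (pool `test`, pool `home`, or `drop`), and the `local0` log shows which one was taken for each request.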