I-rule help -route incoming traffic based on source subnet & URL contains string admin or intra

Dear users, I need your help to set up a specific configuration on a live environment. The purpose of this setting is to isolate the traffic (identified by IP source subnet & string match over the URI) from legitimate live traffic and forward (transparently for the user) this traffic to a specific pool. In a nutshell, all I want to do is catch traffic coming from a specific user/tester identified by its source IP and then evaluate whether the URL contains either "admin" or "intra". If IP & URI match, then forward this traffic to a dedicated pool. I would request assistance to modify the following code, along with logging, to match the strings admin & intra. If either of the strings matches, a dedicated cookie is to be inserted for persistence & the traffic routed to pool pool-alu_.com. As there is a large range of IP subnets, I would like to have the code modified to use a data group instead of having 192.0.0.0/8. The VIP has X-forwarded enabled.

when HTTP_REQUEST {
    if { [active_members "pool-alu_.com"] > 0 } {
        if { [IP::addr [IP::client_addr] equals 192.0.0.0/8] } {
            # need to match either admin or intra ... if the URI has either of the strings,
            # then insert a cookie abc123 & persist the sessions to the pool pool-alu_.com;
            # the cookie value should be encrypted after insert
            if { [string tolower [HTTP::uri]] contains "admin" } {
                pool pool-alu_.com
                return
            }
        }
    }
}

Thanks for your help

1
Comments on this Discussion
Comment made 21-Aug-2015 by Stephan Manthey 3803
Hi weblead, the F5 technology provides a huge amount of features right out of the box. Click and run, done. Even pretty complex requirements in http-environments can be solved by using http-classes / policy rules. Personally I prefer using iRules to get the most granular and predictable control over traffic. Using iRules requires an exact understanding both of the involved protocols and of TCL, including the extensions provided by F5. Getting used to iRules takes a while as the engineer's knowledge and skills around the protocols, traffic flow, event handling and scripting evolve. Even as I am writing iRules since 2002 I still start from scratch with each new iRule by analyzing the exact requirements, putting down a decision matrix and start to code step by step including comments and excessive logging. I used to figure out side effects not taken into account initially and this way the iRule improves step by step. DevCentral is of great help, as it provides not only detailed wiki pages including code samples, a well commented code share section, teaching articles and last but not least an incredible amount of threads around coding. DevCentral is a community but not a service organization. Stansilas, Vernon and all the others spend their spare time to support others to get up to speed, help to fix code, provide alternative solutions. Wonder why? They want to help and to share their knowledge. By the way, this is a pretty cool approach to improve and structure one's own knowledge. Love to think about and answer smart questions and see other people's knowledge gain. And my own. # Should I highlight the following? But very likely they do not to provide on demand services free of charge around the clock. # Thousands of threads on DevCentral prove that one gets a very relevant answer on a reasonable question. So if you are facing a complex requirement, break it in smaller pieces and solve them one after the other.
Read the wiki pages, read the articles and posts, do labs and if you cannot find the answer feel free to post a new question. If code is posted, it should be anonymized to protect your employer or your clients. Further, the input form allows proper code and text formatting. Following some well-known general guidelines helps the volunteers to get a quick understanding of the subject. That's it. DevCentral provides the tools and community support to solve requirements like this on your own. For everything else you will very likely involve well-trained F5 system integrators, contractors or last but not least F5's professional services (not cheap but they definitely know their stuff and get it done in time). Global regards, Stephan
1
Comment made 21-Aug-2015 by weblead 146
Stephan - Thanks for the advice! This doesn't sound good at all ... please refrain from such comments ... this isn't professionalism at all ... I haven't forced anyone ... it was always a request though to help ....
0
Comment made 22-Aug-2015 by Stephan Manthey 3803
Hi Sivani, thanks for the straight and open reply. I respect your opinion. So feel free to flag down my response (the button to the left) but do not be surprised if others see it as the right answer. It took me approximately an hour to put my response down in the most polite way my German nature and my knowledge of the language allows me. (It adds to the many hours I already spent in our side conversation on the same technical subject, which I gave up now.) I just tried to explain my perspective of how developing iRules and the give & take in DevCentral works. Maybe I am really wrong. Enjoy weekend & kind regards, Stephan
1
Comment made 22-Aug-2015 by Patrik Jonsson 3524
Well put Stephan. You sir, deserves an upvote!
1
Comment made 22-Aug-2015 by Stephan Manthey 3803
Thanks, mate & greetings to Sweden! :-)
0

Replies to this Discussion


I would request assistance in modifying the below piece of code to include the string match telesales along with salestool, so I would like to match either string salestool or telesales instead of only set uri_match [subst {salestool}] & then persist to the pool pool_telesales.alu.com_http using cookie tele_12345f706c656e6f766f. The original code, which is working with string match salestool, is below; I would like to include the string telesales as well, so that if either of the strings matches, the traffic goes to the telesales pool. Working code with URI evaluation salestool, which gives the desired outcome:


when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_alu_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match , no further processing"
    } else {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        set cookie_match [subst {tele_12345f706c656e6f766f}]
        log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_alu_telesales], uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_alu_telesales] but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
        } else {
            log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
            persist cookie insert ${cookie_match}
            pool pool_telesales.alu.com_http
            return
        }
    }
}


But as per the requirement I need to compare the string telesales along with salestool. If the source IP matches & the URI has either string salestool or telesales, the traffic should be routed to pool_telesales.alu.com_http. I modified the code by adding an elseif block to match the URI with the string telesales, but ended up with a syntax error & am unable to fix it.

Error during I-rule compilation- 01070151:3: Rule [irule_routingv] error: line 1: [parse error: missing close-brace: possible unbalanced brace in comment] [{ log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>" if { not [class match [IP::client_addr] equals class_alu_telesales] } { log local0. "client ip <[IP::client_addr]> does not match network of data-group class_alu_telesales, no further processing" } elseif { # set string to match in http uri set uri_match [subst {salestool}] set cookie_match [subst {tele_12345f706c656e6f766f}] #log local0. "client ip <[IP::client_addr]> matches network of ${class_alu_telesales}, uri will be evaluated versus <${uri_match}>" if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } { #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match

Line 19- if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_alu_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match network of data-group class_alu_telesales, no further processing"
    elseif {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        set cookie_match [subst {tele_12345f706c656e6f766f}]
        #log local0. "client ip <[IP::client_addr]> matches network of ${class_alu_telesales}, uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"
        }
    elseif {
        # set string to match in http uri
        set uri_match_tele [subst {telesales}]
        set cookie_match [subst {tele_12345f706c656e6f766f}]
        #log local0. "client ip <[IP::client_addr]> matches network of ${class_alu_telesales}, uri will be evaluated versus <${uri_match_tele}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match_tele}) or ([HTTP::cookie exists ${cookie_match}])) } {
            #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"
        }
    else {
        log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
        persist cookie insert ${cookie_match}
        pool pool_telesales.alu.com_http
        return
    }
}

0

Hi @weblead, looks like you have a few syntax issues in the code with missing braces as well as elseif statements without a condition. By adding the braces before the elseif's and then changing the elseif's to else's, it will compile. As for the logic, that's hard for me to verify.

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
    } else {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        set cookie_match [subst {tele_73686f706c656e6f766f}]
        #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"
        } else {
            # set string to match in http uri
            set uri_match_tele [subst {telesales}]
            set cookie_match [subst {tele_73686f706c656e6f766f}]
            #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match_tele}>"
            if { not (([string tolower [HTTP::uri]] contains ${uri_match_tele}) or ([HTTP::cookie exists ${cookie_match}])) } {
                #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"

            } else {
                log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
                persist cookie insert ${cookie_match}
                pool pool_telesales.dell.com_http
                return
            }
        }
    }
}

Hope this helps...

-Joe

0

This post is a bit confusing because I think there are two separate questions in there. @Joe I think has started an answer for the second; I'll try and tackle the first.

In your request, you ask to match when "the URL matches admin or intra", but you are using the term "URL" a bit loosely. A URL consists of the following parts:

scheme://user:password@host:port/xxx/yyy?aaa=bbb&ccc=ddd

The /xxx/yyy is the uri-path and everything starting with the question mark (?) are query parameters. Are you interested in matching "admin or intra" in the host part, the uri-path part and/or the query part? I assume it is the path part. If so, the string tolower should be unnecessary, since, strictly speaking, uri-paths are case-sensitive. Here's a stab:

when HTTP_REQUEST { 
    switch -glob [HTTP::path] {
        "*admin*" -
        "*intra*" {
            if { [active_members "pool-alu_.com"] > 0 and [IP::addr [IP::client_addr] equals 192.0.0.0/8] } {
                set condition_match 1
                persist cookie
                pool "pool-alu_.com"
            }
         }
     }
}

when HTTP_RESPONSE {
    if { [info exists condition_match] } {
        HTTP::cookie insert name abc123 value "some_value" path "your_path" domain "your_domain"
    }
}

I assume you intend to use Cookie Persistence on the match, and that you're fine using the default cookie persistence method. I assume that the insertion of the cookie abc123 is not related to Persistence and that you want to insert it on the server response.

0
Comments on this Reply
Comment made 14-Aug-2015 by weblead 146
Thanks! Joe & Veron for the response ... I am still stuck with the syntax issue ... No luck! No luck folks! Still tied up with syntax issues ... working piece of code I-rule A as below, which is matching string salestool & giving the desired outcome ... but we need to match the string telesales over the uri as well .... can anyone help me in modifying the code to replace this line set uri_match [subst {salestool}] to have both string telesales or salestool without having another else block so ....

******************************Irule A*************************************

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match , no further processing"
    } else {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        #the request is to match either string salestool or telesales in the request & persist to the pool pool_telesales.dell.com_http
        set cookie_match [subst {tele_19456f706c656e6f766f}]
        log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales], uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales] but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
        } else {
            log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
            persist cookie insert ${cookie_match}
            pool pool_telesales.dell.com_http
            return
        }
    }
    switch -glob [string tolower [HTTP::uri]] {
        "/" {
            #log local0. "redirecting from /"
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                #persist none
                HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
                #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
            } else {
                #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
                reject
            }
            return
        }
        "/iss_static*" {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                persist none
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
                #log local0. "Went to default, index 1 - Confarm pool"
            } else {
                #log local0. "Static pool entry for [virtual] not created yet"
                reject
            }
            return
        }
        default {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to default, index 0 - WEC pool"
            } else {
                #log local0. "Dynamic pool entry for [virtual] not created yet"
                reject
            }
            return
        }
    }
}

********************************************

***********while I am trying to modify the above I-rule for the first block to include the string telesales along with salestool (it would be an or condition if url has either of the string) when HTTP_RESPONSE for traffic filtering getting the following syntax issue as

Error - 01070151:3: Rule [irule234] error: line 29: [command is not valid in the current scope] [switch -glob [string tolower [HTTP::uri]] { "/" { if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } { #persist none HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2] } else { reject } return } "/iss_static*" { if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } { persist none pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1] #log local0. "Went to default, index 1 - abc pool" } else { #log local0. " pool entry for [virtual] not created yet" reject } return

..The other blocks of the I-rule remain untouched. If the outgoing traffic matches the IP subnet defined over the data group class_dell_telesales & request has the string “salestool” or “telesales” to be forwarded to the telesales-pool named pool_telesales.dell.com_http. If the client IP is okay the request will be tested for “telesales” or salestool or the persistence cookie tele_19456f706c656e6f766f

***************************************Irule B*****************************************************

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
    } else {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        set cookie_match [subst {tele_19456f706c656e6f766f}]
        #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"
        } else {
            # set string to match in http uri
            set uri_match_tele [subst {telesales}]
            set cookie_match [subst {tele_19456f706c656e6f766f}]
            #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match_tele}>"
            if { not (([string tolower [HTTP::uri]] contains ${uri_match_tele}) or ([HTTP::cookie exists ${cookie_match}])) } {
                #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
            } else {
                log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
                persist cookie insert ${cookie_match}
                pool pool_telesales.dell.com_http
                return
            }
        }
    }
}
switch -glob [string tolower [HTTP::uri]] {
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - static pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}
}
0

Can anyone review the info & help me in fix ....

0
Comments on this Reply
Comment made 14-Aug-2015 by weblead 146
Does anyone have a suggestion as to what I am doing wrong here? Can anyone reformat the I-rule & share? Thanks in advance!
0

For iRule A, you need to change the following section:

    set uri_match [subst {salestool}]
    
    #the request is to match either string salestool or telesales in the request & persist to the pool pool_telesales.dell.com_http
    set cookie_match [subst {tele_19456f706c656e6f766f}]
    log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales], uri will be evaluated versus <${uri_match}>"
    if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
        log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales] but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
    }

to this:

    log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales], uri will be evaluated versus <salestool or telesales>"
    if { not ([string tolower [HTTP::uri]] contains "salestool" or [string tolower [HTTP::uri]] contains "telesales" or [HTTP::cookie exists tele_19456f706c656e6f766f]) } {
        log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales] but uri <[HTTP::uri]> did not match or no cookie tele_19456f706c656e6f766f found, no further processing"
    }

(Notice that, in addition to the new conditional, I cut the two set commands completely and do not reference the variables that were created there).

Having said that, the code you provided has a number of issues.

Firstly, variables are used excessively. While, for coding in general, the use of variables is sensible because they reduce recomputation and can make code more readable, for iRules, variable assignment and expansion incurs cost that should be avoided whenever possible. iRules should always be optimized for speed, even at the expense of readability (though I'd argue that most of the variable assignments in your provided code block do not in fact make the code more readable, and generally, have the opposite effect).

Secondly, this pattern is commonly followed in the code:

set uri_match [subst {salestool}]

The subst is unnecessary. Mixed with the substitution operator, it incurs code with no benefit. This means exactly the same thing:

set uri_match "salestool"

Thirdly, variable expansions in your code are generally written this way:

${cookie_match}

While the squirrelly braces are not an issue per se, they're really only needed if the variable name contains characters that are ambiguous to the Tcl parser (like spaces). As long as one sticks to the good 'ole set [A-Za-z0-9_] for variable names, there is no need to use the braces. They are just extra visual noise.

Finally, for production code, local logging should always be completely avoided. It is costly. If logging is really needed, then you should employ High Speed Logging. In the case of your provided code, the logging makes it very hard to follow because the negation operators are generally used simply to provide a branch for logging.

0

I'm confused about iRule B and your concern. Does iRule B not work as it is written? Do you wish to add or change something about it?

You do write that "... when HTTP_RESPONSE for traffic filtering getting the following syntax issue ...". Did you try to move that code block to HTTP_RESPONSE? If so, you can't do that. Things like HTTP::uri are not available in HTTP_RESPONSE because an HTTP Response message has no request-uri. Those are part of an HTTP Request message only. If you want, for example, the request-uri in the HTTP_RESPONSE event, you must do something like this:

when HTTP_REQUEST {
    set request_uri [HTTP::uri]
}

when HTTP_RESPONSE {
    if { $request_uri contains "foo" } {
        ...
    }
}

In other words, you must save it to a variable (this is one of those cases where, in an iRule, a variable is necessary). Be mindful that variables are scoped to the connection in which they are declared/set, and their lifetime is that of the connection (unless they are explicitly unset).

Actually, almost everything you have in your block cannot execute in the scope of HTTP_RESPONSE. For example, you cannot call the pool command here because the load-balancing decision has not only been made, the server-side connection has occurred and the server side of the proxy has already received the HTTP headers from the response.

0
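Both compile errors quoted in this thread, `missing close-brace` reported at line 1 and `command is not valid in the current scope` at the `switch`, depend on where braces open and close. The following is an added example, not code from the thread or from F5: a small Python check that counts braces the way Tcl does inside a braced body (braces in comments included) and reports commands left outside any `when` block. The function name `lint_irule` is hypothetical, the three shortened sample rules are constructed from the shapes posted above, and it assumes only `when` and `proc` are valid at the top level of a rule.

```python
# Added example: brace and scope check for iRule source (not F5 tooling).
# Assumption: only these commands are treated as valid outside an event block.
TOP_LEVEL = {"when", "proc"}


def lint_irule(source):
    """Return [(line_no, kind), ...] describing brace and scope problems.

    Inside a braced body Tcl counts every unescaped { and }, including those
    in comments and quoted strings, so the same plain counting is used here.
    """
    findings = []
    open_lines = []  # stack holding the line number of each still-open "{"
    for no, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        at_top = not open_lines
        first = line.split()[0]
        if line.startswith("#"):
            if at_top:
                continue  # a comment outside any body is skipped whole
            if line.count("{") != line.count("}"):
                findings.append((no, "brace_in_comment"))
        elif first in ("else", "elseif"):
            # Tcl needs "} else {" on one line; a new line starts a new command
            findings.append((no, "dangling_else"))
        elif at_top and first not in TOP_LEVEL and not first.startswith("}"):
            findings.append((no, "stray_command"))
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == "\\":
                i += 2  # a backslash-escaped character is never a brace
                continue
            if ch == "{":
                open_lines.append(no)
            elif ch == "}":
                if open_lines:
                    open_lines.pop()
                else:
                    findings.append((no, "extra_close"))
            i += 1
    if open_lines:
        # report the outermost unclosed brace, as the quoted error does (line 1)
        findings.append((open_lines[0], "unclosed"))
    return findings


# Constructed sample: same brace shape as iRule B (one "}" too many before switch).
IRULE_B_SHAPE = '''when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        # no further processing
    } else {
        if { not ([string tolower [HTTP::uri]] contains "salestool") } {
            # no match
        } else {
            if { not ([string tolower [HTTP::uri]] contains "telesales") } {
                # no match
            } else {
                pool pool_telesales.dell.com_http
                return
            }
        }
    }
}
switch -glob [string tolower [HTTP::uri]] {
    default { reject }
}
}
'''

# Constructed sample: "elseif" on its own line with no closing brace before it.
MISSING_CLOSE = '''when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] contains "salestool" } {
        log local0. "salestool match"
    elseif {
        pool pool_telesales.dell.com_http
    }
}
'''

# Constructed sample: a commented-out line that still opens a brace.
COMMENT_BRACE = '''when HTTP_REQUEST {
    # if { [HTTP::uri] contains "old"
    pool pool_telesales.dell.com_http
}
'''

if __name__ == "__main__":
    for name in ("IRULE_B_SHAPE", "MISSING_CLOSE", "COMMENT_BRACE"):
        print(name, lint_irule(globals()[name]))
```
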

Thanks! For the revert ...irule a works and gives the desired outcome but it evaluates only salestool but as per requirement I need to put a filter to match either salestool or telesales ...so I added else block with match telesales and ended up with the error while trying to create irule B..i would request you to reformat the irule B to fix the syntax error and match string salestool and telesales to route to dedicated telesales pool...its source based routing matching source ip and string telesales or salestool.. The

0

Hi,

Your need seems to be simple, the iRule complicated...

Is the iRule only for specific IP addresses? Because the switch conditions are for all users... (out of the else statement)

If the iRule is only for specific addresses, the iRule must begin like:

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
        return
    } 

The "no further processing" log must be followed by return to leave the iRule. You can remove the else statement after that.

The pool selection must be done even if cookie persistence exists. The persistence is per pool.

If 2 pools are assigned in the iRule for 2 different requests to the same user, the cookie persistence cannot have the same name, because switching from one pool to another will override the previous cookie value.

0
Comments on this Reply
Comment made 15-Aug-2015 by weblead 146
Please note the so-called data group class_dell_telesales only contains the IP subnets that are allowed, but the strings "telesales" & salestool need to be matched over the I-rule .... The following piece of code works with string "salestool" in the request, but I would like to have the logic to match either salestool or telesales & then persist to the telesales pool. Can anyone please reformat the code to include the string telesales? ... I couldn't figure out how to modify line 7, which evaluates only the string salestool ...

# set string to match in http uri
set uri_match [subst {salestool}]

& ... can you please reformat the code & share

*********************

when HTTP_REQUEST {
    log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match , no further processing"
    } else {
        # set string to match in http uri
        set uri_match [subst {salestool}]
        #the request is to match either string salestool or telesales in the request & persist to the pool pool_telesales.dell.com_http
        set cookie_match [subst {tele_19456f706c656e6f766f}]
        log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales], uri will be evaluated versus <${uri_match}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
            log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales] but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
        } else {
            log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
            persist cookie insert ${cookie_match}
            pool pool_telesales.dell.com_http
            return
        }
    }
    switch -glob [string tolower [HTTP::uri]] {
        "/" {
            #log local0. "redirecting from /"
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                #persist none
                HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
                #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
            } else {
                #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
                reject
            }
            return
        }
        "/iss_static*" {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                persist none
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
                #log local0. "Went to default, index 1 - Confarm pool"
            } else {
                #log local0. "Static pool entry for [virtual] not created yet"
                reject
            }
            return
        }
        default {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to default, index 0 - WEC pool"
            } else {
                #log local0. "Dynamic pool entry for [virtual] not created yet"
                reject
            }
            return
        }
    }
}
0

I-rule logic – If the outgoing traffic matches the IP subnet defined in the data group class_dell_telesales & the request has the string “salestool” or “telesales”, it is to be forwarded to the telesales pool named pool_telesales.dell.com_http. If the client IP is okay, the request will be tested for “telesales” or “salestool” or the persistence cookie. If one or both of the conditions match, the telesales pool will be selected. A data group was preferred as the best solution in case there are continuous changes to the list of IP networks from the customer. While I tried to modify the code to include requests having the string “telesales” by adding another else block in addition to salestool, I encountered a syntax error.

******** I-rule with syntax error while adding else block to include logic for telesales ********
Line 29 is giving the syntax error while saving the I-rule. Please note lines 1-28 are the new logic which was included for traffic filtering for telesales or salestool. I am clueless how to modify line 7, set uri_match [subst {salestool}], to evaluate the string telesales (or condition).

*************I-rule with syntax issue *****************************
when HTTP_REQUEST {
log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
} else {
    # set string to match in http uri
    set uri_match [subst {salestool}]
    set cookie_match [subst {tele_13789f706c656e6f766f}]
    #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match}>"
    if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
        #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no furter processing"
    } else {
        # set string to match in http uri
        set uri_match_tele [subst {telesales}]
        set cookie_match [subst {tele_13789f706c656e6f766f}]
        #log local0. "client ip <[IP::client_addr]> matches network of ${class_dell_telesales}, uri will be evaluated versus <${uri_match_tele}>"
        if { not (([string tolower [HTTP::uri]] contains ${uri_match_tele}) or ([HTTP::cookie exists ${cookie_match}])) } {
            #log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"

        } else {
            log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
            persist cookie insert ${cookie_match}
            pool pool_telesales.dell.com_http
            return
        }
    }
}

}
switch -glob [string tolower [HTTP::uri]] {
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - app pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - static pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}
}


*******************working I-rule with only string salestool but no telesales ************
when HTTP_REQUEST {
log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    log local0. "client ip <[IP::client_addr]> does not match , no further processing"
} else {
    # set string to match in http uri
    set uri_match [subst {salestool}]

      #the request is to match either string salestool or telesales in the request & persist to the pool pool_telesales.dell.com_http
    set cookie_match [subst {tele_13789f706c656e6f766f}]
    log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales], uri will be evaluated versus <${uri_match}>"
    if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
     log local0. "client ip <[IP::client_addr]> matches network of [class match -name [IP::client_addr] equals class_dell_telesales] but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
    } else {
        log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
        persist cookie insert ${cookie_match}
        pool pool_telesales.dell.com_http
        return
    }
}
switch -glob [string tolower [HTTP::uri]] {
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - Confarm pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - WEC pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}

}


0

Hi,

Could you try the following irule:

when RULE_INIT {
   # create static variables instead of creating variable on each HTTP Request event
   set static::cookie_match "tele_13789f706c656e6f766f"
   # Log debug messages to /var/log/ltm ? 1=yes, 0=no
   set static::var_debug 1
}

when HTTP_REQUEST {
    if {$static::var_debug}{log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"}
    if {
        set is_ip_allowed 0
    } else {
        set is_ip_allowed 1
    }

    switch -glob [string tolower [HTTP::uri]] {
        "*salestool*" -
        "*telesales*" {
            if {$is_ip_allowed} {
                if {$static::var_debug}{log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
                persist cookie insert $static::cookie_match 0
                pool pool_telesales.dell.com_http
            } else {
                if {$static::var_debug}{log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
                reject
            }
        }
        "/" {
            #log local0. "redirecting from /"
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                #persist none
                HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
                #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
            } else {
                #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
                reject
            }
            return
        }
        "/iss_static*" {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                persist none
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
                #log local0. "Went to default, index 1 - Confarm pool"
            } else {
                #log local0. "Static pool entry for [virtual] not created yet"
                reject
            }
            return
        }
        default {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to default, index 0 - WEC pool"
            } else {
                #log local0. "Dynamic pool entry for [virtual] not created yet"
                reject
            }
            return
        }
    }
}

And please, when you post code, select the code and add a tab (or click on the code icon). It will be more readable...

0
Comments on this Reply
Comment made 15-Aug-2015 by weblead 146
Give me a few ...attempting this piece of code
0

While saving the I-rule I am getting a syntax error:

01070151:3: Rule [irule_pool_routing] error: line 10: [parse error: PARSE syntax 396 {syntax error in expression " set is_ip_allowed 0 ": variable references require preceding $}] [{ set is_ip_allowed 0 }] line 12: [undefined procedure: else] [else] line 12: [deprecated usage, use else or elseif] [ ]

0
Comments on this Reply
Comment made 15-Aug-2015 by Stanislas Piron 10677
Sorry for the mistake, remove the previous line... "if {"
0
Comment made 15-Aug-2015 by Stanislas Piron 10677
and replace it by: if { not [class match [IP::client_addr] equals class_dell_telesales] } {
0

The I-rule compiled w/o any error. Let me test the logic quickly & share the outcome.

0

Is this piece of code CPU insensitive? I guess it does not consume much LTM resources.

0

The pool member is 10.25.128.37:15080. The I-rule logic is failing to set the cookie to tele_13789f706c656e6f766f after the URL https://controller/e/web/salestool.workflow:Home is launched, so connections to the pool pool_telesales.dell.com_http aren't persistent & post login it's switching to the default pool. Subsequent requests to the pool pool_telesales.dell.com_http are to be persisted. The request is being routed to the default pool, which has the cookie 13789f706c656e6f766f.

Logs:

new incoming http request abc/salestool.workflow:Home>
Rule irule_pool_routing : client IP <10.21.21.10> matching allowed IP for URI abc/salestool.workflow:Home
...
server status (200) from 10.25.128.37:15080 for client 10.21.21.10:64548 requesting GET /controller/e/web/salestool.workflow:Home
server status (200) from 10.25.128.27:12070 for client 10.21.21.10:64549 requesting GET /ISS_Static/WW/site/scripts/modernizr.js

The request shouldn't switch to 10.25.128.27:12070, which is the default pool. The requirement is crystal clear. The purpose of this setting is to isolate the traffic (identified by IP source subnet & string match over the URI) from legitimate live traffic and forward (transparently for the user) this traffic to a specific pool, pool_telesales.dell.com_http. In a nutshell, all we want to do is catch traffic coming from a specific user/tester identified by its source IP and then evaluate whether the URL contains either "telesales" or "salestool". If the IP subnet & URI match, then forward this traffic to the dedicated pool pool_telesales.dell.com_http.

I-rule logic – If the outgoing traffic matches the IP subnet defined in the data group class_dell_telesales & the request has the string “salestool” or “telesales”, it is to be forwarded to the telesales pool named pool_telesales.dell.com_http & the sessions are to be persisted to the pool pool_telesales.dell.com_http by the dedicated cookie tele_13789f706c656e6f766f. If the client IP is okay, the request will be tested for “telesales” or “salestool” or the persistence cookie. If one or both of the conditions match, the telesales pool will be selected.

0

Replace the first test with:

if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    set is_ip_allowed 0
} else {
    set is_ip_allowed 1
    if {[HTTP::cookie exists $static::cookie_match]} {
        persist cookie insert $static::cookie_match
        pool pool_telesales.dell.com_http
    }
}
0

Thanks, Stanislas! I would wait for your fix to set the cookie when the IP & URI match with the string "telesales" or "salestool" in the incoming request. Is there any opportunity to fine-tune the following piece of code, which is working & logging, to include the URL evaluation with the string set uri_match [subst {salestool}]?

Can set uri_match [subst {salestool}] be modified to match either string salestool or telesales?

Logs for the below I-rule:

client ip <106.206.155.141> new incoming http request https://controller/e/web/salestool.workflow:Home
client ip <106.206.155.141> matches network of 106.206.155.141/32, uri will be evaluated versus
Went to pool telesales due to matching client IP <106.206.155.141> and URI controller/e/web/salestool.workflow:Home> or matching persistence cookie
request from 106.206.155.141:27012 forwarded to: member 10.25.128.37:15080 of pool pool_telesales.dell.com_http

The logs for the above I-rule indicate salestool is being matched. We just need to modify the code to match telesales in the following logic.

*****I-rule working but no match for string telesales

when HTTP_REQUEST {
log local0. "client ip <[IP::client_addr]> new incoming http request <[HTTP::uri]>"
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
} else {
    # set string to match in http uri
    set uri_match [subst {salestool}]
    #Can the above line be modified to match either string salestool or telesales
    set cookie_match [subst {tele_13789f706c656e6f766f}]
    # name of the data-group entry the client IP matched, used in the log lines below
    set network_match [class match -name [IP::client_addr] equals class_dell_telesales]
    log local0. "client ip <[IP::client_addr]> matches network of ${network_match}, uri will be evaluated versus <${uri_match}>"
    if { not (([string tolower [HTTP::uri]] contains ${uri_match}) or ([HTTP::cookie exists ${cookie_match}])) } {
        log local0. "client ip <[IP::client_addr]> matches network of ${network_match} but uri <[HTTP::uri]> did not match or no cookie ${cookie_match} found, no further processing"
    } else {
        log local0. "Went to pool telesales due to matching client IP <[IP::client_addr]> and URI <[HTTP::uri]> or matching persistence cookie"
        persist cookie insert ${cookie_match}
        pool pool_telesales.dell.com_http
        return
    }
}

switch -glob [string tolower [HTTP::uri]] {
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - Confarm pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - WEC pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}

}

************************************Logs for above I-rule indicating salestool is being matched ...we just need to modify the code to match telesales ***************

client ip <106.206.155.141> new incoming http request https://controller/e/web/salestool.workflow:Home
client ip <106.206.155.141> matches network of 106.206.155.141/32, uri will be evaluated versus
Went to pool telesales due to matching client IP <106.206.155.141> and URI controller/e/web/salestool.workflow:Home> or matching persistence cookie

0

I modified the code as below. When I launch the URL https://controller/e/web/salestool.workflow:Home the telesales cookie tele_13789f706c656e6f766f is being assigned, but the subsequent request isn't resending the telesales cookie & is switching to the default pool. There seems to be some issue with the logic, & it needs to be modified to persist to the pool pool_telesales.dell.com_http once the cookie is set after the HTTP request when the IP matches & the URL also matches the string telesales or salestool.

Logs from the current run are below, where the subsequent request for the telesales user is being served from 10.25.128.27:12070, which is a default pool member, as the persistence is failing & the request isn't resending the dedicated telesales cookie, as seen via Fiddler:

: client IP <10.21.21.10> matching allowed IP for URI /salestool.workflow:Home
request received from client: 10.21.21.10:60491 GET /salestool.workflow:Home HTTP/1.1
server status (200) from 10.25.128.37:15080 for client 10.21.21.10:60491 requesting GET /salestool.workflow:Home
server status (200) from 10.25.128.27:12070 for client 10.21.21.10:60493 requesting GET /ISS_Static/WW/wci2/us/en/pixeltags


when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    set is_ip_allowed 0
} else {
    set is_ip_allowed 1
    if {[HTTP::cookie exists $static::cookie_match]} {
        persist cookie insert $static::cookie_match
        pool pool_telesales.dell.com_http
    }
}

switch -glob [string tolower [HTTP::uri]] {
    "*salestool*" -
    "*telesales*" {
        if {$is_ip_allowed} {
            if {$static::var_debug}{log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
            persist cookie insert $static::cookie_match 0
            pool pool_telesales.dell.com_http
        } else {
            if {$static::var_debug}{log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
            reject
        }
    }
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - Confarm pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - WEC pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}

}

0
Comments on this Reply
Comment made 15-Aug-2015 by Stanislas Piron 10677
Add the following command after the pool assignment: return. It will ignore the following code.
0

Please confirm the following. Can you please also include logging in the HTTP_REQUEST event to write the cookie value for each request, along with the URI match, to the log, so that we can nail down the issue? Earlier it was reported: "This request did not send any cookie data".

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}
when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    set is_ip_allowed 0
} else {
    set is_ip_allowed 1
    if {[HTTP::cookie exists $static::cookie_match]} {
        persist cookie insert $static::cookie_match
        pool pool_telesales.dell.com_http
        return
    }
}

switch -glob [string tolower [HTTP::uri]] {
    "*salestool*" -
    "*telesales*" {
        if {$is_ip_allowed} {
            if {$static::var_debug}{log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
            persist cookie insert $static::cookie_match 0
            pool pool_telesales.dell.com_http
            return

        } else {
            if {$static::var_debug}{log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
            reject
        }
    }
0

I tested this code, and it works exactly as I would expect. When I make the following request from an IP in the datagroup class_dell_telesales:

curl http://<vs_ip>/salestool

The HTTP Response message includes this header:

Set-Cookie: tele_13789f706c656e6f766f=3369208330.20480.0000; path=/

That is, it sets a session-scoped cookie. It is the responsibility of the user-agent to resubmit the cookie on subsequent requests. The cookie is passed along to the server, as well. Here is the flow:

[1]  CLIENT [GET /salestool] [no cookie] ---> BIG-IP
[2]                                           BIG-IP  [GET /salestool] [no cookie] ---> SERVER
[3]                                           BIG-IP  <--- [no set-cookie] ------------ SERVER
[4]  CLIENT <--- [includes set-cookie] ------ BIG-IP

[5]  CLIENT [GET /] [includes cookie] ------> BIG-IP
[6]                                           BIG-IP  [GET /] [includes cookie] ------> SERVER

Do you wish for the BIG-IP to send the cookie to the SERVER in step [2]?

0
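The Set-Cookie value quoted in the answer above uses BIG-IP's default, unencrypted cookie-insert encoding, in which the value carries the selected pool member's IPv4 address and port as byte-reversed decimal numbers. The plain Tcl procedure below is an added example (not code from the thread; the procedure name is made up here) that decodes such a value, which shows what every client holding the cookie can read from it and why encrypting it is worth considering.

```tcl
# Added example: decode a BIG-IP cookie-insert persistence value of the
# form <ip>.<port>.0000 (IPv4 pool member, default route domain).
proc decode_bigip_cookie {value} {
    set parts [split $value "."]
    if {[llength $parts] != 3} {
        error "unexpected cookie format: $value"
    }
    foreach {ip_enc port_enc tail} $parts break
    if {![string is digit -strict $ip_enc] || ![string is digit -strict $port_enc]} {
        error "non-numeric field in: $value"
    }

    # Address: the four octets are stored least-significant byte first,
    # so shifting the number right 8 bits at a time yields a.b.c.d in order.
    set octets {}
    for {set i 0} {$i < 4} {incr i} {
        lappend octets [expr {(wide($ip_enc) >> (8 * $i)) & 0xff}]
    }

    # Port: a 16-bit number with its two bytes swapped.
    set port [expr {(($port_enc & 0xff) << 8) | (($port_enc >> 8) & 0xff)}]

    return "[join $octets .]:$port"
}

# Value taken from the Set-Cookie header quoted in the answer above.
puts [decode_bigip_cookie "3369208330.20480.0000"]
```

For the value quoted above this prints 10.10.210.200:80, the address and port of the pool member that served the request.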

Thanks, Stanislas, for the help. As the cookie tele_13789f706c656e6f766f is being set via the I-rule, can we look to encrypt the cookie from the load balancer to the client (end user) via the I-rule? If we decide to do so, what will be the performance impact?

0

Stanislas/Vernon/John/Joe - the I-rule seems to be giving the desired outcome when the user starts the page as https://shop.dell.com/controller/salestool.workflow:Home, but the condition fails when the user takes the alternate route by accessing http://shop.dell.com/laptops & then accesses the salestool workflow, which sets the cookie as 13789f706c656e6f766f, inserted by the persistence profile tied to the VIP. I would request someone to help me by sharing modified code to compare the cookie value in the HTTP_REQUEST event. The condition should be: if the IP matches, check the URI for the string telesales or salestool & the cookie value 13789f706c656e6f766f. If the cookie value is 13789f706c656e6f766f, then remove the cookie 13789f706c656e6f766f & assign tele_13789f706c656e6f766f to persist to pool_telesales.dell.com_http. As of now I am seeing multiple cookies, as the default cookie 13789f706c656e6f766f isn't being deleted when the user accesses http://shop.dell.com/laptops, which sets the cookie as 13789f706c656e6f766f. After that, even though the user accesses salestool, it has not deleted the present cookie linked to the default pool; ideally it should delete & reassign. Can anyone help in modifying the first block, when HTTP_REQUEST, to have the cookie evaluation? If the cookie exists, then compare cookie value==13789f706c656e6f766f; if the cookie matches, then delete the present cookie 13789f706c656e6f766f when the IP & URI match & assign the cookie tele_13789f706c656e6f766f to be routed to the telesales pool pool_telesales.dell.com_http. Code as below:

0

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
if { not [class match [IP::client_addr] equals class_dell_telesales] } {
    set is_ip_allowed 0
} else {
    set is_ip_allowed 1
    if {[HTTP::cookie exists $static::cookie_match]} {
        persist cookie insert $static::cookie_match
        pool pool_telesales.dell.com_http
        return ;#added
    }
}

switch -glob [string tolower [HTTP::uri]] {
    "*salestool*" -
    "*telesales*" {
        if {$is_ip_allowed} {
            if {$static::var_debug}{log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
            persist cookie insert $static::cookie_match 0
            pool pool_telesales.dell.com_http
        } else {
            if {$static::var_debug}{log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
            reject
        }
    }
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - Confarm pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - WEC pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}

}


0

Another issue was noticed: it's unable to evaluate the source IP, as the requests are being routed via Edgecast, which is translating the IPs. Can anyone help in modifying the above I-rule to match the source IP when the requests are being routed via EDGECAST & SNAT is enabled on the VIP? In addition to that, I would request to modify the code in HTTP_REQUEST to check whether the cookie exists; if it exists & the cookie value==13789f706c656e6f766f & the URI has the string telesales or salestool, then delete the cookie 13789f706c656e6f766f & assign the cookie tele_13789f706c656e6f766f, which is for the telesales pool. Any help would be appreciated.

0

The user can access the telesales workflow directly or indirectly. The I-rule works for Use case1 but fails for Use case2, as it's assigning multiple cookies (the default cookie 13789f706c656e6f766f isn't being deleted).

Use case1 - direct page: https://shop.dell.com/dellPortal/en_US/salestool.workflow:Home
Use case2 - the user accesses the My account page https://shop.dell.com/web/dellPortal/account.workflow:StartMyAccount & then accesses salestool.

When the user takes Use case1, that's inserting the default cookie 13789f706c656e6f766f by the persistence profile, & when the user accesses salestool or telesales it's not deleting the present cookie & is inserting an additional cookie for telesales, tele_13789f706c656e6f766f, as the URI matches. The I-rule is failing to compare the source IP as we have the VIP with SNAT enabled, so I would request to modify the code for the HTTP_REQUEST event as when HTTP_REQUEST {HTTP::header insert X-Forwarded-For [IP::remote_addr]}. As the requests are being routed via the proxy Edgecast, the source IP comparison is failing, as seen below. Please help fix the code.

Logs - Line 56600: Aug 20 00:08:58 local/tmm info tmm[5239]: Rule irule_pool_routing : Reject : client IP <192.30.4.159> not matching allowed IP for URI

0

Hi,

Why do you need to remove a cookie?

There is no problem having both the 13789f706c656e6f766f and tele_13789f706c656e6f766f cookies.

As HTTP_REQUEST works with the TCP source address of the client, SNAT does not change anything in the irule behavior.

If the user is sometimes behind a proxy, you need to ask the proxy to insert an X-Forwarded-For header and modify the irule to add an IP address condition on the X-Forwarded-For value.

And please, look at the preview below to format your comments... each time, this is unreadable.

0
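One way to add the X-Forwarded-For condition described in the reply above, as an added example that is not code from the thread. It assumes a hypothetical address-type data group dg_trusted_proxies holding the proxy's egress addresses, assumes the proxy appends the address it saw as the last X-Forwarded-For entry, and handles IPv4 only; the header is honoured only when the TCP peer is a listed proxy, because any client can send the header itself. The default-pool switch from the thread is left out.

```tcl
when RULE_INIT {
    set static::cookie_match "tele_13789f706c656e6f766f"
}

when HTTP_REQUEST {
    # The TCP peer address is the only value the sender cannot choose.
    set client_ip [IP::client_addr]

    # Look at X-Forwarded-For only when the peer is one of the proxy's own
    # egress addresses. dg_trusted_proxies is a hypothetical data group;
    # a header arriving from any other peer is ignored.
    if { [class match $client_ip equals dg_trusted_proxies] } {
        set xff_values [HTTP::header values "X-Forwarded-For"]
        if { [llength $xff_values] > 0 } {
            # Assumption: the proxy appends the address it received the
            # connection from, so the last entry of the last header is the
            # one it vouches for. Earlier entries were supplied by the
            # client and must not drive an access decision.
            set candidate [string trim [lindex [split [lindex $xff_values end] ","] end]]
            # Keep the candidate only if it parses as an IPv4 address.
            if { [catch { IP::addr $candidate mask 255.255.255.255 }] } {
                log local0. "ignoring unparsable X-Forwarded-For from proxy <[IP::client_addr]>"
            } else {
                set client_ip $candidate
            }
        }
    }

    if { not [class match $client_ip equals class_dell_telesales] } {
        # Not a telesales source: no further processing in this rule.
        return
    }

    set uri [string tolower [HTTP::uri]]
    if { [HTTP::cookie exists $static::cookie_match] or ($uri contains "salestool") or ($uri contains "telesales") } {
        log local0. "telesales pool for client <$client_ip> via peer <[IP::client_addr]> uri <[HTTP::uri]>"
        # Pool and persistence are selected together.
        persist cookie insert $static::cookie_match 0
        pool pool_telesales.dell.com_http
        return
    }
}
```

Logging both the evaluated address and the TCP peer makes it visible in /var/log/ltm when a decision was based on the header rather than on the connection.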

Thanks! Yes, there is a problem. 13789f706c656e6f766f belongs to the default pool but tele_13789f706c656e6f766f belongs to the telesales pool. When the user accesses an indirect URL, e.g. http://shop.dell.com/us/laptops/, this goes to the default pool & assigns the cookie 13789f706c656e6f766f. In the subsequent request, when the user accesses https://shop.dell.com/dellPortal/en_US/salestool.workflow:Home, the logic is breaking, as the request is routing to the default pool having two cookies, 13789f706c656e6f766f as well as tele_13789f706c656e6f766f. Ideally it has to evaluate the cookie when the IP matches & the URI has the string telesales or salestool. If the cookie exists & equals 13789f706c656e6f766f, then delete it & assign the cookie tele_13789f706c656e6f766f to route to the telesales pool to persist the subsequent requests.

0

Sorry, Stanislas, as I am unable to demonstrate here. I hope you'll try to go through the notes and help modify the first block of code to have cookie evaluation and source IP match when SNAT is enabled for the VIP and the requests are being routed via the proxy Edgecast.

0

The cookie 13789f706c656e6f766f does not force the use of the default pool!

It only specifies that if the default pool is selected, there is persistence to a pool member.

That's why I always add both the pool and the persist cookie selection together.

0

I would request you to help in fixing that bug in the code and have the cookie evaluation added to the logic. We have two issues: 1. The true client source IP address is not evaluated because the connections to the F5 are having the source IP address changed by an Edgecast CDN. 2. Upon the second request by the client a second cookie is being set. I want to delete the first cookie (13789f706c656e6f766f) if it exists, and set the cookie to tele_13789f706c656e6f766f.

The iRule is failing to evaluate the source IP, as seen from the logs. The true client source IP address is not evaluated because the connections to the F5 are having the source IP address changed by an Edgecast CDN. Although I did see that the HTTP profile set up on the VIP has X-Forwarded enabled, for LTM to pass the original client IP in a custom HTTP header in requests to the pool members which, in our case, happen to be web servers (IIS) but not to shop pool members. Is there any other mechanism to modify the event when HTTP_REQUEST to get the true client IP and evaluate it against the values available in the data group class_dell_telesales?

0

Hi,

The X-Forwarded enabled in the profile will not help you, as the X-Forwarded-For header must be set by the EdgeCast proxy.

If the EdgeCast proxy adds the X-Forwarded-For header, you can modify the iRule to check the IP address.

For the cookie, why do you want to delete it? This will not change the browser behavior.

To do this, we need to add in the response a new cookie value with an expiry date before local time.

The following iRule does what you expect (if EdgeCast adds the X-Forwarded-For header):

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    set static::cookie_default "13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
if { (not [class match [IP::client_addr] equals class_dell_telesales]) && (not [class match [HTTP::header value "X-Forwarded-For"] equals class_dell_telesales]) } {
    set is_ip_allowed 0
} else {
    if {[HTTP::cookie exists $static::cookie_default]} {
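        # HTTP::respond takes header name/value pairs, so the redirect target is passed as the Location header
        HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]" Connection close Set-Cookie "$static::cookie_default=deleted;secure;expires=Thu, 01 Jan 1970 00:00:00 GMT"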
        return
    }
    set is_ip_allowed 1
    if {[HTTP::cookie exists $static::cookie_match]} {
        persist cookie insert $static::cookie_match
        pool pool_telesales.dell.com_http
        return
    }
}

switch -glob [string tolower [HTTP::uri]] {
    "*salestool*" -
    "*telesales*" {
        if {$is_ip_allowed} {
            if {$static::var_debug} {log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
            persist cookie insert $static::cookie_match 0
            pool pool_telesales.dell.com_http
        } else {
            if {$static::var_debug} {log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
            reject
        }
    }
    "/" {
        #log local0. "redirecting from /"
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            #persist none
            HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
            #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
        } else {
            #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
            reject
        }
        return
    }
    "/iss_static*" {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            persist none
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
            #log local0. "Went to default, index 1 - Confarm pool"
        } else {
            #log local0. "Static pool entry for [virtual] not created yet"
            reject
        }
        return
    }
    default {
        if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
            pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
            #log local0. "Went to default, index 0 - WEC pool"
        } else {
            #log local0. "Dynamic pool entry for [virtual] not created yet"
            reject
        }
        return
    }
}
# close the HTTP_REQUEST event
}
0
Comments on this Reply
Comment made 21-Aug-2015 by weblead 146
Thanks, Stanislas, for your help!
0
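
The X-Forwarded-For condition discussed in the reply above, as an added example that is not part of the thread: the header is honoured only when the TCP peer is the CDN, and only its last entry is used, because any client can send its own X-Forwarded-For value. The data group `dg_cdn_egress` is hypothetical, and the example assumes the CDN appends the address it saw as the last entry.

```tcl
when HTTP_REQUEST {
    # Start from the TCP peer address; it is the only value the client cannot choose.
    set client_ip [IP::client_addr]

    # Honour X-Forwarded-For only on connections that really come from the CDN.
    # dg_cdn_egress is a hypothetical address data group listing the CDN's egress networks.
    if { [class match [IP::client_addr] equals dg_cdn_egress] && [HTTP::header exists "X-Forwarded-For"] } {
        # A request may carry several X-Forwarded-For headers and comma-separated lists.
        # Assumption: the CDN appends the address it saw, so only the last entry is
        # trustworthy; everything before it was supplied by the client side.
        set xff_all [join [HTTP::header values "X-Forwarded-For"] ","]
        set candidate [string trim [lindex [split $xff_all ","] end]]
        # IP::addr raises an error on input that is not an address (IPv4 mask used here).
        if { ![catch { IP::addr $candidate mask 255.255.255.255 }] } {
            set client_ip $candidate
        } else {
            log local0. "Ignoring malformed X-Forwarded-For entry from [IP::client_addr]"
        }
    }

    # Same allow-list as in the thread, applied to the address chosen above.
    set is_ip_allowed [class match $client_ip equals class_dell_telesales]

    switch -glob [string tolower [HTTP::uri]] {
        "*salestool*" -
        "*telesales*" {
            if { $is_ip_allowed } {
                persist cookie insert "tele_13789f706c656e6f766f" 0
                pool pool_telesales.dell.com_http
            } else {
                log local0. "Reject : client IP <$client_ip> (peer [IP::client_addr]) not matching allowed IP for URI [HTTP::uri]"
                reject
            }
        }
    }
}
```

Logging both the derived address and the TCP peer makes it visible in /var/log/ltm which of the two the decision was based on.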

Didn't request for 302. Can you please fine-tune the code to have a condition: when the IP matches and the URL has telesales or salestool, check for the cookie; if the cookie value equals 13789f706c656e6f766f, then remove the cookie, insert the cookie tele_13789f706c656e6f766f and persist to the telesales pool. Can you please modify the earlier code to have something like the following? Ideally, when the IP matches class_dell_telesales and the URL has salestool or telesales, then check for cookie existence. If the cookie value == 13789f706c656e6f766f, remove the cookie and persist cookie insert tele_13789f706c656e6f766f to persist to the pool pool_telesales.dell.com_http.

if { [HTTP::cookie exists "13789f706c656e6f766f"] } {
    HTTP::cookie remove "13789f706c656e6f766f"
    persist cookie insert "tele_13789f706c656e6f766f"
}

0

Hi,

Can you try yourself instead of requesting others to do it for you???

I helped you and provided you with one solution to remove the cookie: redirect the user to the same URL with an expiration date that has already passed... the browser will remove the cookie...

As the cookie is added by the browser on every request, there are two ways to remove it:

  • HTTP redirect, which is the simplest way
  • add the HTTP_RESPONSE event and set the same expiration date for this cookie. With this solution, we need to create a variable which is checked in the HTTP_RESPONSE event to remove it.
0
Comments on this Reply
Comment made 22-Aug-2015 by weblead 146
Thanks, Stanislas, for helping me till ... I am testing the code.
0
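
The second option listed in the reply above (expiring the cookie from HTTP_RESPONSE instead of redirecting), as an added example that is not part of the thread. It assumes the default persistence cookie was set with `path=/`; a browser drops a cookie only when the expiring Set-Cookie matches the original cookie's name, path and domain.

```tcl
when HTTP_REQUEST {
    # Reset on every request: variables live for the whole connection (keep-alive).
    set expire_default_cookie 0

    if { [class match [IP::client_addr] equals class_dell_telesales] } {
        switch -glob [string tolower [HTTP::uri]] {
            "*salestool*" -
            "*telesales*" {
                if { [HTTP::cookie exists "13789f706c656e6f766f"] } {
                    # This only strips the cookie from the request sent to the server;
                    # the browser still holds it and will send it again.
                    HTTP::cookie remove "13789f706c656e6f766f"
                    # Remember to expire it in the browser when the response goes out.
                    set expire_default_cookie 1
                }
                # Pool and persistence are selected together, as recommended in the thread.
                persist cookie insert "tele_13789f706c656e6f766f" 0
                pool pool_telesales.dell.com_http
            }
        }
    }
}

when HTTP_RESPONSE {
    if { $expire_default_cookie } {
        # Same name, an expiry date in the past: the browser deletes its copy.
        # path=/ is an assumption about how the original cookie was issued.
        HTTP::header insert "Set-Cookie" "13789f706c656e6f766f=deleted; path=/; secure; expires=Thu, 01 Jan 1970 00:00:00 GMT"
    }
}
```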

Please help with the modification, as the 302 doesn't work and isn't giving the desired outcome: I could see multiple cookies, 13789f706c656e6f766f and tele_13789f706c656e6f766f, and application calls receiving 302.

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        set is_ip_allowed 0
    } else {
        set is_ip_allowed 1
        if {[HTTP::cookie exists $static::cookie_match]} {
            persist cookie insert $static::cookie_match
            pool pool_telesales.dell.com_http
            return ;# added
        }
    }
    switch -glob [string tolower [HTTP::uri]] {
        "*salestool*" -
        "*telesales*" {
            if {$is_ip_allowed} {
                if {$static::var_debug} {log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
                persist cookie insert $static::cookie_match 0
                pool pool_telesales.dell.com_http
            } else {
                if {$static::var_debug} {log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
                reject
            }
        }
    }
}

0

Can anyone help with this? When the IP matches, check the URL for the string telesales or salestool. If the URL has either, check for the cookie 13789f706c656e6f766f. If it exists, remove the cookie 13789f706c656e6f766f and persist cookie insert tele_13789f706c656e6f766f.

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "tele_13789f706c656e6f766f"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        set is_ip_allowed 0
    } else {
        set is_ip_allowed 1
        if {[HTTP::cookie exists $static::cookie_match]} {
            persist cookie insert $static::cookie_match
            pool pool_telesales.dell.com_http
            return ;# added
        }
    }
    switch -glob [string tolower [HTTP::uri]] {
        "*salestool*" -
        "*telesales*" {
            if {$is_ip_allowed} {
                if {$static::var_debug} {log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
                persist cookie insert $static::cookie_match 0
                pool pool_telesales.dell.com_http
            } else {
                if {$static::var_debug} {log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
                reject
            }
        }
        "/" {
            #log local0. "redirecting from /"
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                #persist none
                HTTP::respond 301 Location [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 2]
                #pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to root ( / ), index 0 - WEC pool after index 2 url set with 301"
            } else {
                #log local0. "Static pool entry for xxxx[LB::server pool] not created yet"
                reject
            }
            return
        }
        "/iss_static*" {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                persist none
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri] ","] 1]
                #log local0. "Went to default, index 1 - Confarm pool"
            } else {
                #log local0. "Static pool entry for [virtual] not created yet"
                reject
            }
            return
        }
        default {
            if { [class match [virtual] equals dg_set_default_pools_and_root_uri ] } {
                pool [lindex [split [class match -value [virtual] equals dg_set_default_pools_and_root_uri ] ","] 0]
                #log local0. "Went to default, index 0 - WEC pool"
            } else {
                #log local0. "Dynamic pool entry for [virtual] not created yet"
                reject
            }
            return
        }
    }
}

0

Stanislas, I request your assistance to fix ...

0

Tried the following piece of code, but this isn't deleting the cookie either:

when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals class_dell_telesales] } {
        log local0. "client ip <[IP::client_addr]> does not match network of data-group class_dell_telesales, no further processing"
    } else {
        if { [string tolower [HTTP::uri]] contains "salestool" or [string tolower [HTTP::uri]] contains "telesales" } {
            pool pool_telesales.dell.com_http
        }
        if { [HTTP::cookie exists "13789f706c656e6f766f"] } {
            HTTP::cookie remove "13789f706c656e6f766f"
            persist cookie insert "tele_13789f706c656e6f766f"
        }
    }
}

0

Can anyone help fix the code for cookie evaluation, and delete and reassign the cookie?

0

@weblead: DevCentral is a community-driven forum for providing help and experience -- largely from F5 customers -- for F5 products. It is not a substitute for consulting services. Given that your request doesn't appear straight-forward to resolve, I strongly recommend that you contact your local F5 account team, and discuss your requirements with them. Your account SE may be able to assist you or connect you with F5 Professional Services for consulting help.

0
Comments on this Reply
Comment made 21-Aug-2015 by weblead 146
Vernon, thanks for the advice.
0

I agree with Vernon.

Some more advice:

  • Going around and hijacking other people's posts in a forum is generally considered bad manners. Especially when you have already gotten help from people.
  • Please try to format the iRules properly. That would make people more inclined to help as well as it makes your posts readable.

Mark your iRule and click the button seen in the picture below:

Image Text

0
Comments on this Reply
Comment made 22-Aug-2015 by Patrik Jonsson 3524
And of course, good luck! :)
0
Comment made 22-Aug-2015 by weblead 146
Thanks! Patrik
0

Hi Sivani,

You started on this forum by writing on other questions to request help... I hesitated to answer because it is not good manners...

First error: I answered and tried to help you. I added a comment twice to ask you to format the code uploaded, because the first thing I needed to do before helping you was to add newlines...

You never understood it...

I published a solution and you got a problem... Instead of searching why, you requested to correct it.

When you requested to remove the cookie:

  • I asked you why you really need to remove it: no answer
  • I published a solution using an HTTP redirect: you answered "didn't request for 302". I explained why I did it... it seems you did not understand this is the best solution.

Now, you sent me a LinkedIn invitation; unfortunately, I accepted it and now you send me requests by email... it's a joke...

Now it's enough, I won't help you anymore. Forget me! For your information, if you had managed this question better, more people might have helped you and you might have a working solution.

The goal of this forum is to ask for help sometimes, help other F5 experts, and share experience...

I will help you one last time:

Search yourself how to resolve why the 302 is not working!!!

If you are not able to correct it yourself, request F5 professional services.

0