Another FSE iRules Challenge, Even More Surprising Results

I have an awesome job. I get to play with cool technology, with good people, at an awesome company, and actually don’t get in trouble for doing so. I get to blend writing and talking and blathering on endlessly to anyone that will listen with completely geeking out and diving into the nuts and bolts of things to see what makes things work. This doesn’t suck.

One of the things that doesn’t suck the most is getting to kick on the light bulb for people that haven’t quite gotten their hands around our programmability technologies just yet. F5 is laden with opportunities to get your script on. From iRules to iControl to iCall and TMSH scripting, there is no shortage of opportunities to get down and dirty with some code. That being said, not everyone is up to speed on such things yet and I take particular joy in being able to help them connect the wires, get the first flickers of that “Holy crap this stuff is cool!” halogen, and then go on their merry.

Lucky as I am, what with the awesome job and all, I get many opportunities for just such interactions. More seasoned readers may be familiar with the one on which today’s post is focused, the FSE challenge. I haven’t posted one of these in a little bit so let’s have a refresher from days of yore.

First off, What is an FSE?

An FSE is a Field Sales Engineer. FSEs are the engineering lifeblood of the sales force here at F5. They’re the ones out in the trenches dealing with customer requirements and issues, building real world solutions, and generally doing all the cool stuff that I get to talk about theoretically, but in the real world. I’ve got mad respect for those FSEs that take their jobs seriously and learn how to build full fledged F5 solutions that leverage our crazy broad product set and, you guessed it, our out of the box tools like iControl and iRules. Those that choose to flex those muscles garner a special place in my encrypted little heart.

Next, What is with this challenge business?

Every time we get a new batch of FSEs in at corporate for brainwashing err, training we put them through what we lovingly refer to as a boot camp. This is, as you might expect given the name, a rapid way of getting folks up to speed on not only F5 technology but all of the surrounding whats-its and know-how that is expected of someone out in the field slinging our tech. This invariably includes a delve into iRules. There is formal training, of course, but the challenge is a different beast all together. I effectively pose as a customer in the field with a complex (at least complex by beginners’ standards) problem that needs solving. I present it to the batch of keyboard jockeys, give them time to ask questions, take notes, etc., then cut them loose. In their “free time” (See: sleepless hours well into the night) they get to hash out the solution to the problem. They are expected to write, test, and lightly document an iRules solution to eradicate the posed problem point by point. Points are awarded for effectiveness, efficiency, and exportability, meaning ease of use and hand-off. I come back in a week later, after pouring over the proffered code snippets, and announce the winners (top3) based on said criteria, who are then awarded fabulous cash and prizes! (Bold + italics means it must be true, right? Even when it’s not. Since it’s not. At all.)

Lastly, What was the challenge?

People are always curious to hear what the actual challenge was when looking at the submissions, so here you go:

Scenario:

A client has an https based application that is undergoing upgrades and large changes, and they need to create business logic in the network layer to allow for a smooth transition and consistent user experience.

Desired Solution:

Ensure that all requests from the client to the BIG-IP are SSL encrypted
Ensure all traffic to the back end is plain-text
For all canonical names of domain.com (I.E. bob.domain.com, app1.domain.com, etc.) remove the canonical name and prepend to URI (I.E. bob.domain.com/my/app becomes domain.com/bob/my/app).
Standard canonicals are excluded from this re-writing (mail, smtp, www, ns, ns1)
These host/uri changes must happen transparently to the clients accessing the application.
Anyone accessing the application from the internal network (10.1.*) with an appropriate auth cookie (Name: X-Int-Auth. Value=True) bypasses the above logic and accesses the old structure.
Log any request (IP of client and URI requested) to a canonical name x.domain.com that is non standard (mail, smtp, www, ns, ns1) so that data can be collected as to when users have fully transitioned.

So now that the table is set, on with the feast!

This time around I had another killer host of entries into the hopper. There were people of all experience levels from “newbie, never coded, what does this double equals thing do?” levels to one heck of a ringer, who would make himself known eventually, even though he flew under the radar at first, sly dog that he is. Out of the raft of valiant attempts and solid efforts, my arduous duty was to narrow it down to the top three and announce them to the group, and later (now) the world. Such was my task, and such was performed. I bring you this quarter’s FSE iRules Challenge winners:

3rd Place – Benn Alp

Complete with ASCII art, Benn put in an heroic effort on this submission. He ended up with a heck of a lot of code, and most of it was extremely valid, which just goes to show that while he didn’t have the most efficient solution, he stuck with things until he got where he wanted. I encourage less meandering approaches to coding, but I was impressed by the thought that went into this one and the potential that is apparent in his thought process, logic and effort. Way to go Benn!

   1: ###############################################################################

   2: #  _ ____        _              ____ _           _ _                         #

   3: # (_)  _ \ _   _| | ___  ___   / ___| |__   __ _| | | ___ _ __   __ _  ___   #

   4: # | | |_) | | | | |/ _ \/ __| | |   | '_ \ / _` | | |/ _ \ '_ \ / _` |/ _ \  #

   5: # | |  _ <| |_| | |  __/\__ \ | |___| | | | (_| | | |  __/ | | | (_| |  __/  #

   6: # |_|_| \_\\__,_|_|\___||___/  \____|_| |_|\__,_|_|_|\___|_| |_|\__, |\___|  #

   7: #                                                               |___/        #

   8: ##############################################################################

   9: #

  10: #  Benn Alp b.alp@f5.com

  11: #

12:

  13: when RULE_INIT {

  14: # CONFIGURABLE ITEMS

  15: #----------------------------------------------------------------------------------------------------------

  16: # Debug Logging. (Note: Irrispective of how this is set logs to satisfy requirement 6 will be sent -

  17: # 6 Log any request (IP of client and URI requested) to a canonical name x.domain.com that is non standard

  18: # (mail, smtp, www, ns, ns1) so that data can be collected as to  when users have fully transitioned" is irrespective of this setting.

  19: # 0 - Disabled

  20: # 1 - Enabled

  21: #----------------------------------------------------------------------------------------------------------

  22: set static::DebugLogging 1

  23: #----------------------------------------------------------------------------------------------------------

  24: # Behaviour when requirement 1 is violated for transformed apps (Ensure that all requests from the client to the BIG-IP are SSL encrypted)

  25: # Legacy apps continue to work as per normal.

  26: #  0 - Reject

  27: #  1 - Redirect to https

  28: #----------------------------------------------------------------------------------------------------------

  29: set static::SSLBehaviour 1

30:

  31: }

  32: when HTTP_REQUEST {

  33:         set Rewrite 0

  34:     if { $static::DebugLogging } { log local0. "Trigger HTTP_REQUEST"}

  35:         # Requirement 5 - Anyone accessing the application from the Internal Network (10.1.x.x) and with an appropriate auth cookie (Name: X-Int-Auth Value=True) bypassess the above logic and access the old structure, or anybody using domain.com bypass/return

  36:         if {[IP::client_addr] starts_with "10.1." and [HTTP::header "X-Init-Auth"] equals "True" or [string tolower [HTTP::host]] equals "domain.com" } {  if { $static::DebugLogging } { log local0. "Trigger return based on Requirement 5 or domain=domain.com"} return

  37:         } else {

  38:                 if { [HTTP::host] contains ".domain.com" } {

  39:                 # Requirement 3.1 Standard canonicals are excluded from this re-writing (mail, smtp, www, ns, ns1) and # Requirement 6 - Log any request (IP of Client and URI requested) to a canonical name x.domain.com that is non standard (Mail.smtp,www,ns,ns1) so that data can be collected as to when users have fully transitioned

  40:                 # Switch -exact was faster than data groups..

  41:                 switch -exact [string tolower [HTTP::host]] {

  42:                         "mail.domain.com" { log local0. "Legacy Connection - USERIP [IP::client_addr] - mail.domain.com/[HTTP::uri]" }

  43:                         "smtp.domain.com" { log local0. "Legacy Connection - USERIP [IP::client_addr] - smtp.domain.com/[HTTP::uri]" }

  44:                         "www.domain.com" { log local0. "Legacy Connection - USERIP [IP::client_addr] - URI www.domain.com/[HTTP::uri]" }

  45:                         "ns.domain.com" { log local0. "Legacy Connection - USERIP [IP::client_addr] - URI ns.domain.com/[HTTP::uri]" }

  46:                         "ns1.domain.com" { log local0. "Legacy Connection - USERIP [IP::client_addr] - URI ns1.domain.com/[HTTP::uri]" }

... And that's all I'm showing of Benn's solution. It goes on for a while, and was an awesome effort but it's...rather long. ;)

2nd Place – Max Iftikhar

Max set a high bar indeed with his submission which used the uber efficient stream profile, a solid cut at response re-writing, one of the pitfalls of this particular challenge, and some handy dandy string manipulation. This one was efficient, brief, and looked like it could have been the overall winner. All things being equal, in many other FSE classes this very well could have won, as it is a darn fine effort, and Max should hold his head high while coding. Unless of course he can’t see the monitor, then hold it rather normally and just know you kicked some tail, Max.

   1: when HTTP_REQUEST {

   2: if { [TCP::local_port] == 80 } {

   3:     # redirect to https

   4:     HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"

   5: }

6:

   7: when HTTP_REQUEST {

8:

   9: set rewrite 0

  10: set canonical [getfield [HTTP::host] "." 1]

  11: set host1 [HTTP::host]

  12: set host2 [getfield [HTTP::host] "$canonical" 1]

  13: set uri1 "[HTTP::uri]"

  14: set uri2 ""/"$canonical[HTTP::uri]"

15:

  16: if {[IP::addr [IP::client_addr] equals 10.1.x.x/16] and [HTTP::cookie exists"X-Int-Auth"}

  17: {

  18:   pool http_pool

  19: }

20:

  21: else {

22:

  23: log local0. "Received request from [IP::client_addr] -> [HTTP::host][HTTP::uri]"}

24:

  25:    # Rewrite the Host header

  26:     HTTP::header replace "Host" $::host2

  27:                 # Make uri path start with /canoncial if it doesn't already

  28:     if { not ([HTTP::uri] starts_with "/$canonical") } {

  29:   HTTP::uri [string map -nocase {$uri1 $uri2} [HTTP::uri]]

  30:   set urlRewrite 1

31:

  32: }

33:

  34: when HTTP_RESPONSE {

35:

  36:                 if {$rewrite}{

37:

  38:                                 # Check if response is a redirect

  39:                                 if {[HTTP::is_redirect] and [HTTP::header Location] contains $find}{

  40:                                                 # Rewrite the redirect Location header value

  41:                                                 HTTP::header replace "Host" $::host1

  42:                                                 HTTP::header replace Location [string map -nocase "$url1 $url2" [HTTP::header Location]]

  43:                                 }

44:

  45:                                 # Check if response payload type is text

  46:                                 if {[HTTP::header value Content-Type] contains "text"}{

47:

  48:                                                 # Set the replacement strings

  49:                                                 STREAM::expression "@$url1@$url2@"

50:

  51:                                                 # Enable the stream filter for this response only

  52:                                                 STREAM::enable

  53:                                 }

  54:                 }

  55: }

Winner! – Joe Martin

Last but the exact inverse of least, our winner in fact, was Joe Martin. Joe seemed like a normal, average, every day FSE challenge entrant upon first blush. He didn’t even bother to out himself at the onset as having written iRules before when I asked for experience levels. Clever ploy, Joe, very clever. As I was later to find out Joe seemed to in fact be a cyborg-robot-iRules-ninja-hacker-dinosaur sent back from the future to bust the curve for all FSE iRules Challengees everywhere. Seriously, this guy knew what he was doing. This iRule is pretty darn close to the code I would churn out to solve this particular problem and, not to self aggrandize, but that’s not such a bad thing coming from the guy judging the challenge, amirite? Upon presenting the results and having shaken the hand of the Cylon (No windows, you may not autocorrect Cylon to colon. Go away, I’m making jokes here.) in charge of iRules affairs himself, I asked Joe how many iRules he’d written before, because it was obvious that he had done so. Much to his credit he admitted to having written hundreds, which makes a whole heck of a lot of sense, and makes me able to sleep just a bit better at night without keeping a light on to watch out for those cyborg iRules ninja invaders. Big congrats to Joe for a darn fine hunk of codey bits.

   1: when HTTP_REQUEST {

   2:   set request_rewrite 0

3:

   4:   #Check to see if this in an internal developer request (internal IP and X-Auth header)

5:

   6:   if { ([HTTP::header X-Int-Auth] equals "True") && ([IP::client_addr] equals "10.1.0.0/16") } {

   7:     pool http_pool

8:

   9:   } else {

10:

  11:     set orig_host [string tolower [HTTP::host]]

  12:     scan $orig_host %s.%s.%s host domain tld

  13:     set new_host "$domain.$tld"

14:

  15:     #Make sure "host" portion of DNS name is not in exclusion data group "class_no-rewrite"

16:

  17:     if { ![class match $host equals class_no-rewrite] } {

18:

  19:       #Flag connection as "request rewritten", rewrite host header and URI, and log request info"

20:

  21:       set request_rewrite 1

  22:       HTTP::header replace Host $new_host

  23:       HTTP::uri "/$host[HTTP::uri]"

  24:       log local0. "Request to $orig_host from [IP::client_addr] rewritten to [HTTP::uri]"

  25:       pool http_pool

  26:     }

  27:   }

  28: }

29:

  30: when HTTP_RESPONSE {

31:

  32:   #If the request was rewritten we need to rewrite Location headers and embedded URLs

33:

  34:   if {$request_rewrite} {

  35:     if { [HTTP::is_redirect] }{

  36:       HTTP::header replace Location [string map -nocase "$new_host $orig_host" [HTTP::header Location]]

  37:     } else {

  38:       STREAM::expression "@/$host/@/@ @http://$new_host@https://$orig_host@"

  39:       STREAM::enable

  40:     }

  41:   }

  42: }

All said and done it was another fine experience hosting the FSE iRules challenge. There was code, and fun, and fun code, and coding fun, and funny code, and…well you get the idea. I’m looking forward to the next crop and seeing what they’re capable of. I’ll be working on my cyborg detection methodologies in the meantime. Until then, remember kids: code hard.

#Colin

#iRules #iRulesChallenge #Cylons

Published Aug 29, 2013

Version 1.0