can this Irule be optimized?

Question

when HTTP_REQUEST {  
&nbsp;   if { [matchclass [string tolower [HTTP::uri]] starts_with $::legacyPaths] } { 
&nbsp;      checked for matchclass == legacyPaths and forward to Legacy_http_pool 
&nbsp;       snat 172.23.0.60 
&nbsp; HTTP::header insert X-Forwarded-For [IP::remote_addr] this was done to test i am trying to do it using http profile..  
&nbsp; used for debub 
&nbsp; HTTP::redirect http://www.google.com 
&nbsp;      pool Legacy_http_pool 
&nbsp;     }  else {   
&nbsp;        when uri matches admin in Literatum check for source ip 
&nbsp;             if { [HTTP::uri] starts_with "/admin" and (not [matchclass [IP::remote_addr] equals $::Admin])  } { 
&nbsp;             path for admin uri but not internal IP 
&nbsp;             log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"        
&nbsp;             HTTP::redirect http://redirect.com/404.html    
&nbsp;             } else { 
&nbsp;             pool Stage_http_pool 
&nbsp;             } 
&nbsp;        } 
&nbsp;  } 
&nbsp;  
&nbsp;  
&nbsp; ---------------Thanks 
&nbsp; Also I am using a custom http profile for this, where I am using insert X-forward-for. When I try to check for X-forward-for in fiddler (ie) or live headers in firefox I do not see it there... should I ? 
&nbsp;  
&nbsp; THanks

nicolas_menant · Answer

This iRule looks good. Maybe just add a [string tolower [HTTP::uri]] in your if statemement:

when HTTP_REQUEST { 
     if { [matchclass [string tolower [HTTP::uri]] starts_with $::legacyPaths] } { 
          checked for matchclass == legacyPaths and forward to Legacy_http_pool 
           snat 172.23.0.60 
           HTTP::header insert X-Forwarded-For [IP::remote_addr] this was done to test i am trying to do it using http profile.. 
           used for debub 
           HTTP::redirect http://www.google.com 
           pool Legacy_http_pool 
       } else { 
            when uri matches admin in Literatum check for source ip 
           if { [string tolower [HTTP::uri]] starts_with "/admin" and (not [matchclass [IP::remote_addr] equals $::Admin]) } { 
               path for admin uri but not internal IP 
               log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])" 
               HTTP::redirect http://redirect.com/404.html 
           } else { 
                pool Stage_http_pool 
           } 
     } 
 }

X-Forwarded-For header will be insert in your request after it goes through the BIGIP. So if you want to check this header you need to have a look between the BIGIP and the web server

jay_41157 · Answer

Thanks I am not sure how the tolower got missed, i will add it.

jay_41157 · Answer

This is the updated IRULE for above .... thoughts / comments / suggestions please.  
&nbsp;  
&nbsp; when HTTP_REQUEST {  
&nbsp;     if { (not [matchclass [string tolower [HTTP::uri]] starts_with $::LegacyExceptions])  
&nbsp;          and ([matchclass [string tolower [HTTP::uri]] starts_with $::LegacyPaths]) } { 
&nbsp;            
&nbsp;            checked for matchclass != exceptions and == LegacyPaths and forward to Legacy_http_pool 
&nbsp;            use snatpool atypon_SNAT 
&nbsp;            log local0. "*****DEBUG SNAT applied"  
&nbsp;            
&nbsp;          snat 172.23.0.60 
&nbsp;          pool Legacy_http_pool 
&nbsp;   
&nbsp;            HTTP::redirect http://www.google.com   
&nbsp;           
&nbsp;     }  else {   
&nbsp;             when uri matches admin in Literatum check for source ip 
&nbsp;          if { [HTTP::uri] starts_with "/admin"  
&nbsp;             and (not [matchclass [IP::remote_addr] equals $::Admin])  } { 
&nbsp;            Literatum path for admin uri but not internal IP 
&nbsp;          log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"        
&nbsp;          HTTP::redirect http://redirect.com/404.html    
&nbsp;          } else { 
&nbsp;            pool Stage_http_pool 
&nbsp;          } 
&nbsp;        } 
&nbsp;  }

hooleylist · Answer

Assuming the logic works for your scenario, the syntax looks fine.

when HTTP_REQUEST { 
  
    if { (not [matchclass [string tolower [HTTP::uri]] starts_with $::LegacyExceptions]) and ([matchclass [string tolower [HTTP::uri]] starts_with $::LegacyPaths]) } { 
  
       checked for matchclass != exceptions and == LegacyPaths and forward to Legacy_http_pool 
       use snatpool atypon_SNAT 
       log local0. "*****DEBUG SNAT applied" 
  
       snat 172.23.0.60 
       pool Legacy_http_pool 
  
       HTTP::redirect http://www.google.com 
  
    } else { 
  
        when uri matches admin in Literatum check for source ip 
       if { [HTTP::uri] starts_with "/admin" and (not [matchclass [IP::remote_addr] equals $::Admin]) } { 
  
  Literatum path for admin uri but not internal IP 
          log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])" 
          HTTP::redirect http://redirect.com/404.html 
  
       } else { 
          pool Stage_http_pool 
       } 
    } 
 }

Aaron

jay_41157 · Answer

Aaron thanks for verifying the syntax, I was more curious if there would be any optimization that can be done ....

Forum Discussion

can this Irule be optimized?

7 Replies

Recent Discussions

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

Related Content

Quick Optimizations for F5 BIG-IP Virtual Edition

Google Authenticator Verification iRule (TMOS v11.1+ optimized)

Optimizing the CVE-2015-1635 iRule

SSL Profiles Part 11: TLS Optimization

HSRP and VRRP Optimization