Forum Discussion

DM_5174
Mar 10, 2010

-- HELP PUTTING MULTIPLE IRULES TOGETHER

Hi All,

I was wondering if I can get the help of all the i-rule gurus here on this site.

We have 3 i-rules that I would like to put together as one, but for some reason it is not working when I try to consolidate them as one i-rule.

Here is the objective of the i-rule.

I-Rule 1. This will send inbound connections to another server pool if the URL ends with /APPxx

I-Rule 2. This will use the class data-group to only allow IP addresses that are defined for inbound connections to the WEBLOGIC pool during the maintenance window; all other connections from external clients will need to get sent to the maintenance page "http://www.mainsite.com/maintenance/emergencydown.htm".

I-Rule 3. This is an additional monitor that will verify all members in the WEBLOGIC pool are up. If all the hosts are down, users regardless should get sent to the emergency down page.

PROBLEM: When I consolidate the 3 i-rules together, I-Rule 1 does not seem to work. I connect, but when I try to go to /APPxx, I get an error from the LTM that it cannot find this directory. Please help, since rules 1 and 2 are most important and need to work together.

    # I-RULE 1 Sends inbound connection to APACHE SVR POOL if URL ends with /APP..
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/APP01*" -
            "/APP02*" -
            "/APP03*" -
            "/APP004*" -
            "/APP5*" {
                use pool APACHE-SERVER-POOL
            }
            default {
                use pool WEBLOGIC-SERVER-POOL
            }
        }

        # I-RULE 2 Check if client IP is in the datagroup
        if {[matchclass [IP::client_addr] equals $::ALLOW-DURING-MAINTENANCE]} {
            pool WEBLOGIC-SERVER-POOL
        } else {
            HTTP::redirect "http://www.mainsite.com/maintenance/sched-maintenance.htm"
        }

        # I-RULE 3 monitor members of pool and if down will send to emergency notification page, will also set the timer to return client to host URL
        set stime 10

        # If the WEBLOGIC POOL is down, redirect to the emergency notification page
        if { [active_members WEBLOGIC-SERVER-POOL] < 1 } {
            HTTP::redirect "http://www.mainsite.com/maintenance/emergencydown.htm"
        }
    }

Thank you in advance!

9 Replies

  • Can you post your consolidated rule? Also, you can eliminate 3 by defining a fallback host in a custom HTTP profile for your Weblogic VIP.

    -Matt
  • Here is the i-rule... For some reason, I get a 404 and it does not look like it is working.

        when HTTP_REQUEST {
            switch -glob [string tolower [HTTP::uri]] {
                "/APP01*" -
                "/APP02*" -
                "/APP03*" -
                "/APP004*" -
                "/APP05*" {
                    use pool APACHE-SERVER-POOL
                }
                default {
                    use pool WEBLOGIC-SERVER-POOL
                }
            }

            if {[matchclass [IP::client_addr] equals $::ALLOW-DURING-MAINTENANCE]} {
                pool WEBLOGIC-SERVER-POOL
            } else {
                HTTP::redirect "http://www.mainsite.com/maintenance/sched-maintenance.htm"
            }

            set stime 10

            # If the WEBLOGIC POOL is down, redirect to the emergency notification page
            if { [active_members WEBLOGIC-SERVER-POOL] < 1 } {
                HTTP::redirect "http://www.mainsite.com/maintenance/emergencydown.htm"
            }
        }
  • This is what I have so far. It seems to work half way, but for some reason when I add a "/APPxx" after going to http://www.myportal.com/app01, it does not redirect me to the apache server pool. I get a "404" error from the LTM.

    What is working is, when I connect from an IP address listed in the data class, I get a 404 (this is good), and if I am coming from any other IP address not defined in this group, I get the "sched-maintenance.htm" page. This simulates that during our maintenance window, all connecting external users should see the maintenance page; however, QA users connecting from one of our subnets defined in the data class group should not see the sched maintenance window. They are sent to the WEBLOGIC pool, and if the servers in this pool are down, they will see the 404; if it is up, they will see the regular login page.

    Please help with why I cannot use the /APPxx string to get sent to the APACHE pool.

        when HTTP_REQUEST {
            set stime 10

            switch -glob [string tolower [HTTP::uri]] {
                "/APP01*" -
                "/APP02*" -
                "/APP03*" -
                "/APP004*" -
                "/APP05*" {
                    use pool APACHE-SERVER-POOL
                }
            }

            # Check if client IP is in the datagroup
            if {[matchclass [IP::client_addr] equals $::ALLOW-DURING-MAINTENANCE]} {
                pool WEBLOGIC-SERVER-POOL
            } else {
                HTTP::redirect "http://www.mainsite.com/maintenance/sched-maintenance.htm"
            }
        }
  • Hi AH,

    The string map is still showing CAPs. Use lower case. Also I am assuming that you want the IF statement to be checked first and not process the SWITCH statement. Here is what the code looks like:

        when HTTP_REQUEST {
            # Check if client IP is in the datagroup
            if {[matchclass [IP::client_addr] equals $::ALLOW-DURING-MAINTENANCE]} {
                pool WEBLOGIC-SERVER-POOL
                return
            } else {
                HTTP::redirect "http://www.mainsite.com/maintenance/sched-maintenance.htm"
                return
            }

            set stime 10
            switch -glob [string tolower [HTTP::uri]] {
                "/app01*" -
                "/app02*" -
                "/app03*" -
                "/app004*" -
                "/app05*" {
                    use pool APACHE-SERVER-POOL
                }
            }
        }

    I hope this helps

    Bhattman
  • Hi Bhattman,

    I tried the irule again; the IP address defined in the data group gets routed to the "WEBLOGIC-SERVER-POOL" and all other clients coming from IP addresses other than that get the maintenance page. The problem still exists where if I come from the source network defined in the data group, when I go to HTTP://www.my-weblogic-server-pool.com/APP01 or /APP02, I get the following error below. It does not seem I am getting correctly sent to the "APACHE-SERVER-POOL" when I specify this in the URI.

    THIS ERROR IS PRODUCED WHEN YOU SPECIFY "/app01" etc..

        Error 404--Not Found
        From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
        10.4.5 404 Not Found

    Thank you!
  • The logic in iRule 2 is going to always either send clients to the weblogic pool or redirect them. So if you have that first, you'll never allow anyone to get to the apache pool.

    I think you need to clarify which actions you want to take and then try to combine the iRules. Do you want to check the request for the "app..." URIs first and select the apache pool? For non-matching URIs, do you then want to select either the weblogic pool or redirect the client based on client IP address? Also, do you actually want to perform the maintenance check all of the time? Or just during maintenance periods? If only during maintenance periods, it probably doesn't make sense to have the iRules combined.

    Aaron
  • Hi Aaron,

    Here is an example of our current Production iRule. When users connect, they get the weblogic login page first; however, after successfully logging into the portal and clicking on the apps link (i.e. /APP..), they get redirected to the APACHE pool since those contents are hosted on the apache server and not the weblogic, or if they enter https://www.my-weblogic-server.com/APP01 "with the /APP.." in the URI, they will get prompted to login first before they are served up the contents off of the APACHE servers.

        when HTTP_REQUEST {
            switch -glob [string tolower [HTTP::uri]] {
                "/APP01*" -
                "/APP02" -
                "/APP03" -
                "/APP04" -
                "/APP05*" {
                    use pool APACHE-POOL
                }
                default {
                    use pool WEBLOGIC-POOL
                }
            }
        }

    What we want to accomplish is:

    1. Allow only our QA dept to access the portal (it is not down during maintenance) to test. Their source IP is defined in the Data group.

    2. Send all users with IP addresses not defined in the data group/class to the maintenance page so they do not login by mistake.

    3. When the QA team login, they should be able to have the same ability to the portal as the i-rule defined above (they are able to get forwarded to the apache pool based on the /app... link they select).

    Thank you for your help.

    -AH
  • Hi AH,

    Here is the script reworked based on my understanding of what you would like to do.

    How it works is that anyone NOT matching Datagroup ALLOW-DURING-MAINTENANCE is sent to the maintenance page. All others presumably in the ALLOW-DURING-MAINTENANCE datagroup will be sent to either the APACHE-SERVER-POOL or WEBLOGIC-POOL based on the URI.

    Does this sound more like what you wanted?

        when HTTP_REQUEST {
            # Check if client IP is in the datagroup
            if {!([matchclass [IP::client_addr] equals $::ALLOW-DURING-MAINTENANCE])} {
                HTTP::redirect "http://www.mainsite.com/maintenance/sched-maintenance.htm"
            } else {
                set stime 10
                switch -glob [string tolower [HTTP::uri]] {
                    "/app01*" -
                    "/app02*" -
                    "/app03*" -
                    "/app004*" -
                    "/app05*" { pool APACHE-SERVER-POOL }
                    default { pool WEBLOGIC-POOL }
                }
            }
        }

    Bhattman
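
Added example (not part of the original thread and not any poster's or F5's code): a Python model of the three orderings discussed above, showing why uppercase glob patterns never match a lowered URI and why the allowlist check has to gate the URI switch. The QA subnet, the client addresses and the "last command wins" simplification are assumptions made for the model.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the ALLOW-DURING-MAINTENANCE data group (hypothetical QA subnet).
ALLOW_DURING_MAINTENANCE = [ipaddress.ip_network("10.20.0.0/24")]
APP_GLOBS = ["/app01*", "/app02*", "/app03*", "/app004*", "/app05*"]
MAINT = "redirect sched-maintenance.htm"

def allowed(ip):
    """Model of matchclass [IP::client_addr] equals <data group>."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOW_DURING_MAINTENANCE)

def switch_glob(uri, globs):
    """Model of switch -glob [string tolower [HTTP::uri]]: the URI is
    lowered, the patterns are not, and matching is case-sensitive."""
    lowered = uri.lower()
    return any(fnmatchcase(lowered, g) for g in globs)

def switch_then_gate(ip, uri, globs=APP_GLOBS):
    """Switch first, allowlist if/else second. Simplification: the last
    pool/redirect command executed decides the outcome."""
    commands = []
    if switch_glob(uri, globs):
        commands.append("pool APACHE-SERVER-POOL")
    commands.append("pool WEBLOGIC-SERVER-POOL" if allowed(ip) else MAINT)
    return commands[-1]

def gate_with_return(ip, uri, globs=APP_GLOBS):
    """Allowlist if/else with return in both branches: switch is unreachable."""
    return "pool WEBLOGIC-SERVER-POOL" if allowed(ip) else MAINT

def gate_then_switch(ip, uri, globs=APP_GLOBS):
    """Deny non-allowlisted clients first; route by URI only for allowed ones."""
    if not allowed(ip):
        return MAINT
    if switch_glob(uri, globs):
        return "pool APACHE-SERVER-POOL"
    return "pool WEBLOGIC-POOL"

if __name__ == "__main__":
    qa, outside = "10.20.0.5", "203.0.113.9"  # constructed client addresses
    print(switch_glob("/APP01/index.html", ["/APP01*"]))  # uppercase pattern
    for rule in (switch_then_gate, gate_with_return, gate_then_switch):
        for ip in (qa, outside):
            print(rule.__name__, ip, "->", rule(ip, "/APP01/index.html"))
```

Only `gate_then_switch` sends an allowlisted client to the Apache pool for an /app URI while still redirecting every other client to the maintenance page.
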
  • That did it...YOU ARE THE MAN BHATTMAN!

    Thanks again!