This iRule should be simple

Hi Milo,

 

 

Are you looking to secure all traffic that meets your HTTP::uri search pattern, or just certain portions of traffic?

I'm trying to secure traffic that meets my HTTP::uri search pattern. For instance, URIs starting with /abc/secure1, /abc/secure2, and /abc/secure3. All other traffic to the vip should be forwarded to the default pool.

I was able to resolve the issue by adding an Else statement to forward unsecure traffic to our pool. The pool was already defined in the virtual server config. I'm not sure why it needed to be referenced with an Else statement and now I can't apply it to other virtual servers which use different pools. Any thoughts on how to make this iRule more generic and functional would be appreciated.

 

 

when HTTP_REQUEST {

 

set secure_service 0

 

if { [HTTP::uri] contains "/abc/s" } {

 

set secure_req [findstr [HTTP::uri] "abc" 4]

 

set secure_service 1

 

}

 

if { $secure_service eq 1 } {

 

HTTP::uri /10521/$secure_req

 

snatpool secure_snat

 

pool secure

 

log "The secure request received is $secure_req"

 

log "The secure URL is [HTTP::uri]"

 

} else {

 

pool my.site.com

 

log "Client connected to default pool - [LB::server] "

 

log "The securentry URL is [HTTP::uri]"

 

}

 

}

 

when SERVER_CONNECTED {

 

if { $secure_service == 0 } {

 

SSL::disable

 

}

 

}

 

when HTTP_RESPONSE {

 

if { $secure_service == 1 } {

 

log "HTTP Status is [HTTP::status] from server [IP::remote_addr]"

 

log "Service is $secure_service"

 

}

 

}

The pool command affects the destination for the current TCP connection. Subsequent HTTP requests within the same connection will go to the selected pool unless you specifically tell it to go elsewhere. Looking over your iRule I can't see any large optimizations but here are some updates that may assist.

 Send traffic to a secure service when string found in URI
when HTTP_REQUEST { 
  set secure_service 0 
  if { [HTTP::uri] contains "/abc/s" } { 
    HTTP::uri "/10521/[findstr [HTTP::uri] {abc} 4]"
    snatpool secure_snat 
    pool secure 
    set secure_service 1 
    log "The secure request received is [findstr [HTTP::uri] {abc} 4]" 
    log "The secure URL is [HTTP::uri]" 
  } else { 
    pool my.site.com
    SSL::disable 
    log "Client connected to default pool - [LB::server] " 
    log "The securentry URL is [HTTP::uri]" 
  } 
} 
when HTTP_RESPONSE { 
  if { $secure_service } { 
    log "HTTP Status is [HTTP::status] from server [IP::remote_addr]" 
    log "Service is $secure_service" 
  } 
}

- results of commands inside an event are cached so you can use repeatedly

- zero is false, 1 is true

- the first "if" defines what is considered a secure service, the second "if" is redundant as a result.

- SSL::disable can be used in the HTTP event.

Jarvil

Jarvil, thanks for the optimization tips and the explanation of how the pool command affects the data stream. I had no idea the pool command affected the entire TCP stream. The sad thing is I watched it happen as I reviewed the logs and tcpdumps and I refused to accept what I was seeing.