Forum Discussion

bizooga
Nov 07, 2015

Trying to combine 3 irules together or look for a better way to execute

Hi folks. I am a new F5 admin and I was having some issues trying to get 3 irules to run nicely with each other on the same virtual server. My goals are this:

irule1: If you access a specific url on the virtual server and match a DG of allowed ip addresses, you get redirected to the pool. If you aren't in the DG you get redirected to a friendly forbidden page hosted on the F5.

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] equals "abc.com" and [matchclass [IP::remote_addr] equals $::abc_allow_dg]) } {
        pool GSENT.abc.com
    } else {
        HTTP::respond 200 content [ifile get abc_ip_forbidden]
    }
}

irule2: This is for name based hosting. My company hosts about 100 sites on a single virtual server to save public IPs. Each website has its own pool and own HTTP monitor. If you access a site that is listed in a data group you will be directed to your corresponding pool. If the URL and pool are not in the DG the request is discarded.

when HTTP_REQUEST {
    # good-DG-Prod is a string data-group where the entries are name:value pairs
    # name is the requested HTTP host header, value is the associated pool-name

    # check the requested HTTP host header against entries in data-group good-DG-Prod
    if { [class match [string tolower [HTTP::host]] equals good-DG-Prod] } {
        # if the HTTP host header is in good-DG-Prod
        # send the request to the pool associated with the good-DG-Prod entry
        pool [class match -value [string tolower [HTTP::host]] equals good-DG-Prod]
    } else {
        # drop the request if the host header is not in good-DG-Prod
        drop
    }
}

irule3: This is a basic maintenance page. If all pool members are down for a particular website then you get a maintenance page.

when HTTP_REQUEST {
    if { [active_members [LB::server pool]] == 0 } {
        switch [string tolower [HTTP::uri]] {
            "/" {
                HTTP::respond 200 content [ifile get testapp_index_txt]
            }
            "/f5b_mini.png" {
                HTTP::respond 200 content [ifile get testapp_f5ball_img]
            }
        }
    }
}

I can apply irule(s) 2 and 3 to a single virtual server and they seem to work correctly together with irule 2 at the top of the list. If I apply all 3 rules to the VS in the order 1, 2, 3, the first irule doesn't execute correctly.

Any help or suggestions would be greatly appreciated.

Thanks,

Kevin

3 Replies

  • After each HTTP response or redirect, you must use the "event disable" function to mitigate the TCL violation of multiple redirect/response actions per request. Add the "event disable" function to your iRule1 and iRule3. For clarity, also add the "event disable" function after the "drop" function in your iRule2 to prevent the possibility of action override by another iRule.

    Another recommendation is to replace the "matchclass" function with "class match" in iRule1. The first function, despite working as intended, is obsolete.

    [class match [IP::remote_addr] equals "abc_allow_dg" ]

    iRule priorities

    My personal observation is that a maintenance page iRule should take precedence over any security-related iRule (iRule1 and iRule2). Use the priority function "priority 100" for iRule3, use "priority 200" for iRule1 and "priority 300" for iRule2. In regards to iRule2 and iRule3, you may reverse the execution order; it's not as important.
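    The reply's advice written out as an added example (not the poster's or the replier's own iRules): the three rules with priority, event disable and class match. It assumes the data groups, pools and iFiles named in the post exist, and that abc.com also has an entry in good-DG-Prod mapped to GSENT.abc.com, because iRule 2 still runs after iRule 1 and would otherwise drop the request; the 403 and 503 status codes are a change from the post's 200 responses.

```tcl
# ---- iRule 1, priority 200: IP allow-list for abc.com (assumed data group abc_allow_dg) ----
priority 200
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "abc.com" } {
        if { [class match [IP::client_addr] equals abc_allow_dg] } {
            # iRule 2 runs next and selects the pool from its good-DG-Prod entry for abc.com
            pool GSENT.abc.com
        } else {
            # 403 instead of the post's 200. "Connection close" matters: event disable is
            # per connection, so later requests on a kept-alive connection would skip
            # HTTP_REQUEST in every iRule, including this allow-list check.
            HTTP::respond 403 content [ifile get abc_ip_forbidden] "Connection" "close"
            event disable
        }
    }
}

# ---- iRule 2, priority 300: name-based routing, unknown hosts are dropped ----
priority 300
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    if { [class match $host equals good-DG-Prod] } {
        pool [class match -value $host equals good-DG-Prod]
    } else {
        drop
        # stop any lower-priority rule from overriding the drop with a response
        event disable
    }
}

# ---- iRule 3, priority 100: maintenance page when the site's pool has no active members ----
priority 100
when HTTP_REQUEST {
    # Resolve the pool from the data group rather than [LB::server pool]: at priority 100
    # this rule runs before iRule 2 has selected a pool, so LB::server pool would still
    # be the virtual server's default pool. Empty string means the host is unknown.
    set target [class match -value [string tolower [HTTP::host]] equals good-DG-Prod]
    if { $target ne "" && [active_members $target] == 0 } {
        switch [string tolower [HTTP::uri]] {
            "/f5b_mini.png" {
                HTTP::respond 200 content [ifile get testapp_f5ball_img] "Connection" "close"
            }
            default {
                # 503 instead of 200 so clients and caches do not treat the page as the site
                HTTP::respond 503 content [ifile get testapp_index_txt] "Connection" "close"
            }
        }
        event disable
    }
}
```

    With these priorities the order per request is iRule 3, then iRule 1, then iRule 2, and each branch that answers or drops the request ends with event disable so no later rule can override it.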

  • Thanks Hannes. The event disable function did the trick. Also thank you Mark for your suggestion as well.