Forum Discussion

Chris_Phillips
Feb 08, 2013

httpclass vs irule uri priorities

Howdy,

I've a rule which is blocking or permitting access to certain URIs by means of a starts_with match. I can match "/testuri" against the request uri, e.g. /testuri/example and then reject the connection. This in itself is working well.

Separately to this, I have an httpclass which redirects / to /home.

I was trying to set up my rule so that I would block / (i.e. every url by default) and then allow /testuri as a specific location underneath that. This again works fine, however the logic clashes with the redirect from / to /home.

Basically, the reject in the filtering irule is executed before the httpclass is processed, so as much as I can permit /home I can't perform the redirect to send the user there, meaning I can't use a default deny logic in my rule.

Is there any way to make the httpclass redirect happen before the iRule?

Frustratingly, I recently replaced an iRule which was doing this / to /home redirect with an httpclass in order to make the config more standard and readable, but as the processing is happening in a different stage in the process, I *seem* to be in a worse position now, as beforehand I could just set a higher priority on one of the rules to execute the redirect before the block.

Thanks

Chris

5 Replies

  • I don't think you're able to change the execution order for anything really (other than between iRules as you mention). I think your only route here is to do it all in an iRule I'm afraid.
  • What are others doing that would be in this same situation? Has anyone found a workaround?
  • "I was trying to set up my rule so that I would block / (i.e. every url by default) and then allow /testuri as a specific location underneath that. This again works fine, however the logic clashes with the redirect from / to /home."

    Doesn't it work? Did I miss something?

    e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:80
       ip protocol 6
       rules myrule
       httpclass myhttpclass
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b profile myhttpclass list
    profile httpclass myhttpclass {
       defaults from httpclass
       pool none
       redirect "http://[HTTP::host]/home"
       paths "/"
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       switch -glob [string tolower [HTTP::path]] {
          "/testuri*" { }
          default {
             reject
          }
       }
    }
    }
    
    [root@ve10:Active] config  curl -I http://172.28.19.252
    HTTP/1.0 302 Found
    Location: http://172.28.19.252/home
    Connection: Keep-Alive
    Content-Length: 0
    
    [root@ve10:Active] config  curl -I http://172.28.19.252/home
    curl: (52) Empty reply from server
    
    [root@ve10:Active] config  curl -I http://172.28.19.252/testuri/index.html
    HTTP/1.1 200 OK
    Date: Sun, 10 Feb 2013 07:43:28 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 10 Feb 2013 07:30:55 GMT
    ETag: "46801b-59-c5d949c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    
    
  • Jnon
    I have not used the class much - since moving to 10.x - are the advantages behind the class, better performance or ??

  • "I have not used the class much - since moving to 10.x - are the advantages behind the class, better performance or ??"

    You mean httpclass, don't you?

    I do not have any reference but I think it is. Also, it is easier to configure and manage for a person who is not familiar with iRules. Anyway, an iRule is preferred for complex requirements.
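
The first reply's suggestion of doing everything in one iRule could look like the following. This is an added example, not code posted by anyone in the thread; it assumes the httpclass redirect is removed from the virtual server and that /home and /testuri are the only paths meant to be reachable.

```tcl
# Added example (hypothetical combined rule, not from the thread):
# redirect, allow list and default deny evaluated in a single HTTP_REQUEST
# event, so there is no ordering question between httpclass and iRule.
when HTTP_REQUEST {
    # HTTP::path excludes the query string; lowercase it so the match
    # cannot be sidestepped by changing case.
    switch -glob [string tolower [HTTP::path]] {
        "/" {
            # Takes over the httpclass redirect from / to /home.
            # [HTTP::host] reflects the client-supplied Host header; a fixed
            # hostname can be used here instead if that is a concern.
            HTTP::redirect "http://[HTTP::host]/home"
        }
        "/home" -
        "/home/*" -
        "/testuri" -
        "/testuri/*" {
            # Explicitly permitted: do nothing, the request goes to the pool.
            # These patterns are tighter than "/testuri*", which would also
            # match sibling paths such as /testuri-other.
        }
        default {
            # Default deny for every path not listed above.
            reject
        }
    }
}
```

Comments are kept inside the bodies because Tcl treats a `#` line placed between `switch` patterns as a pattern, not a comment.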