Forum Discussion

Dave_Noonan
Feb 17, 2020

Persistence for selected URIs on a VS

Looking for suggestions on the best way to accomplish this.

We want specific URIs to have cookie persistence enabled while the persistence on the virtual server is None.

I'm pretty sure this could be done with an iRule but wanted to check whether there's a better way since I'm returning to F5 after a five-year absence.

These URIs need cookie persistence; any other URI will not use persistence:

/blahblah/app/

/blahblah/api/

Bonus question:

They want those same URIs blocked from public access. What's the easiest way to ACL those while leaving the rest of it open?

2 Replies

  • https://clouddocs.f5.com/api/irules/persist.html

    when HTTP_REQUEST {
        # Check the requested URI
        switch -glob [HTTP::uri] {
            "/path1/*" -
            "/path2/*" {
                # Request was for an IIS URI so select the pool and set a pool-specific cookie
                pool iis_pool
                persist cookie insert iis_persist 0
            }
        }
    }

    For your second question, when you say "blocked from public access", what does "private" access mean? Only allowed from certain subnets? How many subnets? Something else?

  • Your code looks a lot like what I came up with after further searching, so that's reassuring.

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]]  {
            "/blahblah/app/*" -
            "/blahblah/api/*" {
                # If client is public IP then send 404
                if { not ([class match [IP::client_addr] equals private_net]) } {
                    HTTP::respond 404 content "HTTP ERROR 404 Reason:Not Found" "Content-Type" "text/html"
                    event disable
                    TCP::close
                } else {
                    # If client is private IP set cookie persistence
                    persist cookie insert blahblah_Cookie 0 
                }
            }
        }
    }

    The second question is just to block those from non-RFC1918 IP space. I included that in my iRule but feel free to tell me if there's a better way.
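
A consolidated version of the two iRules above, added here as an example (not code from either poster). It assumes `private_net` is an address-type data group holding the RFC 1918 ranges; the log message format is made up for illustration.

```tcl
# Assumption: private_net is an address-type data group containing
# 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (the RFC 1918 ranges).
when CLIENT_ACCEPTED {
    # The client address cannot change during a connection, so evaluate the
    # ACL once here instead of on every HTTP request.
    # Caveat: behind an upstream proxy or NAT this is the proxy's address.
    set is_private [class match [IP::client_addr] equals private_net]
}

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/blahblah/app" -
        "/blahblah/app/*" -
        "/blahblah/api" -
        "/blahblah/api/*" {
            # The bare paths are listed because "/blahblah/app/*" does not
            # match a request for "/blahblah/app" without the trailing slash.
            if { !$is_private } {
                # Log the denial so blocked attempts are visible to operations.
                log local0.notice "restricted path denied: client=[IP::client_addr] path=[HTTP::path]"
                HTTP::respond 404 content "Not Found" "Content-Type" "text/plain"
                return
            }
            # Private client: same cookie persistence settings as the post above.
            persist cookie insert blahblah_Cookie 0
        }
        default {
            # Every other URI: no persistence, stated explicitly.
            persist none
        }
    }
}
```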