Forum Discussion
benbenben_9082
Nimbostratus
NimbostratusAdvice on matching URI's
Hi,
I am using an F5 for quite a large website. I need to direct visitors to certain pages over SSL (I terminate SSL on the F5) and bounce them back to normal HTTP when they leave that particular area.
Currently, I'm using an irule like:
if {[matchclass [HTTP::uri] contains $::Make_SSL]} {
This works fine however it is rather loose and matches things it shouldn't. e.g. 'administrator' gets caught by 'admin' and so on.
I could break this up so I use 'contains/starts_with/ends_with' which still isn't perfect. I've been looking at using regular expressions, however I've read a few articles which say this should be avoided at all costs. I am however wondering if it would be the best solution as opposed to an irule which does 3 checks for 'contains/starts/ends' and checks the necessary data group.
With the 'contains/starts/ends' check there would be 28 items in the data groups, so potentially thats 84 checks on one request. With regex's I could get this down to 15 expressions.
I'd be interested in hearing your thoughts.
Thanks - Ben
Nicolas_MenantEmployee
Hi,
Regexp is more expensive in CPU that other command but may be worth sometimes. Huge and long regular expressions is expensive but from my understanding the different regular expression you'll use shouldn't be too complex. After it will be a question about how much traffic will be processed, what is the your CPU's level right now, etc...
You should try to use your matchclass command with matches_regex, never tested to put regexp in a class but if it works may be interesting to test it.
Moreover, you may use "switch -glob (or -regexp)" if you had to make long statement, it will be more efficient(than a sequence of if/elsei) and you can use regexp if needed (with the -regexp command). From my understanding you'll probably more need the -regexp option than glob.
Here is an example:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=8740
If you need to evaluate the impact on performance of what you will try i would recommend to have a look at this article:
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=123
It is a guide to know how many cpu your irule will use (average value)
benbenben_9082Thanks - I think that link to performance testing will be really useful.
I also noticed that there is a 'match' option I could use. This will work for some of the regex's as I just need the wildcarding functionality. I imagine I can just use match_regex for the few short regex's I'll have left.
Regards - Ben- The_BhattmanHow about using SWITCH?
- benbenben_9082OK, looking into SWITCH, is there anything still to be gained from this as I would like all the regular expressions in a data group list which might mean I have to use matches_regex ?
I'm just after a very simple if statement and I think switch might be a bit overkill for what I'm trying to achieve? - Nicolas_MenantUsually we recommend to use SWITCH when you have less than 100 entries and data group for higher number.
