Forum Discussion

benbenben_9082's avatar
benbenben_9082
Icon for Nimbostratus rankNimbostratus
Feb 18, 2008

Advice on matching URI's

Hi,

 

 

I am using an F5 for quite a large website. I need to direct visitors to certain pages over SSL (I terminate SSL on the F5) and bounce them back to normal HTTP when they leave that particular area.

 

 

Currently, I'm using an irule like:

 

if {[matchclass [HTTP::uri] contains $::Make_SSL]} {

 

 

This works fine however it is rather loose and matches things it shouldn't. e.g. 'administrator' gets caught by 'admin' and so on.

 

I could break this up so I use 'contains/starts_with/ends_with' which still isn't perfect. I've been looking at using regular expressions, however I've read a few articles which say this should be avoided at all costs. I am however wondering if it would be the best solution as opposed to an irule which does 3 checks for 'contains/starts/ends' and checks the necessary data group.

 

 

With the 'contains/starts/ends' check there would be 28 items in the data groups, so potentially thats 84 checks on one request. With regex's I could get this down to 15 expressions.

 

 

I'd be interested in hearing your thoughts.

 

 

Thanks - Ben
application delivery
dev
devops
iRules

5 Replies

Sort By
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Feb 18, 2008
    Hi,

     

     

    Regexp is more expensive in CPU that other command but may be worth sometimes. Huge and long regular expressions is expensive but from my understanding the different regular expression you'll use shouldn't be too complex. After it will be a question about how much traffic will be processed, what is the your CPU's level right now, etc...

     

     

    You should try to use your matchclass command with matches_regex, never tested to put regexp in a class but if it works may be interesting to test it.

     

     

    Moreover, you may use "switch -glob (or -regexp)" if you had to make long statement, it will be more efficient(than a sequence of if/elsei) and you can use regexp if needed (with the -regexp command). From my understanding you'll probably more need the -regexp option than glob.

     

     

    Here is an example:

     

     

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&forumid=5&postid=8740

     

     

    If you need to evaluate the impact on performance of what you will try i would recommend to have a look at this article:

     

     

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=123

     

     

    It is a guide to know how many cpu your irule will use (average value)
  • benbenben_9082's avatar
    benbenben_9082
    Icon for Nimbostratus rankNimbostratus
    Feb 18, 2008
    Thanks - I think that link to performance testing will be really useful.

     

     

    I also noticed that there is a 'match' option I could use. This will work for some of the regex's as I just need the wildcarding functionality. I imagine I can just use match_regex for the few short regex's I'll have left.

     

     

    Regards - Ben

     

     

  • benbenben_9082's avatar
    benbenben_9082
    Icon for Nimbostratus rankNimbostratus
    Feb 19, 2008
    OK, looking into SWITCH, is there anything still to be gained from this as I would like all the regular expressions in a data group list which might mean I have to use matches_regex ?

     

     

    I'm just after a very simple if statement and I think switch might be a bit overkill for what I'm trying to achieve?
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Feb 19, 2008
    Usually we recommend to use SWITCH when you have less than 100 entries and data group for higher number.