Forum Discussion
APM irule
Hi, I needed an iRule to allow traffic through an APM-enabled virtual server without running it against the access policy if the URL is /ews.
I thought this would work:
1st non-working irule________________________________________________________
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] starts_with "/ews" } {
        ACCESS::disable
    }
}
But this does not work, and EWS requests still seem to hit the APM policy, and F5 requests preauth (which is part of the access policy).
I found an irule to allow Skype traffic through which led me to create this irule instead:
2nd working irule_________________________________________________________
when HTTP_REQUEST {
    set is_disabled 0

    if { [string tolower [HTTP::path]] starts_with "/ews" } {
        set is_disabled 1
        # Remember the original path so it can be restored in HTTP_REQUEST_RELEASE
        set path [HTTP::path]
        ACCESS::disable
        HTTP::path _disable-$path
        pool /Common/outlook.mydomain.com.au.app/outlook.mydomain.com.au_edge_pool14
    }
}
when HTTP_REQUEST_RELEASE {
    if { !$is_disabled } { return }
    # Put the original path back before the request is released to the pool
    HTTP::path $path
    unset is_disabled
}
This second irule works as I intended and allows /ews traffic through as if there were no APM policy attached to the VS. But I don't understand why the first irule doesn't work as intended but the second one does. Why do you need these extra commands and the event for request release? Can anyone explain why?
4 Replies
- Josiah_39459
Historic F5 Account
One difference is the presence of the pool command. If your original vip assigned the pool in the access policy, then disabling access would mean the pool wouldn't get assigned so then the traffic wouldn't go on to the backend pool.
The other difference is this is unsetting the flag after each request. This makes a difference if you want some requests to go through access and others not ON THE SAME CONNECTION. For example, your irule would work with an attached pool and as long as the /ews requests always came on a new connection. But if an /ews request came and then another request came on the same connection that you wanted to be handled by access it wouldn't be (and vice versa).
- SteveVernau_132
Nimbostratus
And what does this do? HTTP::path _disable-$path
- Faruk_AYDIN
Altostratus
Use ACCESS::restrict_irule_events disable in the CLIENT_ACCEPTED event to interfere before the access policy. Like this:
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
- Georgi
Nimbostratus
We worked with F5 Support and support provided us with the following solution to disable APM policy for Exchange Web Services (EWS).
priority 1
when HTTP_REQUEST {
    set is_disabled 0
    # Exchange Web Services
    if { [string tolower [HTTP::path]] starts_with "/ews" } {
        if { [string tolower [HTTP::uri]] contains "wssecurity" } {
            NTLM::disable
            set is_disabled 1
            set path [HTTP::path]
            WEBSSO::disable
            ACCESS::disable
            HTTP::path _disable-$path
            pool Exchange_External_oa_pool7
        }
        if { [string tolower [HTTP::uri]] contains "mrsproxy.svc" } {
            set is_disabled 1
            set path [HTTP::path]
            NTLM::disable
            WEBSSO::disable
            ACCESS::disable
            HTTP::path _disable-$path
            pool Exchange_External_oa_pool7
            COMPRESS::disable
            CACHE::disable
        }
    }
    # Autodiscover
    if { [string tolower [HTTP::path]] starts_with "/autodiscover" } {
        if { [string tolower [HTTP::uri]] contains "wssecurity" } {
            NTLM::disable
            set is_disabled 1
            set path [HTTP::path]
            WEBSSO::disable
            ACCESS::disable
            HTTP::path _disable-$path
            pool Exchange_External_ad_pool7
        }
        if { [string tolower [HTTP::uri]] contains "autodiscover.svc" } {
            set is_disabled 1
            set path [HTTP::path]
            NTLM::disable
            WEBSSO::disable
            ACCESS::disable
            HTTP::path _disable-$path
            pool Exchange_External_ad_pool7
            COMPRESS::disable
            CACHE::disable
        }
    }
}
when HTTP_REQUEST_RELEASE {
    if { !$is_disabled } { return }
    # Put the original path back before the request is released to the pool
    HTTP::path $path
    unset is_disabled
}