Forum Discussion
AdminAppWorld DC Booth Kiosk Generator
Welcome to AppWorld, community! You may or may not be with us in person, but you can watch this thread for iRules that are either generated or described by the Distributed Cloud AI Assistant.
26 Replies
- JimmyPackets
Cirrus
AI-Generated iRule
Prompt: Encrypt a session cookie value on the response and decrypt it on subsequent requests for cookie security
Generated iRule (by F5 Distributed Cloud AI Assistant):
when HTTP_RESPONSE { # Encrypt the session cookie value before sending it to the client set session_cookie [HTTP::cookie "session"] set encrypted_cookie [encrypt $session_cookie] # Call to a custom encrypt function HTTP::cookie "session" $encrypted_cookie } when HTTP_REQUEST { # Decrypt the session cookie value on subsequent requests set encrypted_cookie [HTTP::cookie "session"] if { $encrypted_cookie ne "" } { set session_cookie [decrypt $encrypted_cookie] # Call to a custom decrypt function HTTP::cookie "session" $session_cookie } } - JimmyPackets
iRule Explanation - from the iRules Toolbox
Source: cookie_encryption_gateway.txt
when CLIENT_ACCEPTED priority 500 { # Exposed passphrase, but this key can be synchronized to the peer LTM set PASSPHRASE "secret" # Private passphrase, but it isn't synchronized. On LTM failover to # its peer, applications relying on the encrypted cookies will break. # set passphrase [AES::key] } when HTTP_REQUEST priority 500 { foreach { cookieName } [HTTP::cookie names] { HTTP::cookie decrypt $cookieName $PASSPHRASE } } when HTTP_RESPONSE priority 500 { foreach { cookieName } [HTTP::cookie names] { HTTP::cookie encrypt $cookieName $PASSPHRASE } }Explanation (generated by F5 Distributed Cloud AI Assistant):
Objective
• Define a shared passphrase on connection setup.
• Decrypt all HTTP cookies arriving from clients.
• Encrypt all HTTP cookies sent back in responses.
• Ensure backend sees plaintext cookies while clients store encrypted ones.Execution Flow
• when CLIENT_ACCEPTED priority 500
– set PASSPHRASE "secret" establishes a cookie encryption key per connection (see set command docs).
• when HTTP_REQUEST priority 500
– [HTTP::cookie names] returns all cookie names.
– HTTP::cookie decrypt $cookieName $PASSPHRASE decrypts each cookie before passing to the server.
• when HTTP_RESPONSE priority 500
– [HTTP::cookie names] again lists all cookies (including newly set ones).
– HTTP::cookie encrypt $cookieName $PASSPHRASE encrypts each cookie before sending to the client.
Overall summary: This iRule transparently decrypts client cookies for internal use and re-encrypts them on the way back, using a static passphrase initialized at connection time.
F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind. - JimmyPackets
AI-Generated iRule
Prompt: Inject a JavaScript analytics snippet into HTML response bodies before the closing </body> tag
Generated iRule (by F5 Distributed Cloud AI Assistant):
when HTTP_RESPONSE priority 500 { # Check if Content-Type header exists and contains "text/html" if { [HTTP::header exists "Content-Type"] && [string tolower [HTTP::header "Content-Type"]] contains "text/html" } { # Get Content-Length header value if present, else set to 0 if { [HTTP::header exists "Content-Length"] } { set content_length [HTTP::header "Content-Length"] } else { set content_length 0 } # Collect the entire response body based on Content-Length or up to 1MB if unknown or large if { $content_length > 0 && $content_length < 1048576 } { HTTP::collect $content_length } else { HTTP::collect 1048576 } } } when HTTP_RESPONSE_DATA priority 500 { # Define the JavaScript analytics snippet to inject set js_snippet "<script>/* Analytics snippet here */</script>" # Get the full response body payload set content [HTTP::payload] # Search for the closing </body> tag case-insensitively if {[regexp -nocase -- {</body>} $content match body_tag_start]} { # Insert the JavaScript snippet before the closing </body> tag regsub -nocase -- {</body>} $content "${js_snippet}</body>" new_content } else { # If no </body> tag found, append the snippet at the end append content $js_snippet set new_content $content } # Replace the payload with the modified content HTTP::payload replace 0 [HTTP::payload length] $new_content # Update the Content-Length header to the new payload length HTTP::header replace "Content-Length" [string length $new_content] # Release the modified payload to continue processing HTTP::release } F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind. - Kendall_Brennei
Employee
SO COOL to see irule automation in action at #AppWorld2026
- JimmyPackets
AI-Generated iRule
Prompt: Reject SSL connections using TLS versions older than 1.2 with a TCP reset
Generated iRule (by F5 Distributed Cloud AI Assistant):
when CLIENTSSL_HANDSHAKE priority 500 { # Get the TLS version from the current SSL cipher set tls_version [SSL::cipher version] # Reject connection if TLS version is older than 1.2 if { $tls_version eq "SSLv2" or $tls_version eq "SSLv3" or $tls_version eq "TLSv1" or $tls_version eq "TLSv1.1" } { reject } } F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind. - JimmyPackets
AI-Generated iRule
Prompt: Log HTTP request and response headers to a remote syslog server in a structured key-value format
Generated iRule (by F5 Distributed Cloud AI Assistant):
when HTTP_REQUEST { # Log the incoming HTTP request headers to the syslog server set request_headers [HTTP::request_headers] set log_message "HTTP Request: [format_headers $request_headers]" log local0. "$log_message" } when HTTP_RESPONSE { # Log the outgoing HTTP response headers to the syslog server set response_headers [HTTP::response_headers] set log_message "HTTP Response: [format_headers $response_headers]" log local0. "$log_message" } # Helper function to format headers as key-value pairs proc format_headers {headers} { set formatted "" foreach {key value} [array get headers] { set formatted "$formatted$key: $value; " } return $formatted } - JimmyPackets
iRule Explanation - from the iRules Toolbox
Source: redirect_non_ssl_on_port_443.txt
# Create an F5 BIG-IP iRule that enforces HTTPS connections and directs users to a login page. The rule should check if the connection is encrypted by attempting to get the SSL cipher version. For unencrypted connections, log the detection and redirect to the HTTPS version of the Login.jsp page. For encrypted connections, allow the request to proceed but redirect requests for the root path to the Login.jsp page. Include error handling for the SSL cipher check and extract the hostname without port number when constructing redirect URLs. when HTTP_REQUEST priority 500 { # Try to get the SSL cipher version and catch any errors # This checks if the connection is encrypted (SSL/TLS) if {([catch {SSL::cipher version} result]) || $result eq "none"} { # Log that we detected an unencrypted request log local0. "\: $result. Redirecting unencrypted request." # Redirect to HTTPS version of the site, specifically to Login.jsp # getfield extracts the hostname without port number (if any) HTTP::redirect "https://[getfield [HTTP::host] : 1]/Login.jsp" # Exit the rule early return } # If we reach here, the connection is encrypted # Log that we're allowing the encrypted request log local0. "\: $result. Allowing encrypted request." # If the request is for the root path "/" if {[HTTP::path] eq "/"} { # Redirect to the Login.jsp page # This ensures users going to the root are sent to the login page HTTP::redirect "https://[getfield [HTTP::host] : 1]/Login.jsp" } }Explanation (generated by F5 Distributed Cloud AI Assistant):
Objective
• Enforce that all client requests use HTTPS by detecting the SSL/TLS state.
• Redirect plain‐HTTP requests to the HTTPS Login.jsp page, logging the event.
• Allow encrypted requests to proceed but send clients hitting “/” to Login.jsp.
• Extract the hostname without the port when building redirect URLs and handle SSL check errors.Execution Flow
• Event: when HTTP_REQUEST priority 500 fires on each HTTP request (docs: valid event).
• The rule runs [catch {SSL::cipher version} result] to test for an SSL/TLS cipher (docs: SSL::cipher version).
• If catch returns non‐zero (error) OR $result eq "none"
– Log detection of an unencrypted request.
– Redirect to https://[getfield [HTTP::host] : 1]/Login.jsp (uses getfield to strip port; docs: getfield syntax).
– return exits this event early (docs: return stops the current event).
• Otherwise (encrypted connection)
– Log that the encrypted request is allowed.
– If [HTTP::path] eq "/" (docs: HTTP::path returns the request path)
• Redirect to https://[getfield [HTTP::host] : 1]/Login.jsp.Potential Logic Concerns
• The log commands use local0. without specifying a severity level (docs require <facility>.<level>). This will fail at runtime. (high confidence)
Overall Summary
This iRule correctly enforces HTTPS, handles SSL detection errors, and redirects root‐path requests to Login.jsp while preserving the hostname. Fixing the log facility syntax will ensure proper logging.
F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind. - JimmyPackets
AI-Generated iRule
Prompt: Redirect clients to a certificate enrollment page if no client SSL certificate is presented
Generated iRule (by F5 Distributed Cloud AI Assistant):
when CLIENTSSL_CLIENTCERT { if { [SSL::cert count] == 0 } { # No client certificate presented, redirect to enrollment page HTTP::redirect "https://example.com/certificate-enrollment" } } - JimmyPackets
AI-Generated iRule
Prompt: Terminate idle TCP connections that have been inactive for more than 300 seconds with a graceful close
Generated iRule (by F5 Distributed Cloud AI Assistant):
when CLIENT_ACCEPTED priority 500 { # schedule a timer to close the connection after 300 seconds (300000 ms) set idle_timer [after 300000 { # gracefully close the TCP connection TCP::close }] } when CLIENT_CLOSED priority 500 { # cancel the scheduled idle timeout if the connection closes first if { [info exists idle_timer] } { after cancel $idle_timer unset -- idle_timer } } F5, Inc. ("F5") disclaims all liability in connection with any output generated by the AI Assistant ("Output") or use thereof, including without limitation any negative business impact caused by your use of Output to administer, direct, configure or control the operation and functioning of any F5 products. Output is provided "as is" without any warranties of any kind. - JimmyPackets
AI-Generated iRule
Prompt: Rewrite the Location header in 301/302 redirects to change the scheme from HTTP to HTTPS
Generated iRule (by F5 Distributed Cloud AI Assistant):
Unfortunately, the AI assistant is unable to answer this question as the F5 Distributed Cloud documentation does not include this information.
