Forum Discussion
jay_41157
Nimbostratus
Aug 27, 2008
can this iRule be optimized?
when HTTP_REQUEST {
    if { [matchclass [string tolower [HTTP::uri]] starts_with $::legacyPaths] } {
        # checked for matchclass == legacyPaths and forward to Legacy_http_pool
        snat 172.23.0.60
        # HTTP::header insert X-Forwarded-For [IP::remote_addr]
        # this was done to test; I am trying to do it using http profile..
        # used for debug
        # HTTP::redirect http://www.google.com
        pool Legacy_http_pool
    } else {
        # when uri matches admin in Literatum check for source ip
        if { [HTTP::uri] starts_with "/admin" and (not [matchclass [IP::remote_addr] equals $::Admin]) } {
            # path for admin uri but not internal IP
            log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"
            HTTP::redirect http://redirect.com/404.html
        } else {
            pool Stage_http_pool
        }
    }
}
Thanks
Also I am using a custom http profile for this, where I am using insert X-Forwarded-For. When I try to check for X-Forwarded-For in Fiddler (IE) or Live Headers in Firefox I do not see it there... should I?
Thanks
7 Replies
- Nicolas_Menant
Employee
This iRule looks good. Maybe just add a [string tolower [HTTP::uri]] in your if statement:
when HTTP_REQUEST {
    if { [matchclass [string tolower [HTTP::uri]] starts_with $::legacyPaths] } {
        # checked for matchclass == legacyPaths and forward to Legacy_http_pool
        snat 172.23.0.60
        # HTTP::header insert X-Forwarded-For [IP::remote_addr]
        # this was done to test; I am trying to do it using http profile..
        # used for debug
        # HTTP::redirect http://www.google.com
        pool Legacy_http_pool
    } else {
        # when uri matches admin in Literatum check for source ip
        if { [string tolower [HTTP::uri]] starts_with "/admin" and (not [matchclass [IP::remote_addr] equals $::Admin]) } {
            # path for admin uri but not internal IP
            log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"
            HTTP::redirect http://redirect.com/404.html
        } else {
            pool Stage_http_pool
        }
    }
}
X-Forwarded-For header will be inserted in your request after it goes through the BIGIP. So if you want to check this header you need to have a look between the BIGIP and the web server.
- jay_41157
Nimbostratus
Thanks, I am not sure how the tolower got missed, I will add it.
- jay_41157
Nimbostratus
This is the updated IRULE for above .... thoughts / comments / suggestions please.
when HTTP_REQUEST {
    if { (not [matchclass [string tolower [HTTP::uri]] starts_with $::LegacyExceptions])
         and ([matchclass [string tolower [HTTP::uri]] starts_with $::LegacyPaths]) } {
        # checked for matchclass != exceptions and == LegacyPaths and forward to Legacy_http_pool
        # use snatpool atypon_SNAT
        log local0. "*****DEBUG SNAT applied"
        snat 172.23.0.60
        pool Legacy_http_pool
        # HTTP::redirect http://www.google.com
    } else {
        # when uri matches admin in Literatum check for source ip
        if { [HTTP::uri] starts_with "/admin"
             and (not [matchclass [IP::remote_addr] equals $::Admin]) } {
            # Literatum path for admin uri but not internal IP
            log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"
            HTTP::redirect http://redirect.com/404.html
        } else {
            pool Stage_http_pool
        }
    }
}
- hoolio
Cirrostratus
Assuming the logic works for your scenario, the syntax looks fine.
when HTTP_REQUEST {
    if { (not [matchclass [string tolower [HTTP::uri]] starts_with $::LegacyExceptions])
         and ([matchclass [string tolower [HTTP::uri]] starts_with $::LegacyPaths]) } {
        # checked for matchclass != exceptions and == LegacyPaths and forward to Legacy_http_pool
        # use snatpool atypon_SNAT
        log local0. "*****DEBUG SNAT applied"
        snat 172.23.0.60
        pool Legacy_http_pool
        # HTTP::redirect http://www.google.com
    } else {
        # when uri matches admin in Literatum check for source ip
        if { [HTTP::uri] starts_with "/admin"
             and (not [matchclass [IP::remote_addr] equals $::Admin]) } {
            # Literatum path for admin uri but not internal IP
            log local0. "External IP ([IP::remote_addr]) attempting to access admin path ([HTTP::uri])"
            HTTP::redirect http://redirect.com/404.html
        } else {
            pool Stage_http_pool
        }
    }
}
Aaron
- jay_41157
Nimbostratus
Aaron, thanks for verifying the syntax, I was more curious if there would be any optimization that can be done ....
- jay_41157
Nimbostratus
ok, so now we need ......
/one
/one/
/one/blahblah
But this go to stage_http_pool:
/cenblahblah
And the others to go legacy pool. Any thoughts?
I am unsure if I should change the starts_with to an equals?
- hoolio
Cirrostratus
I think the rule was as efficient as it could be.
Is there any overlap between the URIs you want to go to the two different pools? i.e., are there any instances where you want /one/something to go to stage, but all other /one/* URIs to go to legacy?
If not, you should be able to continue using starts_with. If this doesn't work, can you provide some sanitized (but detailed) examples of two overlapping URIs?
Aaron
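An added example, not part of any post in the thread: a Python model (not iRule code) of the updated rule's routing decision, comparing the admin check as posted with the `string tolower` form suggested in the first reply. The class contents and client addresses are constructed stand-ins for $::LegacyPaths, $::LegacyExceptions and $::Admin.

```python
# Added illustration: a Python model of the thread's iRule decision logic.
# It is not iRule code; class contents and addresses below are constructed.
import ipaddress

LEGACY_PATHS = ["/one", "/two"]            # stands in for $::LegacyPaths (constructed)
LEGACY_EXCEPTIONS = ["/one/keep"]          # stands in for $::LegacyExceptions (constructed)
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # stands in for $::Admin (constructed)


def starts_with_any(value, prefixes):
    """Model of `matchclass <value> starts_with <class>`."""
    return any(value.startswith(p) for p in prefixes)


def is_admin_source(client_ip):
    """Model of `matchclass [IP::remote_addr] equals $::Admin`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_NETS)


def route(uri, client_ip, fold_admin_case):
    """Return the action the rule takes for one request.

    fold_admin_case=False models the updated rule as posted (raw URI compared
    with "/admin"); True models the first reply's suggestion (string tolower).
    """
    lowered = uri.lower()
    if (not starts_with_any(lowered, LEGACY_EXCEPTIONS)
            and starts_with_any(lowered, LEGACY_PATHS)):
        return "Legacy_http_pool"
    admin_uri = lowered if fold_admin_case else uri
    if admin_uri.startswith("/admin") and not is_admin_source(client_ip):
        return "redirect"
    return "Stage_http_pool"


def compare(requests):
    """Rows of (uri, ip, action as posted, action with tolower)."""
    return [(u, ip, route(u, ip, False), route(u, ip, True)) for u, ip in requests]


if __name__ == "__main__":
    sample = [("/admin/users", "203.0.113.9"), ("/Admin/users", "203.0.113.9"),
              ("/ADMIN", "10.1.2.3"), ("/one/blah", "203.0.113.9"),
              ("/one/keep/x", "203.0.113.9")]
    for row in compare(sample):
        print(row)
```

The two result columns differ only for mixed-case admin URIs from non-Admin sources, which matters when the backend serves /Admin and /admin as the same resource.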