FTP Proxy Destinations
Hi Geniuses,
I am looking for some help. I have used Bhattman's brilliant Proxy iRule and tried to enhance it, but it doesn't work correctly.
The Setup:
I have some servers that need to use the pool ftp-proxy and some for which I want the iRule as a proxy. This works great. The Bluecoat takes the input of username@domain.com and so does the iRule.
The Dilemma:
I have 5 application servers that contain 4 applications each. All of them use a script to FTP their jobs. Each application server is a single address. So when I put that address in the data group called proxylist, 2 of the 4 applications break and the other 2 work. However, when I take them out of the proxylist the problem reverses. The 2 that worked break and the 2 that broke now work. So I started to rewrite the iRule so that I can now send based on the destination they are FTPing to.
However, in my tests the code is not working correctly. Can the brilliant minds in this forum take a look and tell me where I am going wrong?
```tcl
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] eq proxylist ] } {
        pool ftp-proxy
        # Exit Binary Statement so it bypasses any other events.
        snat none
        set ret 1
        return
    } else {
        # Set exit binary to 0 so we can hit all the events for the Irule FTP functionality
        set ret 0
        TCP::respond "220 Welcome to the Irule Proxy \r\n"
        TCP::collect
    }
}
when CLIENT_DATA {
    if {$ret} {return}
    set ftplogin [TCP::payload]
    if { $ftplogin starts_with "USER" } {
        set dnslookup "8.8.8.8"
        set cuser [TCP::payload]
        scan $ftpuser {%[^@]@%s} blah domainname
        scan $blah %s%s cmd uid
        set ips [RESOLV::lookup @$dnslookup -a $domainname]
        if {$ips eq "" } {
            # Input wasn't an IP address, take some default action?
            reject
        } else {
            # This is intended to take the domain name entered from the user and see if matches
            # The datagroup dg-forward-to-proxy
            # Once it matches it sends to to the ftp-pool and sets the variable up for the
            # Server Data Event
            if { [class match $domainname eq dg-forward-to-proxy ] } {
                set sendproxy 1
                pool ftp-proxy
                snat none
                return
            }
            TCP::payload replace 0 [TCP::payload length] ""
            set ftp_serv "[lindex $ips 0]"
            node [lindex $ips 0] [TCP::local_port]
        }
    }
    TCP::release
}
when SERVER_CONNECTED {
    if {$ret} {return}
    TCP::collect 20
}
when SERVER_DATA {
    if {$ret} {return}
    log local0. "This is selected"
    set server_data [TCP::payload]
    if { $server_data contains "220" } {
        # This takes the variable created in Client data and sends the username@domainname to the FTP
        # proxy otherwise it sends to directly to the FTP server.
        if { $sendproxy } {
            TCP::respond "USER $uid@$ips\r\n"\
        } else {
            TCP::respond "USER $uid\r\n"
        }
        TCP::payload replace 0 [TCP::payload length] ""
    }
    TCP::release
}
```
-==DECKARD==-
- Deckard_214802 (Nimbostratus)
Anyone up for the challenge?
-==DECKARD==-
- Deckard_214802 (Nimbostratus)
Anyone?
-==DECKARD==-
- PeteWhite (Employee)
equals, no eq
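
One way the first two events of the thread's iRule could look with the reply's correction applied, as an added example that is not code from any poster in this thread. It reuses the thread's data groups, pool and resolver address. Parsing the `USER` line with a single `scan` on the payload and defaulting `sendproxy` to 0 are assumptions about what the rule is meant to do.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: give sendproxy a default so SERVER_DATA never reads an unset variable
    set sendproxy 0
    # class match takes equals / starts_with / ends_with / contains as its operator;
    # eq is a Tcl expr operator and is not one of them
    if { [class match [IP::client_addr] equals proxylist] } {
        pool ftp-proxy
        snat none
        set ret 1
        return
    }
    set ret 0
    TCP::respond "220 Welcome to the Irule Proxy \r\n"
    TCP::collect
}

when CLIENT_DATA {
    if { $ret } { return }
    # Assumption: the first client line is "USER uid@domain".
    # scan returns how many fields it converted; anything other than 2 is malformed input.
    if { [scan [TCP::payload] {USER %[^@]@%s} uid domainname] != 2 } {
        reject
        return
    }
    set ips [RESOLV::lookup @8.8.8.8 -a $domainname]
    if { $ips eq "" } {
        # Name did not resolve, so there is nowhere to send the session
        reject
        return
    }
    if { [class match $domainname equals dg-forward-to-proxy] } {
        # Destination is listed in the data group: use the proxy pool
        set sendproxy 1
        pool ftp-proxy
        snat none
    } else {
        # Otherwise connect straight to the resolved FTP server
        node [lindex $ips 0] [TCP::local_port]
    }
    # Drop the client's USER line in both branches; SERVER_DATA re-sends it after the 220 banner
    TCP::payload replace 0 [TCP::payload length] ""
    TCP::release
}
```

Because the rule connects to whatever host the client names in the `USER` line, restricting which clients may reach this virtual server limits who can use it as a relay.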