Forum Discussion
Zabeel_101104 (Nimbostratus), Oct 20, 2011
iRule issue with priority groups and continue to end of script
Hi,
We have an issue with our iRules where access lists are used for users to only be able to access what's defined in the group for them only, for website access. The issue we have is that I would like them to continue dropping into other groups if no match is found for what they are trying to get to.
At the moment they get to what's defined in their own group and that's all, nothing else. Without having to duplicate URLs for users, I would like to make this efficient, where if the match is not found they continue into other groups defined in priority 509 as below, on till the end, then stop. In between there are other iRules such as 501, which is IP address controlled.
Attached is an omitted version of the iRule we have in place:
```tcl
# This iRule processes requests which were not caught by the HTTP Class
# and handles access restrictions to certain sites
when HTTP_REQUEST priority 501 {
    # group 1 IPs only
    if { [class match [IP::client_addr] eq grp-1] } {
        log local0. "Entered 501 this group 501"
        # Disable LDAP authentication via APM
        ACCESS::disable
        # Access controlled by source address sites
        # Anything that doesn't match exits the event
        switch -glob [string tolower [HTTP::host]] {
            "websiteurlhere.com" { pool grp-server2 }
            default { return }
        }
    }
}
# ....
# ....
# ....
when HTTP_REQUEST priority 509 {
    log local0. "Entered 509 to get my_host"
    set my_host [string tolower [HTTP::host]]
}
when ACCESS_ACL_ALLOWED {
    log local0. "APM Done - ACL Allowed"
    # Everyone else
    # All other sites
    # Anything that doesn't match send a RST
    switch -glob $my_host {
        "host_url_here" { pool grp-webserver1 }
        default { return }
    }
}
```
Any help appreciated
Regards
Zabeel
- Zabeel_101104 (Nimbostratus): anyone?
- John_Alam_45640 (Historic F5 Account): At first glance, it looks like the default {return} is causing the iRule to stop processing that event.
- Zabeel_101104 (Nimbostratus): Hi John
- Michael_Yates (Nimbostratus): You do not need to list a default action unless you have one. The normal default action (unless you specify one) will allow all traffic that does not qualify for an iRule action to be passed through to the default pool applied to the Virtual Server.

  ```tcl
  when HTTP_REQUEST {
      if { [class match [IP::client_addr] eq grp-1] } {
          ACCESS::disable
          switch -glob [string tolower [HTTP::host]] {
              "websiteurlhere.com" { pool grp-server2 }
          }
      }
  }
  when ACCESS_ACL_ALLOWED {
      switch -glob [string tolower [HTTP::host]] {
          "host_url_here" { pool grp-webserver1 }
      }
  }
  ```
- Zabeel_101104 (Nimbostratus): Thanks for the reply Michael.
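
An added example, not code from any poster in this thread or from F5: one way to let a grp-1 client fall through to the APM-controlled group when its own group has no entry for the host, while still ending the chain in an explicit deny, because with no default branch at all an unmatched host goes to the Virtual Server's default pool. The data group, pools and host patterns are the thread's placeholders; the `routed` variable is a hypothetical name, and the sketch assumes both handlers sit on one virtual server with an APM access profile and that `reject` behaves in `ACCESS_ACL_ALLOWED` on the BIG-IP version in use.

```tcl
# Added example (sketch built on the thread's placeholders, not the poster's iRule).
when HTTP_REQUEST priority 501 {
    # Reset per-request state; variables persist across events on a connection.
    set routed 0
    set my_host [string tolower [HTTP::host]]

    # Group 1: sites controlled by source address.
    if { [class match [IP::client_addr] equals grp-1] } {
        switch -glob $my_host {
            "websiteurlhere.com" {
                # Bypass APM only when this group really owns the host.
                ACCESS::disable
                pool grp-server2
                set routed 1
            }
        }
        # No default branch: an unmatched host stays under APM and is
        # evaluated by the next group in ACCESS_ACL_ALLOWED.
    }
}

when ACCESS_ACL_ALLOWED {
    # Defensive guard: skip if an earlier group already chose a pool.
    if { $routed } { return }

    # Everyone else: sites reachable after APM authentication.
    switch -glob $my_host {
        "host_url_here" {
            pool grp-webserver1
        }
        default {
            # End of the chain: no group matched, so fail closed instead of
            # letting the request reach the virtual server's default pool.
            log local0. "No group matched $my_host from [IP::client_addr], rejecting"
            reject
        }
    }
}
```

The key difference from the original rule is that `ACCESS::disable` moves inside the host match, so a grp-1 client requesting a host outside its own list is still authenticated by APM before the second group is consulted.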