OviShare_69630
Nov 02, 2009

iRule Optimization

I have recently run into a performance logjam with my load balancer, and I need help! Without commenting on the logic of doing things this way (we know it is not optimal and are working on a better long-term solution), I need to know how to optimize the following iRule. The datagroup "restricted_URL_datagroup" has over 14,000 entries in it, and all access to that data has to be blocked with a 404 error. I think what I need to do is just ignore the rule entirely if the request comes in from either domain1.com or domain2.com and dump out of the rule on the first match in "restricted_URL_datagroup" rather than processing the entire datagroup. Don't know if any of that is possible. Looking for any help/suggestions. Thanks!

when HTTP_REQUEST {
   # Lowercase the Referer once so both comparisons are case-insensitive
   set refer_host [string tolower [HTTP::header Referer]]
   if { ( not ($refer_host contains ".domain1.com") ) and
        ( not ($refer_host contains ".domain2.com") ) and
        ( [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] ) } {
      # Block content
      HTTP::respond 404 content ""
   }
}
  • Well it's certainly possible to re-arrange it

    Try the following

       
     when HTTP_REQUEST {
        # Negate the whole "contains" comparison, not just the string operand
        if { !([string tolower [HTTP::header Referer]] contains ".domain1.com") and !([string tolower [HTTP::header Referer]] contains ".domain2.com") } {
           if { [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] } {
              HTTP::respond 404 content ""
           }
        }
     }
     

    or

       
       when HTTP_REQUEST {
          # The switch option is -glob; the Referer is a full URL, so the
          # patterns also allow text after the host name
          switch -glob [string tolower [HTTP::header Referer]] {
             "*.domain1.com*" -
             "*.domain2.com*" {
                if { [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] } {
                   HTTP::respond 404 content ""
                }
             }
          }
       }
     

    Note: I didn't check the syntax so you might need to tweak it.

    CB

  • That looks about right, CB, but I think the logic would be if the Referer doesn't contain domain1 or domain2:

     
     when HTTP_REQUEST {
        # The switch option is -glob; the Referer is a full URL, so the
        # patterns also allow text after the host name
        switch -glob [string tolower [HTTP::header Referer]] {
           "*.domain1.com*" -
           "*.domain2.com*" {
              # do nothing
           }
           default {
              if { [matchclass [string tolower [HTTP::path]] contains $::restricted_URL_datagroup] } {
                 HTTP::respond 404 content ""
              }
           }
        }
     }
     

    And trying to optimize an iRule which does a wildcard (contains) search against a datagroup containing 14k entries on most (or is it just many?) HTTP requests is going to get expensive in terms of resources. The rule you first posted with the if's will prevent the matchclass running for any request which has a valid referer header value.

    Aaron
  • You might want to replace your HTTP::path with URI::path to see if that makes a difference.

    CB


  • I changed my rule to use the switch statement, and it seems to have improved things. Maybe 10% improvement...? Kinda hard to tell the true cause, but utilization was down roughly 10% over the last day.

    I think the real culprit for the high CPU utilization is parsing through the now 16K+ entry datagroup.
  • Are there any entries in the datagroup that you encounter more often than not? You can then pull those out and let them process in a smaller datagroup versus a large one. It might help.

    CB
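
The suggestions in this thread combined into one rule, as an added example that is not code from any of the posters: exempt Referers leave the event early, and a small datagroup of frequently hit entries is searched before the full one. The name `restricted_hot_datagroup` is hypothetical; it assumes you have moved the most-requested restricted entries into a separate datagroup.

```tcl
when HTTP_REQUEST {
    # Referer is a client-supplied header; here it only decides which
    # requests skip the datagroup lookups.
    switch -glob [string tolower [HTTP::header Referer]] {
        "*.domain1.com*" -
        "*.domain2.com*" {
            # Exempt referers: leave the event before any datagroup search.
            return
        }
    }

    # Lowercase the path once and reuse it for both lookups.
    set path [string tolower [HTTP::path]]

    # Hypothetical small datagroup holding the most frequently requested
    # restricted entries; searched first so common hits stay cheap.
    if { [matchclass $path contains $::restricted_hot_datagroup] } {
        HTTP::respond 404 content ""
        return
    }

    # Everything else falls through to the full datagroup.
    if { [matchclass $path contains $::restricted_URL_datagroup] } {
        HTTP::respond 404 content ""
    }
}
```

Requests that match neither datagroup still pay for both searches, so the split helps only when blocked requests are concentrated in the small set.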