adrian_171483
Sep 04, 2015

iRule problems

Hi, I have a quirky request from a customer for the following conditions.

They have 3 pools; one of the pools has servers that are listening on 8443, doing its own offload.

So the conditions required are a single virtual server that is SSL offloading, then depending on the URI drop to the pool below. So simple thing.. then it gets a bit more complicated.

As one of the pools requires a server-side SSL, I have applied this to the virtual server and then attempted to remove this within the iRule.

Also one of the URIs is requested to be stripped after matching, then forwarded to the pool.

So I came up with the following iRule, but it doesn't work for any of the conditions. I could have this all wrong.

Also we have just upgraded to 11.6, so wondering if this is not helping my cause.

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::uri]] {
            "/dashboard" -
            "/filecatcher" {
                SSL::disable serverside
                pool 5000-farm
            }
            "/NEWDashboard*" {
                pool 8443-farm
            }
            if { [HTTP::uri] starts_with "/test" } {
                HTTP::uri replace "/test" "/"
                SSL::disable serverside
                pool 9080-farm
            }
        }
    }
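Added example, not part of the original post or of any reply: the same routing written as a valid `switch`. A `switch` body accepts only pattern/body pairs, so the `if` cannot sit inside it, and patterns compared against a lower-cased URI must themselves be lower case. Pool names and paths are the ones in the post; how `/test` is stripped and what happens to unmatched URIs are assumptions.

```tcl
when HTTP_REQUEST {
    # Match on a lower-cased copy; every pattern below is therefore lower case.
    set uri_lc [string tolower [HTTP::uri]]

    # The virtual server carries a server SSL profile. Turn server-side SSL off
    # by default and re-enable it only for the pool that does its own SSL.
    SSL::disable serverside

    switch -glob -- $uri_lc {
        "/dashboard" -
        "/filecatcher" {
            pool 5000-farm
        }
        "/newdashboard*" {
            # Servers in this pool listen on 8443 and terminate SSL themselves.
            SSL::enable serverside
            pool 8443-farm
        }
        "/test*" {
            # Assumption: "stripped" means dropping the leading "/test"
            # (5 characters) and forwarding whatever follows it.
            set rest [string range [HTTP::uri] 5 end]
            if { ![string match "/*" $rest] } {
                # Keep the rewritten URI rooted at "/" (covers a bare "/test").
                set rest "/$rest"
            }
            HTTP::uri $rest
            pool 9080-farm
        }
        default {
            # Assumption: unmatched requests fall through to the virtual
            # server's default pool with server-side SSL left disabled.
        }
    }
}
```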

 

8 Replies

  • Hi,

    a variant without switch, but should have the same effect

    when HTTP_REQUEST {

        # VS has a serverside SSL profile attached, but in general we don't want SSL on serverside
        SSL::disable serverside

        if { ([string tolower [HTTP::uri]] eq "/dashboard") || ([string tolower [HTTP::uri]] eq "/filecatcher") } {

            pool 5000-farm

        } elseif { [HTTP::uri] starts_with "/test" } {

            # HTTP::uri takes the new URI as its argument; rewrite "/test" to "/"
            HTTP::uri [string map {"/test" "/"} [HTTP::uri]]
            pool 9080-farm

        } elseif { [HTTP::uri] starts_with "/NEWDashboard" } {

            # Path taken from the original post's rule; this pool does its own SSL on 8443
            SSL::enable serverside
            pool 8443-farm

        } else {

            # Insurance to make sure that if it is enabled anywhere it gets disabled
            SSL::disable serverside
        }
    }
    
  • You mentioned you're running v11.6.0.

    Would it not be preferable to use an LTM Policy?

    I could conjure up one for you if you're interested.


  • Thanks for the offer.. to be honest I am not familiar with the policies and how they work, but I would be interested to see if it could be used?

     

    • Opher_Shachar_6
      I'll gladly do it. It'll take a few minutes. Do you have terminal access to your unit, e.g. through PuTTY on Windows? Otherwise, you'll need to recreate it from the Web GUI (a.k.a. Configuration Utility).
  • Ahh ok.. so I reckon I could feel about in the web GUI.. I'll try the policy out on my virtual box.. is there an easy way to see the syntax from the GUI?

     

  • Wow.. there seems to be a fair bit involved.. I'll try the iRule at first.. but I might give the policy a try.

     

    Thanks for showing all this, makes it easier to see it being done.

     

    • Opher_Shachar_6
      LTM Policy is the way of the future and preferred :) See https://devcentral.f5.com/s/articles/ltm-policy especially the section "LTM Policy and iRules".
  • A big thanks for this.. I'll run it past our production guys and see if they are happy to support it.