iRule to access database

iRules have Data Groups -- internal lists that you can look up values in. If you are talking about an external database like MySQL or the like, you can't query real-time but you could hack up a method of loading database values into a data group automatically. Picture this -- set up a cron job to request a web page through the BIG-IP every so often. That web page has a list of the database values. An iRule parses that page and stores it in a Data Group for later use by the iRules in real-time.

What we want to do is actually authentication against databases. If as another member suggested, we cache values in iRule data group, do you have idea how big cache BigIP can support?

I know there is a limit to the size of a data group I'm just not sure what it is. But you could consider purchasing the Advanced Client Authentication Module for your BIG-IP which is made to do authentication. It can't talk to a database directly but it can do LDAP, RADIUS, etc.

Thank you for your suggestion! I will do some research on that to see if it is an option. I would like to figure out what the cache limit is.

And I just thought I should clarify a misstatement made earlier in this thread: There really isn't any way currently for an iRule to update a data group -- you'd have to use an internal array for that, and they are not mirrored across a redundant pair, so you'd have to account for that in your iRule initiation logic.

 

 

HTH

 

/deb

Just want to get some suggestion on this. Do you think creating an iRule to accesss an external service which handles accessing the database a feasible solution? The iRule would send a http request and parse the response.

 

 

Is there any similar example out there that I can reference? Thank you very much for any help!

I don't think it is a clean solution -- something like the Advanced Client Authentication module using an industry standard authentication database would be much better.

 

 

But if you have an external source trigger an occasional HTTP request through the BIG-IP to another external server that can provide the database dump in an easy-to-parse web page, then there is no reason you can't parse the results in an iRule, store it in a global array, and then use that array in another iRule to authenticate an HTTP header against the array. I don't know that it has ever been done before. The iRule can not request the database dump on its own, however.

I am trying to make my iRule to send request to a web server. I thought I could use the http package from TCL. However, both package and http commands are disabled. So I tried to see if I can use socket command instead but found out that is disabled too. Why does F5 disable those standard tcl commands? What's the drawback of enabling them if that's possible?

 

 

Thanks a lot!

Check out this recent article "Conditioning iRule Logic on External Information - 1 - HTTP::retry".

 

 

It explains why those commands have been disabled and demonstrates using an external DB query to condition traffic management:

 

 

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=105 (Click here)

 

 

HTH

 

/deb

As I said above the iRule can't initiate the request -- try something like a cron job doing a "curl" every minute that hits a VIP on the BIG-IP.