For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Will_Adams_1995's avatar
Will_Adams_1995
Icon for Nimbostratus rankNimbostratus
Nov 11, 2015

Is iRule the correct method?

I am configuring a new policy on my F5 and I was looking to delve a little into iRules I think for part of this policy. I would like to know if an iRule would be the correct method to use? I have never written an iRule so please bare with me.

 

Effectively I will have 3 paths for a URL that I need to direct to the same internal server via a specified port. For example

 

Abc.com/prod. When someone accesses this link externally the F5 would direct queries to this location to Server1:1234.

 

Abc.com/test. When someone accesses this link externally the F5 would direct queries to this location to Server1:5678.

 

Abc.com/dev. When someone accesses this link externally the F5 would direct queries to this location to Server1:5600.

 

From what I have read so far it looks as though using an iRule for http. The iRule would be an "if uri contains "/test" then direct to "server1:5678"".

 

Am I correct here or am I totally going down the wrong method?

 

application delivery
design
devops
iRules
LTM

5 Replies

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Nov 11, 2015

    irules will work of course, and you are heading in the right direction.

     

    YOu can also use Local Traffic Policies. They can be configured via GUI and are easier if you don't have irule experience. You might want to try these first to see if they meet your needs. irules are more flexible if you can't accomplish this in LT policies.

     

    Local Traffic Policies Manual

     

  • Will_Adams_1995's avatar
    Will_Adams_1995
    Icon for Nimbostratus rankNimbostratus
    Nov 12, 2015

    Thanks for the link to the manual, however I couldn't seem to get the LTM configured how I like so I opted to go for an iRule to try and do this. The iRule seems to work, however I noted that on my any alternate statements it doesn't appear to be working. The iRule I have configured is something similar to the following. A reminder of what I am trying to do first

     

    1) External user connects to abc.com/prod. The F5 then reverse proxies this (nat'd) to the internal server on port 1234 2) External user connects to abc.com/dev. The F5 then reverse proxies this to the internal server on port 4567.

     

    So with the above in mind, I wrote an iRule such as:

     

    when HTTP_REQUEST { if { [HTTP::uri starts_with "/prod"} {pool server1 port-1234} if { [HTTP::uri starts_with "/test"} {pool server1 port-4567} if { [HTTP::uri starts_with "/dev} {HTTP::redirect "https://example.com"} else {pool server1 port-1234} }

     

    I think the above is missing an operator between the IF statements and is likely the cause of my problem. The IF statements gets me a result at least for where I am going (I noted if I put say the HTTP redirect in the first if statement) it would actually do the redirect. However in the form it is above, it doesn't seem to work.

     

    I am using the virtual server as a standard type and piping this via an APM configuration. The APM configuration is basically "Start" ==> "Pool Assign" ==> "Allow". However it is likely that I will remove the APM configuration as this really is just an LTM configuration. It is also likely that I will remove the Pool that I created for the server and instead just use the iRule to do a "node" instead of "pool". So effectively the iRule would change to

     

    when HTTP_REQUEST { if { [HTTP::uri starts_with "/prod"} {node 10.10.10.10 1234} if { [HTTP::uri starts_with "/test"} {node 10.10.10.10 4567} if { [HTTP::uri starts_with "/dev} {node 10.10.10.10 8911} else {node 10.10.10.10 1234} }

     

    So where in my if statement am I wrong?

     

    • BinaryCanary_19's avatar
      BinaryCanary_19
      Historic F5 Account
      Nov 12, 2015
      when you paste code, make sure to use the "preformatted/code" button in the editor so that it is easier for others to read the code.
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Nov 12, 2015

    Do you mean that your Else statements appear not to be working?

    when HTTP_REQUEST {
    if {[HTTP::uri] starts_with "/prod" } {
        node 10.10.10.10 1234
    } elseif { [HTTP::uri] starts_with "/test" } {
        node 10.10.10.10 4567 
    } elseif { [HTTP::uri] starts_with "/dev" } {
        node 10.10.10.10 8901
    } else {
        node 10.10.10.10 2345
    }
}

    I imagine something like this is what you desire.

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Nov 12, 2015

    Hi,

    prefer use pool assignment instead of node... create one pool for each URL.

    • pool_prod : member 10.10.10.10 port 1234
    • pool_test : member 10.10.10.10 port 4567
    • pool_dev : member 10.10.10.10 port 8911

    use Local traffic policy :

    • requires : http
    • controls : forwarding
    • rule 1 :
      • condition : http-uri path starts_with /prod
      • action : forward pool pool_prod
    • rule 2:
      • ..
    • rule 3:
      • ..
    • rule 4 (default):
      • condition : none
      • action : forward pool def_pool

    if you really want to use irule, use switch command:

    when HTTP_REQUEST {
    switch -glob [HTTP::path] {
        "/prod*" {
            pool pool_prod
        }
        "/test*" {
            pool pool_test
        }
        "/dev*" {
            pool pool_dev
        }
        default {
            pool def_pool
        }
    }
}