Forum Discussion
Vsevolod_Petrov
Cirrostratus
Cirrostratuslocal traffic policy http-header insert action
Hi!
BIG-IP 11.4 introduces new feature called Local Traffic Policies.
Could you please help with the question if it is possible to use iRules commands inside local traffic policies?
I want use logic like represented below. Insert specific header with IP address value.
policy_rule_1 {
actions {
0 {
http-header
insert
name My-Header-Client-IP
value [IP::client_addr]
}
}
conditions { none }
}
Hi zup, the policy you have written looks good. BTW, the value in CPM rule written (Central Policy Matching Engine) is supposed to be a string. I have tested in 11.4, and a rule like the following one, and the result is that IP::client_addr is not interpreted differently than a string (and not as a variable). I will check but i think this was supposed to be done differently, using tcl type of actions instead of http header insert action. Can't you use in the HTTP Profile the "Header Insert" feature instead ? Here you can use variables if you require them, no ?
ltm policy /Common/TEST { requires { http } rules { MyTestRule { actions { 0 { http-header insert name IP_ADD value [IP::client_addr] } } conditions { 0 { http-host host contains values { . } missing } } ordinal 1 }
- something like this (for the HTTP Profile): ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
Vsevolod_PetrovHi Philou! Common syntax is incorrect but idea works.
- Philippe_CLOUP
Employee
Hi zup, the policy you have written looks good. BTW, the value in CPM rule written (Central Policy Matching Engine) is supposed to be a string. I have tested in 11.4, and a rule like the following one, and the result is that IP::client_addr is not interpreted differently than a string (and not as a variable). I will check but i think this was supposed to be done differently, using tcl type of actions instead of http header insert action. Can't you use in the HTTP Profile the "Header Insert" feature instead ? Here you can use variables if you require them, no ?
ltm policy /Common/TEST { requires { http } rules { MyTestRule { actions { 0 { http-header insert name IP_ADD value [IP::client_addr] } } conditions { 0 { http-host host contains values { . } missing } } ordinal 1 }
- Philippe_CLOUPsomething like this (for the HTTP Profile): ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
- Vsevolod_PetrovHi Philou! Common syntax is incorrect but idea works.
- Philippe_CLOUP
something like this for the HTTP Profile:
ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
- Vsevolod_PetrovI'm sorry Philou I didn't noticed you are talking about profiles. HTTP profiles in this case are very limited because you can't insert multiple headers based on different conditions. With policies we have ability to filter request by any condition and insert any specific header.
something like this for the HTTP Profile:
ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
- Vsevolod_PetrovI'm sorry Philou I didn't noticed you are talking about profiles. HTTP profiles in this case are very limited because you can't insert multiple headers based on different conditions. With policies we have ability to filter request by any condition and insert any specific header.
- Vsevolod_Petrov
I checked out and found we can use that commands in policies. That's great!
But by the way I've found another issue with policies. We can't use any special character (e.g. $, !, etc) as name. Using it is actually allowed by http but f5 filters it and generate error.
- Vsevolod_PetrovI wonder how I came to this conclusion that I can use commands in policies. But actually I have just checked it again and noticed that I can't use it at all. When I try to insert [IP::client_addr] it doesn't return ip address in request. All I see at server site is header My-Header-Client-IP with value [IP::client_addr]. It's terrible I spent a lot of time thinking it works.
