Forum Discussion

Vsevolod_Petrov's avatar
Vsevolod_Petrov
Icon for Cirrostratus rankCirrostratus
Oct 31, 2013

local traffic policy http-header insert action

Hi!

BIG-IP 11.4 introduces new feature called Local Traffic Policies.

Could you please help with the question if it is possible to use iRules commands inside local traffic policies?

I want use logic like represented below. Insert specific header with IP address value.

policy_rule_1 {
    actions {
0 {
    http-header
    insert
    name My-Header-Client-IP
    value [IP::client_addr]
}
    }
    conditions { none }
    }
  • Philippe_CLOUP_'s avatar
    Philippe_CLOUP_
    Historic F5 Account

    Hi zup, the policy you have written looks good. BTW, the value in CPM rule written (Central Policy Matching Engine) is supposed to be a string. I have tested in 11.4, and a rule like the following one, and the result is that IP::client_addr is not interpreted differently than a string (and not as a variable). I will check but i think this was supposed to be done differently, using tcl type of actions instead of http header insert action. Can't you use in the HTTP Profile the "Header Insert" feature instead ? Here you can use variables if you require them, no ?

     

    ltm policy /Common/TEST { requires { http } rules { MyTestRule { actions { 0 { http-header insert name IP_ADD value [IP::client_addr] } } conditions { 0 { http-host host contains values { . } missing } } ordinal 1 }

     

    • Philippe_CLOUP_'s avatar
      Philippe_CLOUP_
      Historic F5 Account
      something like this (for the HTTP Profile): ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
  • Hi zup, the policy you have written looks good. BTW, the value in CPM rule written (Central Policy Matching Engine) is supposed to be a string. I have tested in 11.4, and a rule like the following one, and the result is that IP::client_addr is not interpreted differently than a string (and not as a variable). I will check but i think this was supposed to be done differently, using tcl type of actions instead of http header insert action. Can't you use in the HTTP Profile the "Header Insert" feature instead ? Here you can use variables if you require them, no ?

     

    ltm policy /Common/TEST { requires { http } rules { MyTestRule { actions { 0 { http-header insert name IP_ADD value [IP::client_addr] } } conditions { 0 { http-host host contains values { . } missing } } ordinal 1 }

     

    • Philippe_CLOUP's avatar
      Philippe_CLOUP
      Icon for Employee rankEmployee
      something like this (for the HTTP Profile): ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }
  • something like this for the HTTP Profile:

     

    ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }

     

    • Vsevolod_Petrov's avatar
      Vsevolod_Petrov
      Icon for Cirrostratus rankCirrostratus
      I'm sorry Philou I didn't noticed you are talking about profiles. HTTP profiles in this case are very limited because you can't insert multiple headers based on different conditions. With policies we have ability to filter request by any condition and insert any specific header.
  • Philippe_CLOUP_'s avatar
    Philippe_CLOUP_
    Historic F5 Account

    something like this for the HTTP Profile:

     

    ltm profile http /Common/HTTP_Insert_ClientIP { app-service none defaults-from /Common/http header-insert "HeaderInsert: [IP::client_addr]" }

     

    • Vsevolod_Petrov's avatar
      Vsevolod_Petrov
      Icon for Cirrostratus rankCirrostratus
      I'm sorry Philou I didn't noticed you are talking about profiles. HTTP profiles in this case are very limited because you can't insert multiple headers based on different conditions. With policies we have ability to filter request by any condition and insert any specific header.
  • I checked out and found we can use that commands in policies. That's great!

     

    But by the way I've found another issue with policies. We can't use any special character (e.g. $, !, etc) as name. Using it is actually allowed by http but f5 filters it and generate error.

     

    • Vsevolod_Petrov's avatar
      Vsevolod_Petrov
      Icon for Cirrostratus rankCirrostratus
      I wonder how I came to this conclusion that I can use commands in policies. But actually I have just checked it again and noticed that I can't use it at all. When I try to insert [IP::client_addr] it doesn't return ip address in request. All I see at server site is header My-Header-Client-IP with value [IP::client_addr]. It's terrible I spent a lot of time thinking it works.