Forum Discussion

Jeff_McCombs_42
May 03, 2006

multiple rules in a single virtual server

Gurus,

Perhaps I'm just blind, but I haven't seen anything on this in my cursory look through the documentation and online.

What I'd like to be able to do is string two rules together under a virtual server, with each rule operating on the data within an HTTP_REQUEST event...

Is this possible?

e.g.


 rule _security_rule {
    when HTTP_REQUEST {
         # blah blah blah.. strips out TRACE/Track method calls, admin.dll calls, etc.
    }
 }

and


 rule director {
  when HTTP_REQUEST {
   if { [HTTP::uri] contains "/some-application-path/" } {
     pool application-servers
     persist cookie
   }
  }
 }

How could I string these two rules together? When I attach both to a virtual server, the virtual server stops working entirely.. I assume it's because I'm trying to use two rules within the same event.. or something...

Ideas?
  • I should point out that I'm hoping that I can have a centralized 'security rule' that I can apply to _all_ my virtual servers, and still have individual rules for each virtual server that map URIs to pools, or whatever..

    My thought was it'd be nicer to be able to update a single rule, and know that everything is protected, rather than to have to edit a bunch of rules...
  • Deb_Allen_18
    Historic F5 Account
    Hi Jeff --

    You should be able to apply multiple rules to a virtual server even if both include the same events. The event processing is in the order in which the rules are applied to the virtual.

    Not sure why your VS seems to stop working with both applied, but here are some suggestions to help you figure it out:

    1) You might want to use the "return" statement to explicitly end the processing within that event once the appropriate decisions have been made. That will prevent the same event in the next rule from executing.

    2) I also try to avoid selecting pools/making LB decisions in both rules, instead opting for a front end rule to handle redirection on weak encryption, HTTP to HTTPS redirects, header sanitization & other security considerations, with a second load balancing rule applied after to actually do the traffic management (URI switching/re-writing/etc).

    3) Add logging statements in each event & conditional section of code to highlight which lines are executing, and give you some more clues about how your rule is processing traffic.

    HTH

    /deb
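
Added example, not part of either post above: one way to lay out the shared front-end security rule and the per-virtual-server load balancing rule discussed in this thread, with a log line in each branch. It keeps the rule names, URI path and pool name from the question. The `sec_blocked` flag, the 403 response and the exact match strings are assumptions made for illustration, and the hand-off relies on variables set in one rule being visible to the next rule on the same connection.

```tcl
# Added example, not code from the thread. Attach _security_rule to the
# virtual server first and director second.
rule _security_rule {
    when HTTP_REQUEST {
        # Reset on every request: a keep-alive connection carries several.
        set sec_blocked 0    ;# hypothetical flag name
        set method [string toupper [HTTP::method]]
        if { $method eq "TRACE" || $method eq "TRACK" } {
            set sec_blocked 1
            log local0. "_security_rule: refused $method from [IP::client_addr]"
        } elseif { [string tolower [HTTP::uri]] contains "admin.dll" } {
            set sec_blocked 1
            log local0. "_security_rule: refused [HTTP::uri] from [IP::client_addr]"
        }
        if { $sec_blocked } {
            # Answer locally so the request never reaches a pool member.
            HTTP::respond 403 content "Forbidden"
            return
        }
        log local0. "_security_rule: passed $method [HTTP::uri]"
    }
}

rule director {
    when HTTP_REQUEST {
        # Guard in case this handler also runs for a refused request.
        if { [info exists sec_blocked] && $sec_blocked } {
            log local0. "director: skipping, request already refused"
            return
        }
        # No pool selection happens in the security rule; it all lives here.
        if { [HTTP::uri] contains "/some-application-path/" } {
            log local0. "director: [HTTP::uri] -> application-servers"
            pool application-servers
            persist cookie
        }
    }
}
```

Only `_security_rule` needs editing when the block list changes; each virtual server keeps its own second rule and repeats only the three-line guard.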