
CGI
May 05, 2012

Optimizing iRule

Hi, below is a rule being used together with geofilter and looking at the specific URI and then sending requests to different pools based on the country. Is there a more effective way to do the same thing with the switch command?

Any suggestions for optimization appreciated.

 

 

 

when CLIENT_ACCEPTED {
    # Allow the connection if the client's country or IP address is in an allow-list data group
    if { [class match [whereis [IP::client_addr] country] eq Allowed_Country_Test] or [class match [IP::client_addr] eq allowed_ip] } {
        set allowed 1
    } else {
        set allowed 0
    }
}

when HTTP_REQUEST {
    if { $allowed } {
        # Pick the pool by country for /compass/ requests
        if { [whereis [IP::client_addr] country] eq "FI" and [HTTP::uri] contains "/compass/" } {
            pool CompassFI_Test_http_pool
        } elseif { [whereis [IP::client_addr] country] eq "DK" and [HTTP::uri] contains "/compass/" } {
            pool CompassDK_Test_http_pool
        } else {
            pool Compass_Test_http_pool
        }
    } else {
        # do whatever you want to indicate the block, e.g.
        HTTP::respond 403 content "The country or IP is not allowed to access this site"
    }
}

/Craig

 

3 Replies

  • hoolio
    Hi Craig,

     

     

    Here's an example which minimizes the repeated commands with an intermediate variable for the country code:

     

     

    when CLIENT_ACCEPTED {
        # Look up the country code once per connection and reuse it
        set cc [whereis [IP::client_addr] country]
        if { [class match $cc eq Allowed_Country_Test] or [class match [IP::client_addr] eq allowed_ip] } {
            set allowed 1
        } else {
            set allowed 0
        }
    }
    when HTTP_REQUEST {
        if { $allowed } {
            switch $cc {
                "FI" -
                "DK" {
                    if { [HTTP::uri] contains "/compass/" } {
                        # Resolves to CompassFI_Test_http_pool or CompassDK_Test_http_pool
                        pool Compass${cc}_Test_http_pool
                    } else {
                        pool Compass_Test_http_pool
                    }
                }
                default {
                    pool Compass_Test_http_pool
                }
            }
        } else {
            # do whatever you want to indicate the block, e.g.
            HTTP::respond 403 content "The country or IP is not allowed to access this site"
        }
    }

    Aaron
  • CGI
    Thanks Aaron that was much cleaner than the previous rule. /Craig
  • CGI

    Hi Aaron, it would seem that we have a problem with the application: it needs the ports to be changed in the Host header, and we use different ports depending on the country.

    Now I know the syntax for the port change:

    HTTP::header replace Host [string map {:80 :7775} [HTTP::host]] for Finland and then

    HTTP::header replace Host [string map {:80 :7776} [HTTP::host]] for Denmark and then last

    HTTP::header replace Host [string map {:80 :7777} [HTTP::host]] for the default pool

    But I am not sure how to combine these statements in the optimised iRule you helped me with.

    Now I could probably do this in another iRule but it would be much better to combine them.

    Any ideas?

     

     

    /Craig
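
One way to fold the Host header port rewrite into the switch-based rule from the first reply, given as an added example that was not posted by anyone in the thread. The variables `pool_name` and `host_port` are hypothetical, and it assumes the port follows the pool that is selected, so the Finland and Denmark ports apply only to `/compass/` requests:

```tcl
# Added example, not code from the thread. pool_name and host_port are
# hypothetical variable names; pool and data-group names are the thread's.
when CLIENT_ACCEPTED {
    # Look up the country once per connection and reuse it for every request.
    set cc [whereis [IP::client_addr] country]
    if { [class match $cc eq Allowed_Country_Test] or [class match [IP::client_addr] eq allowed_ip] } {
        set allowed 1
    } else {
        set allowed 0
    }
}

when HTTP_REQUEST {
    if { $allowed } {
        # Start from the default pool and its port.
        set pool_name Compass_Test_http_pool
        set host_port 7777

        # Assumption: the port goes with the pool, so the country-specific
        # values are used only when the country-specific pool is chosen.
        if { [HTTP::uri] contains "/compass/" } {
            switch -- $cc {
                "FI" {
                    set pool_name CompassFI_Test_http_pool
                    set host_port 7775
                }
                "DK" {
                    set pool_name CompassDK_Test_http_pool
                    set host_port 7776
                }
            }
        }

        # Same substitution as in the post, done once. It changes only Host
        # values that contain ":80", and it also matches the start of a
        # longer port such as ":8080".
        HTTP::header replace Host [string map [list ":80" ":$host_port"] [HTTP::host]]
        pool $pool_name
    } else {
        HTTP::respond 403 content "The country or IP is not allowed to access this site"
    }
}
```

Keeping the allow/deny decision in `CLIENT_ACCEPTED` and the rewrite in a single `HTTP::header replace` call means the block path never touches the Host header or a pool.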