
janardhan123_20
Aug 27, 2015

Route request to new pool based on IP range & URI matches

Hello,

We have an original iRule which routes the requests based on URI matches.

We would need to add the below logic to the current iRule.

1) When both the IP matches and the URI (i.e. /welcome) matches, route only those requests to pool Pool_abc.com_HTTP, else route requests to pool pool_xyz.com_http (IP validation added some logic to the original iRule which is currently working).

2) The issue is if I hit the URL with a non-matching URI (/asdf), as per the logic the request is routed to pool_xyz.com_http and a cookie is inserted. Then I navigate from the non-matching URI (/asdf) to the matching URI (/welcome), the iRule gets executed (both IP & URI match), the request is routed to Pool_abc.com_HTTP and a new cookie is inserted, which is right. But we see both the old cookie and the new cookie.

I would like to delete the old cookie and insert the new cookie if I navigate from the non-matching URI (/asdf) to the matching URI (/welcome).

Current iRule:

when RULE_INIT {
    # create static variables instead of creating variable on each HTTP Request event
    set static::cookie_match "test_73686f70123c"
    # Log debug messages to /var/log/ltm ? 1=yes, 0=no
    set static::var_debug 1
}

when HTTP_REQUEST {
    if { not [class match [IP::client_addr] equals class_IP_list] } {
        set is_ip_allowed 0
    } else {
        set is_ip_allowed 1
        if {[HTTP::cookie exists $static::cookie_match]} {
            persist cookie insert $static::cookie_match
            pool pool_abc_http
            return added
        }
    }

    switch -glob [string tolower [HTTP::uri]] {
        "*welcome*" -
        "*test*" {
            if {$is_ip_allowed} {
                if {$static::var_debug} {log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
                persist cookie insert $static::cookie_match 0
                pool pool_abc.com_http
            } else {
                if {$static::var_debug} {log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
                reject
            }
        }
        # (the rest of the rule is not shown in the post)
    }
}

============

Thanks,
Janardhan.

4 Replies

  • Hi,

    New account, but same need, same iRule and question format unreadable!!!

    I will ask the same question as Sivani (account weblead)... Why do you need to remove this cookie?????

    If you really need to remove it, the best solution is to do an HTTP redirect to the same location, changing the expiration date of the cookie to 1970, or to add a condition in the HTTP_RESPONSE event and add the cookie with an expiration date of 1970.

  • Thanks for the revert. The cookie contains which pool member (instance) is serving the request. Since we have 2 cookies (old and new cookie), people get confused about which instance is serving the request, though we tested that the new pool member (new cookie) is serving the request based on logs.

    So we wanted to remove the old cookie.

    Thanks, Janardhan.

  • Hi,

    try this irule:

    when RULE_INIT {
        # create static variables instead of creating variable on each HTTP Request event
        set static::cookie_match "test_73686f70123c"
        set static::cookie_default "73686f70123c"
        set static::cookie_null [format "73686f70123c=deleted; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"]
        # Log debug messages to /var/log/ltm ? 1=yes, 0=no
        set static::var_debug 1
    }

    when HTTP_REQUEST {
        set testSession 0
        if { not [class match [IP::client_addr] equals class_IP_list] } {
            set is_ip_allowed 0
        } else {
            set is_ip_allowed 1
            if {[HTTP::cookie exists $static::cookie_match]} {
                set testSession 1
                persist cookie insert $static::cookie_match
                pool pool_abc_http
                return added
            }
        }

        switch -glob [string tolower [HTTP::uri]] {
            "*welcome*" -
            "*test*" {
                if {$is_ip_allowed} {
                    if {$static::var_debug} {log local0. "client IP <[IP::client_addr]> matching allowed IP for URI [HTTP::uri]"}
                    persist cookie insert $static::cookie_match 0
                    pool pool_abc.com_http
                    set testSession 0
                } else {
                    if {$static::var_debug} {log local0. "Reject : client IP <[IP::client_addr]> not matching allowed IP for URI [HTTP::uri]"}
                    reject
                }
            }
        }
    }

    when HTTP_RESPONSE {
        # Expire the old cookie on the client when the request carried the test cookie
        if {$testSession} {
            HTTP::cookie remove $static::cookie_default
            HTTP::header insert Set-Cookie $static::cookie_null
        }
    }
    
  • You can replace the HTTP_RESPONSE event by:

    when HTTP_RESPONSE {
        if {$testSession} {
            HTTP::cookie remove $static::cookie_default
            HTTP::cookie insert name $static::cookie_default value deleted path /
            HTTP::cookie expires $static::cookie_default 0 absolute
        }
    }
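
The replies above remove the old cookie by sending it again with a 1970 expiry. A browser only evicts a stored cookie when the expired one has the same name and path, so this added example (not code from the thread) models that check with a simplified single-host cookie store. The cookie values are constructed, and it assumes the old cookie was set with path=/.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Return (name, value, attrs) from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def default_path(request_path):
    """RFC 6265 default-path: the request path up to its last '/'."""
    cut = request_path.rfind("/")
    return request_path[:cut] if cut > 0 else "/"

def apply_set_cookie(jar, header, request_path="/", now=None):
    """Update a simplified one-host cookie store keyed by (name, path)."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    key = (name, attrs.get("path") or default_path(request_path))
    expires = attrs.get("expires")
    if expires and parsedate_to_datetime(expires) <= now:
        jar.pop(key, None)  # expired: evicts only the same name AND path
    else:
        jar[key] = value
    return jar

def cookie_names(jar):
    return sorted(name for name, _path in jar)

# Constructed sample headers; the cookie names are the ones used in the thread.
OLD = "73686f70123c=member-a; path=/"
NEW = "test_73686f70123c=member-b; path=/"
DELETE_OK = "73686f70123c=deleted; path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"
DELETE_WRONG_PATH = "73686f70123c=deleted; path=/welcome; Expires=Thu, 01-Jan-1970 00:00:00 GMT;"

def simulate(delete_header, request_path="/welcome"):
    """Store the old and new cookies, apply the delete header, list what is left."""
    jar = {}
    for header in (OLD, NEW, delete_header):
        apply_set_cookie(jar, header, request_path=request_path)
    return cookie_names(jar)

if __name__ == "__main__":
    print(simulate(DELETE_OK))
    print(simulate(DELETE_WRONG_PATH))
```

If both cookies are still visible after deploying the rule, compare the Path (and Domain) on the original Set-Cookie with the one on the expiring Set-Cookie.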