Forum Discussion
Faintly_Lucky
Nimbostratus
NimbostratusSecond set of eyes, please
Hello all:
I wrote this iRule with people who don't have many public addresses or have found the need to conserve them in mind. I just started a new job, so I don't have access to any F5s to check my syntax. I'm also not an application or systems person, so I was hoping some of you gurus will take pity on the poor network guy and let me know if I have any of my commands out of order. I don't have much experience with TCL, but I do have program design, so I'm pretty sure that I have all of my brackets in the right place and that there aren't any flaws in my modules, but those are famous last words, so please speak up if you see something. The purpose of this rule is to take a list of sites that do SSL off-loading and switch pool and SSL client profile based on HTTP::host. I'd like feedback about my syntax, command order, and efficiency if that wouldn't be too much trouble.
Thanks in advance,
Lucky
when CLIENT_ACCEPTED {
set default_pool [LB::server pool]
}
when HTTP_REQUEST {
pool $default_pool
array set hostpool {
yoursite.yourdomain.com yoursite.yourdomain.com_pool
yoursite.yourdomain.com yoursite.yourdomain.com_pool
yoursite.yourdomain.com yoursite.yourdomain.com_pool
yoursite.yourdomain.com yoursite.yourdomain.com_pool
}
array set client_ssl_select {
yoursite.yourdomain.com client_ssl_yoursite.yourdomain.com
yoursite.yourdomain.com client_ssl_yoursite.yourdomain.com
yoursite.yourdomain.com client_ssl_yoursite.yourdomain.com
yoursite.yourdomain.com client_ssl_yoursite.yourdomain.com
}
foreach { site pool } [ array get hostpool ] {
switch [string tolower [HTTP::host]] {
$site { pool $pool {
foreach { name profile } [ array get client_ssl_select ] {
switch [string tolower [HTTP::host]] {
$name { SSL::profile $profile SSL::renegotiate
}
}
}
}
}
}
}
hoolioCirrostratus
Do you have a single SSL cert which is valid for all of the hostnames a client could be requesting for this virtual server? If so, you probably don't need the iRule as you can use that single cert. If you don't have such a cert, then the iRule won't work. Clients who make a request to a hostname which isn't listed in the SSL cert will get a mismatched cert warning from their browser. This will happen during the initial SSL handshake and before you have a chance to renegotiate the SSL handshake again from the HTTP_REQUEST event.
Aaron
Faintly_LuckyAaron:
Thank you very much for taking the time to look this over. Unfortunately, the sites in question (from my old job) do not have a cert like that, so it looks like that section of the iRule is out the window. Regarding the rest of it, does it look like an efficient and fast way of selecting different pools for different hosts?
Thanks,
Lucky- hoolioHi Lucky,
As Matt suggested, if you're wanting to test on 10.1.x, LTM VE is a great option.
I think it would be more efficient to define the host to pool mapping in a datagroup rather than defining the mapping in an array that you declare for every request. You can use findclass to look up the host in the class:
String type datagroup which maps the host names to pool names:class host_pool_map_class { "host1 pool1" "host_other some_pool" }
iRule which references the datagroup:when HTTP_REQUEST { Check if there is a host header value if {[HTTP::host] ne "" { Check if the requested Host is in the host_pool_map_class datagroup set my_pool [findclass [string tolower [HTTP::host]] $::host_pool_map_class " "] if { $my_pool ne "" } { pool $my_pool } } }
Note, if you're on 9.4.4 or higher, you should remove the $:: prefix from the iRule's reference of the datagroup.
Aaron - Faintly_LuckyAaron:
Thank you for helping me out with this. I'll give it a try.
Lucky - Faintly_LuckyAaron or anyone else who can answer this:
I tried your solution above with another rule that I am re-engineering because it was absolutely horrendous ( a bunch of if/elsif, totalling 355 lines). The F5 is running 9.3.1 and I'm having a problem when I specify the classes/data-groups. First, I can't specify them in the iRule. I'm not sure if that's because the LB is 9.3.1 and not 10 or if I'm just getting my syntax wrong or doing it in the wrong place. The second problem I am having is when I attempt to input the uri/redirect pairs through the command line (about 50 pairs, so it makes sense to input them via command line). I use the b class command and input them like this:
b class someclass { \
"/uri http://redirect site"
"/someother/longer/uri http://some.other.redirect.site" \
}
When I do a b class list, I get:
b class someclass {
"/uri"
"/someother/longer/uri"
"http://redirectsite'
"http://some.other.redirect.site'
}
Am I doing something wrong with my syntax here? Your example shows that I should put quotes around them and I did. I'm thinking I might want to try doing a b load and starting over. If you see something wrong with my syntax here, please let me know.
Thanks,
Lucky - hoolioHi Lucky,
I don't have ready access to a 9.3.x unit to test this. Can you try adding the datagroup entries through the GUI with two URIs on the same line:
/uri http://redirect_site
/someother/longer/uri http://some.other.redirect.site
...
Aaron