Tyler_Hardison_
Jan 24, 2014 (Nimbostratus)
Sideband for connections that are not going to a pool?
Hi There!
I'm trying to inject a sideband check that queries an internal server for DNS blacklisting on the source IP addresses. Because I'm not using pools (low-traffic legacy websites), I'm trying to wrap my head around how to inject sideband into this iRule.
Example:
when HTTP_REQUEST {
    switch [HTTP::host] {
        "foo.bar.tld" {
            node 192.168.100.100 80
        }
        "baz.bar.tld" {
            node 192.168.100.101 80
        }
        default {
            HTTP::redirect "http://www.bar.tld/404.html"
        }
    }
}
I would use a data group for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the sideband connection in CLIENT_ACCEPTED like Kevin states; then you don't have to continue processing for blacklisted IPs.
when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]
    # Do sideband connection like described here:
    # https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx
    if { <sideband tells us this is a bad IP address> } {
        # Drop it on the floor.
        drop
    }
    # If it's not a blacklisted IP we let it continue.
}
when HTTP_REQUEST {
    # class match here for destination IP based on [HTTP::host]
    # https://devcentral.f5.com/wiki/irules.class.ashx
}
Here's a more elaborate access control iRule which uses data groups instead of a sideband connection
https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx
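One way to put the two suggestions together, as an added example rather than code from either poster. It assumes an internal HTTP service at 192.168.100.200:8080 (placeholder) that answers GET /check?ip=<addr> with a body containing "LISTED" or "OK", and a string data group named host_to_node whose values are "<address> <port>" strings; the sideband calls are the v11 connect/send/recv/close commands.

```tcl
# Added example, not the original poster's iRule. Assumed: blacklist service at
# 192.168.100.200:8080 answering GET /check?ip=<addr> with "LISTED" or "OK" in the
# body, and a string data group host_to_node mapping host -> "<address> <port>".
when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]
    set blacklisted 0

    # Sideband: open, send, receive, close. Every call carries a timeout so a slow
    # blacklist server cannot stall the client connection indefinitely.
    set conn [connect -timeout 1000 -idle 5 -status conn_status 192.168.100.200:8080]
    if { $conn_status eq "connected" } {
        set req "GET /check?ip=$clientAddress HTTP/1.0\r\nHost: blcheck.internal\r\n\r\n"
        set sent [send -timeout 1000 -status send_status $conn $req]
        if { $sent == [string length $req] } {
            set resp [recv -timeout 1000 -status recv_status $conn]
            # Only an explicit 200 answer counts; anything else is treated as unknown.
            if { [string match "HTTP/1.* 200*" $resp] && [string match "*LISTED*" $resp] } {
                set blacklisted 1
            }
        }
        close $conn
    } else {
        # Fail open: log the outage instead of blocking every client.
        log local0. "blacklist sideband failed for $clientAddress: $conn_status"
    }

    if { $blacklisted } {
        log local0. "dropping blacklisted client $clientAddress"
        drop
    }
}

when HTTP_REQUEST {
    # Data group lookup replaces the hard-coded switch; unknown hosts get the redirect.
    set target [class match -value [string tolower [HTTP::host]] equals host_to_node]
    if { $target ne "" } {
        node [lindex $target 0] [lindex $target 1]
    } else {
        HTTP::redirect "http://www.bar.tld/404.html"
    }
}
```

Whether to fail open or closed when the blacklist service is unreachable is a policy decision; this block logs and allows so that an outage of the check does not become an outage of the websites.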