Forum Discussion

Tyler_Hardison_'s avatar
Tyler_Hardison_
Icon for Nimbostratus rankNimbostratus
Jan 24, 2014

Sideband for connections that are not going to a pool?

Hi There! I'm trying to inject a sideband check that queries an internal server for dns blacklisting on the source IP addresses. Because I'm not using pools (low traffic legacy websites) I'm trying...
application delivery
devops
iRules
  • Aaron_Forster_3's avatar
    Aaron_Forster_3
    Jan 24, 2014

    I would use a datagroup for the URL lookup instead of statically modifying the iRule every time you need to make a change. You could do the side band connection in client_accepted like kevin states, then you don't have to continue processing for blacklisted IPs.

    when CLIENT_ACCEPTED {
    set clientAddress [IP::client_addr]

     Do sideband connection like described here
    https://devcentral.f5.com/wiki/irules.sideband-connection-http-example.ashx

    if { sideband tells us this is a bad IP address } {
         Drop it on the floor.
        drop
    }

     If it's not a blacklisted IP we let it continue

}
when HTTP_REQUEST {
    class match here for destination IP based on [HTTP::host]
    https://devcentral.f5.com/wiki/irules.class.ashx
}

    Here's a more elaborate access control iRule which uses data groups instead of a sideband connection

    https://devcentral.f5.com/wiki/iRules.AccessControlBasedOnNetworkOrHost.ashx

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jan 24, 2014

A few things:

 

  1. What protocol would you be using to query the internal blacklist server? How is the data stored? LDAP/DB/REST call/DNS?

     

  2. Making a sideband call in each HTTP request would potentially add significant overhead. At the very least I would do it in the CLIENT_ACCEPTED event.