Forum Discussion
Pirlo
Nimbostratus
NimbostratusSyntax and Effeciency check
Trying to verify syntax and efficiency for the following rule.
Essentially this is a HTTP vip that needs XFF redirection to a dummy pool if the address matches the data group list.
In the below Irule - Is syntax correct? Is their a more effecient way to process?
when HTTP_REQUEST {
check if client_addr = any in the class
if {[matchclass [HTTP::header "X-Forwarded-For"] equals $::pre_test_address_list]} {
use pool dummypool
} else {
use pool prodpool
}
}
And at the end of the rule do I need the "else use pool prodpool" statement? Or can I leave that out and once the Irule inspection is complete will the LTM proceed with the default pool that the VIP lb's to?
when HTTP_REQUEST {
check if client_addr = any in the class
if {[matchclass [HTTP::header "X-Forwarded-For"] equals $::pre_test_address_list]} {
use pool dummypool
}
hoolioCirrostratus
Hi Blue,
If you don't use a OneConnect profile and have multiple clients connect over the same TCP connection (through a proxy), you'd want to explicitly define a pool for both cases. There isn't any efficiency lost by specifying the pool in both cases. See this post for details:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3392157229
Or you could add a OneConnect profile with a /32 mask and then not specify the pool in both cases. This would have the added benefit that server side connections would be re-used for the same client IP address.
Aaron
PirloThanks for the link and taking the time to provide feedback.
Wasnt sure if I was using the matchclass and header inspect properly.- Pirlo
The above mentioned rule failed. The XFF is showing up twice with a comma seperator in the middle.
Is it as simple as changing the matchclass to "contains" instead of "equals"? - hoolioYou'd need to parse out the IP's from the XFF header value. Can you configure whatever device is inserting the XFF to use a more unique header name? If not, you could use something like this to parse comma separated IPs:
when HTTP_REQUEST { Select the prodpool by default pool prodpool Check if XFF header has a value if {[HTTP::header "X-Forwarded-For"] ne ""}{ Some proxies append their XFF value to any existing XFF header. Check if XFF header value contains a comma if {[HTTP::header "X-Forwarded-For"] contains ","}{ Remove any spaces in the string, and then split it into a list on commas set xff [split [string map {" " ""} [HTTP::header value "X-Forwarded-For"]] ","] Get the last comma separated value from the XFF header set xff [lindex $xff [expr {[llength $xff]} - 1]] } else { set xff [HTTP::header "X-Forwarded-For"] } Check if XFF value is in the class if {[matchclass $xff equals $::pre_test_address_list]} { pool dummypool } } }
Note, I'm assuming you only want to check the last IP in the XFF header value. You could also loop through each IP and check it against the class. But then you'd be checking more than your proxy's XFF value.
Aaron - PirloAaron
Thanks for the assist. One last question if anyone can explain.
Aarons Reply
Note, I'm assuming you only want to check the last IP in the XFF header value. You could also loop through each IP and check it against the class. But then you'd be checking more than your proxy's XFF value.
Aaron
Im actually trying to get the first value in the XFF. I have tried several things that I thought would work. How do I get the first value of the XFF
Get the last comma separated value from the XFF header
set xff [lindex $xff [expr {[llength $xff]} - 1]]
Out of all the rules that I have done I thought this one would be cake.
It is still eluding me. - hoolioIn testing this with a customer who was using Squid, we saw the most recent IP appended to the XFF header. Are you sure you want to take the first IP in the list?
If so, you can use something like this:when HTTP_REQUEST { Select the prodpool by default pool prodpool Check if XFF header has a value if {[HTTP::header "X-Forwarded-For"] ne ""}{ Some proxies append their XFF value to any existing XFF header. Check if XFF header value contains a comma if {[HTTP::header "X-Forwarded-For"] contains ","}{ Split the XFF header into a list on commas or spaces and take the first element set xff [lindex [split [HTTP::header value "X-Forwarded-For"] ", "] 0] } else { set xff [HTTP::header "X-Forwarded-For"] } Check if XFF value is in the class if {[matchclass $xff equals $::pre_test_address_list]} { pool dummypool } } }
Aaron - PirloAaron
Once again thanks for taking the time. You have assisted/provided me with 3 solutions that I can work off of to get this issue resolved.
9 times out of 10 I can find my answer searching the forum, but could not in this case.
Reading some older posts I believe it was you that posed the question to another member "Can you insert a different Header value?" Which I think we may move forward with.
At this point my tcpdump shows the first XFF to be the correct one.
I have run into similar symptoms before with 2 XFF addresses, and the last one always been the correct one.
Let me know were to send the beer man. - PirloForgot to notate the actual packet flow. In tcpdump the first XFF show to be the actual.
Client >>> Akamai/Proxy address >>> WAM Address >>> LTM
Actual/First XFF >>> Second XFF value >>> Third XFF Value >>> VIP Side - hoolioAh, that makes sense if it's the Akamai inserted IP you want to use. Thanks for clarifying.
Aaron