Forum Discussion

milo
Aug 09, 2011

This iRule should be simple

I was asked to create a security policy that forwarded traffic based on specific strings in the URI to a 3rd party server via SSL. After cobbling a few rules together, I came up with something that appeared to be working. But after some testing, it was discovered that all traffic was being sent to the 3rd party server after the secured traffic triggered the iRule. Can you please tell me what I am missing in the iRule?

when HTTP_REQUEST {
  # Reset the flag on every request
  set secure_service 0
  if { [HTTP::uri] starts_with "/abc" } {
    # Remainder of the URI after "/abc/" (findstr skips 4 characters from the start of "abc")
    set secure_req [findstr [HTTP::uri] "abc" 4]
    set secure_service 1
  }
  if { $secure_service == 1 } {
    HTTP::uri "/10521/$secure_req"
    snatpool secure_snat
    pool secure
    log "The secure request received is $secure_req"
    log "The secure URL is [HTTP::uri]"
  }
}

when SERVER_CONNECTED {
  # Server-side SSL is only wanted for the secure pool
  if { $secure_service == 0 } {
    SSL::disable
  }
}

when HTTP_RESPONSE {
  if { $secure_service == 1 } {
    log "HTTP Status is [HTTP::status] from server [IP::remote_addr]"
    log "Service is $secure_service"
  }
}

  • Hi Milo,

    Are you looking to secure all traffic that meets your HTTP::uri search pattern, or just certain portions of traffic?
  • milo
    I'm trying to secure traffic that meets my HTTP::uri search pattern. For instance, URIs starting with /abc/secure1, /abc/secure2, and /abc/secure3. All other traffic to the vip should be forwarded to the default pool.
  • milo
    I was able to resolve the issue by adding an Else statement to forward unsecured traffic to our pool. The pool was already defined in the virtual server config. I'm not sure why it needed to be referenced with an Else statement, and now I can't apply it to other virtual servers which use different pools. Any thoughts on how to make this iRule more generic and functional would be appreciated.

    when HTTP_REQUEST {
      # Reset the flag on every request
      set secure_service 0
      if { [HTTP::uri] contains "/abc/s" } {
        # Remainder of the URI after "/abc/"
        set secure_req [findstr [HTTP::uri] "abc" 4]
        set secure_service 1
      }
      if { $secure_service == 1 } {
        HTTP::uri "/10521/$secure_req"
        snatpool secure_snat
        pool secure
        log "The secure request received is $secure_req"
        log "The secure URL is [HTTP::uri]"
      } else {
        # Explicitly send everything else back to the default pool
        pool my.site.com
        log "Client connected to default pool - [LB::server] "
        log "The securentry URL is [HTTP::uri]"
      }
    }

    when SERVER_CONNECTED {
      if { $secure_service == 0 } {
        SSL::disable
      }
    }

    when HTTP_RESPONSE {
      if { $secure_service == 1 } {
        log "HTTP Status is [HTTP::status] from server [IP::remote_addr]"
        log "Service is $secure_service"
      }
    }
  • The pool command affects the destination for the current TCP connection. Subsequent HTTP requests within the same connection will go to the selected pool unless you specifically tell it to go elsewhere. Looking over your iRule I can't see any large optimizations but here are some updates that may assist.

    # Send traffic to a secure service when string found in URI
    when HTTP_REQUEST {
      set secure_service 0
      if { [HTTP::uri] contains "/abc/s" } {
        # Capture the remainder before rewriting the URI, so the log line
        # does not depend on whether [HTTP::uri] reflects the rewrite
        set secure_req [findstr [HTTP::uri] {abc} 4]
        HTTP::uri "/10521/$secure_req"
        snatpool secure_snat
        pool secure
        set secure_service 1
        log "The secure request received is $secure_req"
        log "The secure URL is [HTTP::uri]"
      } else {
        pool my.site.com
        SSL::disable
        log "Client connected to default pool - [LB::server] "
        log "The securentry URL is [HTTP::uri]"
      }
    }
    when HTTP_RESPONSE {
      if { $secure_service } {
        log "HTTP Status is [HTTP::status] from server [IP::remote_addr]"
        log "Service is $secure_service"
      }
    }

    - results of commands inside an event are cached so you can use repeatedly

    - zero is false, 1 is true

    - the first "if" defines what is considered a secure service, the second "if" is redundant as a result.

    - SSL::disable can be used in the HTTP event.

    Jarvil

  • milo
    Jarvil, thanks for the optimization tips and the explanation of how the pool command affects the data stream. I had no idea the pool command affected the entire TCP stream. The sad thing is I watched it happen as I reviewed the logs and tcpdumps and I refused to accept what I was seeing.
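An added example, not code posted in the thread, that applies Jarvil's point (the pool, SNAT and server-side SSL choices are made per TCP connection, so a keep-alive connection that once carried a secure request keeps that routing until a later request overrides it) and answers milo's "make it generic" question by reading the virtual server's own default pool instead of hard-coding one. It also matches on the path rather than the full URI, so a query string such as ?next=/abc/secure1 cannot trigger the secure branch. All names are assumptions: a string data group secure_uris holding the secure path prefixes (/abc/secure1, /abc/secure2, /abc/secure3 from milo's description), a pool secure reached over server-side SSL, a SNAT pool secure_snat, and a virtual server whose default pool is the non-secure site and uses no SNAT. The class command needs v10 or later.

```tcl
# Added example (not from the thread). Assumed objects: data group
# "secure_uris" (string type), pool "secure", SNAT pool "secure_snat",
# and a virtual server whose default pool is the non-secure site.

when CLIENT_ACCEPTED {
    # LB::server pool, read before any pool command has run on this
    # connection, is the virtual server's default pool. Saving it here
    # makes the rule reusable on virtual servers with different pools.
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {
    # Match on the path only: "contains" on the whole URI would also fire
    # on a query string like /index.html?next=/abc/secure1
    set path [HTTP::path]
    set secure_service 0

    if { [class match $path starts_with secure_uris] } {
        set secure_service 1
    }

    # Both branches set pool, SNAT and server-side SSL explicitly. These
    # settings belong to the TCP connection, not to the request, so a
    # later request on the same keep-alive connection must reset them.
    if { $secure_service } {
        # Take the remainder of the full URI after "/abc/" so the query
        # string survives the rewrite (findstr skips the 5-character
        # prefix). Assumes every data group entry starts with /abc/.
        set secure_req [findstr [HTTP::uri] {/abc/} 5]
        HTTP::uri "/10521/$secure_req"
        snatpool secure_snat
        # Name the side explicitly instead of relying on the event's side
        SSL::enable serverside
        pool secure
        log local0. "secure request $secure_req -> [HTTP::uri] via pool secure"
    } else {
        # Assumes the default pool is reached without SNAT and without
        # server-side SSL; adjust to match the virtual server
        snat none
        SSL::disable serverside
        pool $default_pool
        log local0. "default request [HTTP::uri] via pool $default_pool"
    }
}

when HTTP_RESPONSE {
    if { $secure_service } {
        log local0. "HTTP status [HTTP::status] from [IP::server_addr]"
    }
}
```

Because the else branch runs on every non-matching request, a connection that sent /abc/secure1 and then / is moved back to the default pool on the second request rather than continuing to the third-party server; tcpdump on the server side of the BIG-IP shows the second request leaving towards the default pool member.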