20 Lines or Less #78: Host confirmation, Message LB, and CNAME Mods

What could you do with your code in 20 Lines or Less?

That's the question I like to ask for the DevCentral community, and every time I go looking I find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.

 

Verify Host Header and Request URL Match

https://devcentral.f5.com/s/questions/verify-host-header-and-request-url-match

User “Server.Team” – no seriously, that’s the user, which makes me feel like maybe we are solving the problems of every server team everywhere, all at once – has an issue that is a bit troublesome. You see, their SharePoint installation is a bit…accessible, for their tastes. Specifically there is no restriction on the hostname requested when accessing SharePoint in their deployment. This means that, were a user to be disgruntled, they could whip up a custom hostname pointing to the known SharePoint IP address via a host entry and wreak all forms of havoc. The bad kind of havoc. To prevent something like this all they were looking for was a way for BIG-IP to ensure that the host name actually is what it’s supposed to be for a request inbound on SharePoint's IP address in their system. A super simple thing to do in an iRule but apparently, under the right circumstances, extremely useful. So here you go, in case something like this might apply in your world.

 

 when HTTP_REQUEST {
     # Drop any request whose Host header is not the expected name
     if { not ([HTTP::host] eq "www.example.com") } {
         reject
     }
 }
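A hardened variant of the check above, as an added example that is not part of the original post or the DevCentral thread: it normalizes the Host header (case, port, trailing dot) before comparing, matches against an allow-list, and logs what it rejects. The data group name allowed_sharepoint_hosts is an assumption; it stands for a string data group that lists the permitted host names.

```tcl
when HTTP_REQUEST {
    # Host names are case-insensitive and a client may append a port
    # ("WWW.Example.com:443"), so normalize before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Treat the fully qualified form "www.example.com." the same way.
    set host [string trimright $host "."]

    # allowed_sharepoint_hosts is an assumed string data group holding
    # the permitted names, for example www.example.com.
    # An empty Host header (HTTP/1.0 style request) is rejected as well.
    if { $host eq "" || ![class match $host equals allowed_sharepoint_hosts] } {
        # The header is client-controlled: truncate it before logging.
        set seen [string range [HTTP::host] 0 99]
        log local0.warning "Host '$seen' not allowed, client [IP::client_addr], virtual [virtual name]"
        reject
        return
    }
}
```

The log line gives operations a record of which clients are sending unexpected host names, which the one-line version silently drops.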

 

 

One Virtual, Many Ports

https://devcentral.f5.com/s/questions/ltm-with-virtual-server-with-pool-member-listensing-on-different-port-numbers

Here’s a darn cool example brought about by a question from user karan12. The idea is that they want to be able to have a single virtual server that rations out traffic to nodes listening on different ports, based on the inbound URI. This is possible, assuming you’ve got the right options selected (such as OneConnect), and have a fancy iRule in place like this one. Very handy message-based load balancing setup in a simple package. Take a peek and store this one on the shelf for later.

 

 when HTTP_REQUEST {
     # Pick the node (address%route-domain:port) from the request URI
     switch -glob [string tolower [HTTP::uri]] {
         "*hypplanning*" { node 10.x.x.x%x:x }
         "*drmservice*" { node 10.x.x.x%x:y }
     }
 }

 

 

Limited CNAME Modification

https://devcentral.f5.com/s/questions/irule-trouble-dns_request

Looking to re-write DNS responses for a particular subnet? Have I got the iRule for you. User Jessica asked for something simple to help them ensure traffic from their 192.168.1.0/24 network was getting different responses than the rest of the world for a particular CNAME. That’s not a tall order as long as you’ve got iRules working for you. Here’s a look at the simple chunk of code that’ll accomplish just that. Alternatively, or if you’re looking to do modifications for more than one subnet, you could build out the code to read from a datagroup quite easily.

 

 when DNS_REQUEST {
     # Clients in 192.168.1.0/24 are answered with the alternate CNAME
     if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
         cname www.redirect.domain.ipn.mx
     }
 }

Published Jul 29, 2014
Version 1.0