20 Lines or Less: Playing nice in the same sandbox, data-groups, and APM session removal

What could you do with your code in 20 Lines or Less?

That's the question we like to ask from, for, and of (feel free to insert your favorite preposition here) the DevCentral community, and every time we do, we go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head. Thus was born the 20LoL (20 Lines or Less) series many moons ago. Over the years we've highlighted hundreds of iRules examples, all of which do downright cool things in less than 21 lines of code.

Local Traffic Policies and iRules Together

Sometimes kids don’t play nicely in the sandbox. What happens when a single virtual server has both a Local Traffic Policy and an iRule applied? Well, this first entry is a new gift in the codeshare, where Stanislas’ clever use of POLICY::targets disables the iRule's HTTP_REQUEST event whenever a policy action results in an HTTP reply redirect, so the policy and the iRule don't fight over the same request.

when HTTP_REQUEST priority 1 {
    # A matched policy rule targets http-reply (for example a redirect):
    # disable this event so the iRule does not also act on the request
    if { [POLICY::targets http-reply] } {
        log local0. "LTM Policy action contains redirect. Disabling event"
        event disable
        return
    }
}

Match Multiple Data-Groups in an iRule

Community member sandevsingh asked how to create a rule that would first check a data-group for allowed URLs, then check a second data-group for a particular subnet. Community staple Hannes Rapp replied ever so quickly with a simple nested conditional. Personally, I would use the not keyword on the second if statement to eliminate the need for the else and thus increase efficiency slightly, but readability is definitely higher with the iRule as is.

when HTTP_REQUEST {
  # Only URIs listed in Allowed-URIs are subject to the client address check;
  # any other URI falls through untouched
  if { [class match [string tolower [HTTP::uri]] eq "Allowed-URIs"] } {
    if { [class match [IP::client_addr] eq "Allowed-IPs"] } {
      # Do not interfere (Allowed)
      return
    } else {
      # Not allowed
      drop
    }
  }
}
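The same two-data-group idea, written with the not keyword the way I'd do it, as an added example that is not from the original thread. It also goes one step further than the question: instead of a single Allowed-IPs list, each protected URI prefix in the string data-group names the address data-group its clients must come from, so one iRule can police several paths with different allowed subnets. The data-group names and entries below are assumptions for illustration, not anything on the original page.

```tcl
# Added example, not from the post. Assumed data-groups (hypothetical):
#   Protected-URIs (string):  "/admin" := "Admin-IPs", "/api/internal" := "Internal-IPs"
#   Admin-IPs, Internal-IPs (address): the client subnets permitted for each prefix
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    # Look up which address data-group governs this URI; empty string means not protected
    set allowed_dg [class match -value $uri starts_with "Protected-URIs"]
    if { $allowed_dg eq "" } {
        # URI is not in Protected-URIs: leave the request alone, as the original iRule does
        return
    }
    # Address data-groups match subnets, so a client inside any listed CIDR passes
    if { not [class match [IP::client_addr] eq $allowed_dg] } {
        log local0. "Dropping [IP::client_addr] -> $uri: client not in data-group $allowed_dg"
        drop
        return
    }
    log local0. "Allowed [IP::client_addr] -> $uri via $allowed_dg"
}
```

Because the lookup uses starts_with, "/admin/users" is covered by the "/admin" entry, and the log lines give you a record of every drop decision and which list made it.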

Access Policy Agent Event Remove Session

phl110 asked how to authenticate OWA and ECP independently, since the two services have different security requirements. But because both services use the same SAML IdP, a user who has already authenticated to OWA gets a free upgrade of access to ECP. Thankfully, there is a solution, and it’s short and sweet, courtesy of F5er Graham.

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] starts_with "/ecp" } {
        # Session reached an ECP path without the MFA flag set: tear the session
        # down and send the client back through the access policy for the same URI
        if { [ACCESS::session data get session.custom.mfa] != 1 } {
            ACCESS::session remove
            ACCESS::respond 301 Location "[HTTP::uri]"
        }
    }
}
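A slightly more general form of Graham's iRule, added here as an example rather than taken from the thread: the path prefixes that require MFA live in a string data-group instead of being hard-coded, and the session is logged before it is removed so you can see in the APM logs who got bounced and why. The data-group name MFA-Paths is an assumption for illustration; the session.custom.mfa variable being set to 1 by the access policy after a successful MFA step is exactly what the original iRule relies on.

```tcl
# Added example, not from the post. Assumed data-group (hypothetical):
#   MFA-Paths (string): prefixes such as "/ecp" that may only be reached after MFA
when ACCESS_ACL_ALLOWED {
    set uri [string tolower [HTTP::uri]]
    if { [class match $uri starts_with "MFA-Paths"] } {
        # session.custom.mfa is expected to be 1 once the policy's MFA step has passed;
        # an unset variable returns an empty string and is treated as "no MFA"
        if { [ACCESS::session data get session.custom.mfa] != 1 } {
            log local0. "Session [ACCESS::session sid] reached $uri without MFA; removing session"
            ACCESS::session remove
            # Redirect to the same URI so the client re-enters the access policy
            ACCESS::respond 301 Location "[HTTP::uri]"
        }
    }
}
```

Adding a new MFA-only path is then a data-group edit rather than an iRule change, and the log line gives the session ID to correlate with the APM session report.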

And there it is, another edition of 20 Lines or Less, the power of iRules on full display. Happy coding out there, and I look forward to seeing what excellent contributions might make the next edition!

Published May 09, 2016
Version 1.0