cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Mitra_Kelly_625
Historic F5 Account

Problem this snippet solves:

This is an extension of the basic HTTP iApp template. This template allows you to activate priority group activation on the pool, and lets you set the priority of each pool member.

Code :

sys application template f5.http_pga {
    actions {
        definition {
            html-help {

Generating Application Services

This template creates a complete configuration optimized for managing traffic from most simple web server implementations. This template differs from the regular HTTP template in that it allows the user to set priority group activation on the pool and to set the priority for each pool member. Before filling out this template, complete the following prerequisites:

  • Check the System :: Resource Provisioning screen to ensure that LTM (the local traffic manager module) is provisioned.
  • License and provision additional BIG-IP modules, as applicable.
  • Set up VLANs to the servers containing the applications your clients will access.
  • Import SSL certificates to authenticate the server and encrypt data.

Sync and/or Failover Groups

  • If you enable sync and failover, you can select a device group that synchronizes BIG-IP configuration data among devices and a traffic group of related objects that fail over to another device when the current device becomes unavailable.

Analytics

  • If you have licensed and provisioned Analytics (AVR) to gather and report application statistics, you can specify options for using an Analytics profile.

Virtual Server Questions

  • Type the IP address and port for the virtual server the BIG-IP system uses with the HTTP web server. When you click Finished, the system creates a virtual server named <prefix>_virtual_server, and associates that virtual server with this IP address.
  • Specify whether the servers can communicate with the clients using a route through the BIG-IP system to deliver response data to the client, or whether the BIG-IP system should translate the client's source address if needed to deliver response data to the client. Selecting No causes the BIG-IP system to specify the Auto Map setting for the SNAT Pool option on the associated virtual server. In this case, the servers send response data to the BIG-IP system, which then translates the destination address and delivers response data to the client.
  • If you have more than 64,000 simultaneous connections, you must specify at least one IP address to the secure network address translation (SNAT) pool for every 64,000 connections (or fraction thereof). If you do not, after 64,000 connections, new requests fail. If you select No, the system uses the self-IP to automatically map to the IP address for the SNAT pool (SNAT automap).
  • If the HTTP web servers are configured to use NTLM authentication, the system adds an NTLM profile to the virtual server, which enables OneConnect.

SSL Encryption Questions

  • If you plan to offload SSL processing from the HTTP web servers to the BIG-IP system, you use SSL certificates on the server to authenticate the BIG-IP system.

Server Pool, Load Balancing, and Service Monitor Questions

  • If you plan to use an existing pool, select that from the list and continue to the next section.
  • If you plan to create a new pool, you also select the type of load balancing to use and specify the servers referenced by the virtual server the template creates. Until you specify at least one server here, the virtual server is not available.
  • You can enable priority grup activation for the pool. If you do so, then you can specify the priority for each pool member.
  • You can also enable TCP request queuing and specify a queue length and timeout for queued requests. The 0 (zero) value indicates unlimited. Keep in mind that value that are too high can cause potentially high memory consumption, resources that other applications might need, and values that are too low can cause service-unavailable errors, potentially disrupting service to clients. You must base the values on server capability, load, and need for shared resources.
  • Specify the string for the BIG-IP to use to check server health as well as the string the server responds with to indicate health.
  • The default request, GET / retrieves a default HTML file for a web site. To retrieve a specific page from a web site, specify a fully qualified path name, for example:
    GET /www/siterequest/index.html
  • If you are using HTTP 1.1, you also specify the fully qualified DNS name the HTTP 1.1 clients are expected to use to access the HTTP application (e.g., http.f5.com).

Protocol Optimization and Security Questions

  • Specify whether clients are connecting over the LAN or WAN.
  • If you have licensed and provisioned the Web Accelerator module to accelerate HTTP web server traffic, you also specify the name your end users will use to access the HTTP virtual server (e.g., http.f5.com). This is the DNS name that the system uses for the Web Accelerator application object's Requested Hosts field, which allows Web Accelerator to accelerate HTTP traffic to these virtual hosts.
} implementation { tmsh::log_dest file tmsh::log_level crit tmsh::include "f5.app_utils" # constants set NO_ANSWER "No" set YES_ANSWER "Yes" set WAN_OPTION "WAN" set EMPTY_STRING "EMPTY_STRING_NO_VALUE_PRESENT" set CREATE_NEW_POOL_OPTION "Create New Pool" set CREATE_NEW_MONITOR_OPTION "Create New Monitor" set ADDR_FIELD "addr" set PORT_FIELD "port" set RATIO_FIELD "ratio" set CONNECTION_LIMIT_FIELD "connection_limit" set PRIORITY_FIELD "priority" set ONE_SPACE " " set HTTP_11_VERSION_STRING "\"Version 1.1\"" proc tmsh_create { component arguments } { regsub -all {\"} $arguments "\\\"" arguments regsub -all {\[} $arguments "\\\[" arguments regsub -all {\]} $arguments "\\\]" arguments tmsh::run_proc f5.app_utils:do_tmsh_create "\"$component\"" "\"$arguments\"" } proc tmsh_modify { component arguments } { regsub -all {\"} $arguments "\\\"" arguments regsub -all {\[} $arguments "\\\[" arguments regsub -all {\]} $arguments "\\\]" arguments tmsh::run_proc f5.app_utils:do_tmsh_modify "\"$component\"" "\"$arguments\"" } proc create_pool_with_pga { app_name monitor_name servers lb_method enable_pga min_active_members } { set pool_name [format "%s_%s" $app_name pool] tmsh_create "/ ltm pool" "$pool_name members none load-balancing-mode $lb_method slow-ramp-time 300" tmsh_modify "/ ltm pool" "$pool_name monitor none" tmsh_modify "/ ltm pool" "$pool_name monitor $monitor_name" if { $enable_pga == $::YES_ANSWER } { tmsh_modify "/ ltm pool" "$pool_name min-active-members $min_active_members" } else { tmsh_modify "/ ltm pool" "$pool_name min-active-members 0" } if { $servers != "" } { set addr_value "" set port_value "" set ratio_value "" set conn_limit_value "-1" set priority_value "-1" set members \{ set element_list [split $servers] for {set i 0} {$i < [llength $element_list]} {incr i} { set element [lindex $element_list $i] puts "element |$element|" if { $element == $::ADDR_FIELD } { set i [incr i] set addr_value [lindex $element_list $i] } if { $element == $::PORT_FIELD } { set i [incr i] set port_value [lindex $element_list $i] } if { $element == $::CONNECTION_LIMIT_FIELD } { set i [incr i] set conn_limit_value [lindex $element_list $i] } if { $element == $::PRIORITY_FIELD } { set i [incr i] set priority_value [lindex $element_list $i] } if { $element == $::RATIO_FIELD } { set i [incr i] set ratio_value [lindex $element_list $i] if { [string is integer $ratio_value] == 0 } { set ratio_value "" } } if { $element == "\}\}" || $element == "\}\}\}" } { append members $addr_value append members ":" append members $port_value if { $conn_limit_value != "-1" || [tmsh::run_proc f5.app_utils:is_lb_method_ratio $lb_method] || $priority_value != "-1" } { append members " \{" if { $priority_value != "-1" } { append members " priority-group " append members $priority_value } if { $conn_limit_value != "-1" } { append members " connection-limit " append members $conn_limit_value } if { [tmsh::run_proc f5.app_utils:is_lb_method_ratio $lb_method] } { append members " ratio " append members $ratio_value } append members " \}" } append members " " set conn_limit_value "-1" set priority_value "-1" } } append members \} tmsh_modify "/ ltm pool" "$pool_name members replace-all-with $members" } return $pool_name } proc configure_http_deployment {} { # create web profiles set http_optimization_profile_names [tmsh::run_proc \ f5.app_utils:create_http_comp_accel_profiles $tmsh::app_name \ $::optimizations__lan_or_wan $::YES_ANSWER $::NO_ANSWER \ $::EMPTY_STRING $::ssl_encryption_questions__offload_ssl ] set profile_names \{ append profile_names $http_optimization_profile_names if { $::ssl_encryption_questions__offload_ssl == $::YES_ANSWER } { set key $::ssl_encryption_questions__key set cert $::ssl_encryption_questions__cert set client_ssl_profile_name [tmsh::run_proc f5.app_utils:create_ssl_profile \ $tmsh::app_name $key $cert] append profile_names " " append profile_names $client_ssl_profile_name } # Attach AVR profile if the user wants one set provisioned [tmsh::run_proc f5.app_utils:get_provisioned avr] if { $provisioned == "provisioned" } { if { $::analytics__add_analytics == $::YES_ANSWER } { append profile_names $::ONE_SPACE if { $::analytics__create_new_analytics == "Select a Custom Profile" } { append profile_names $::analytics__analytics_profile } else { set analytics_profile_name [format "%s_%s" $tmsh::app_name basic_analytics_profile] tmsh_create "/ ltm profile analytics" "$analytics_profile_name defaults-from analytics" append profile_names $analytics_profile_name } } } # create pool if { $::server_pools__create_new_pool == $::CREATE_NEW_POOL_OPTION } { # create monitor if { $::server_pools__create_new_monitor == $::CREATE_NEW_MONITOR_OPTION} { set monitor_interval $::server_pools__monitor_interval set monitor_recv \"$::server_pools__monitor_recv\" set monitor_send \"$::server_pools__monitor_send\" set http_version \"$::server_pools__monitor_http_version\" set monitor_type http if { $http_version == $::HTTP_11_VERSION_STRING } { set monitor_dns_name $::server_pools__monitor_dns_name } else { set monitor_dns_name $::EMPTY_STRING } set monitor_name [tmsh::run_proc f5.app_utils:create_monitor \ $tmsh::app_name $monitor_type $monitor_interval "$monitor_send" \ "$monitor_recv" "$http_version" $monitor_dns_name] } else { set monitor_name $::server_pools__reuse_monitor_name } # create pool set servers $::server_pools__servers set lb_method $::server_pools__lb_method_choice if { $::server_pools__enable_pga == $::YES_ANSWER } { set min_active_members $::server_pools__min_active_members } else { set min_active_members 0 } set pool_name [create_pool_with_pga $tmsh::app_name $monitor_name \ "\{$servers\}" $lb_method $::server_pools__enable_pga $min_active_members ] set do_queuing $::server_pools__tcp_request_queuing_enable_question if { $do_queuing == $::YES_ANSWER } { set queue_length $::server_pools__tcp_request_queue_length set time_limit $::server_pools__tcp_request_queue_timeout } else { set queue_length 0 set time_limit 0 } tmsh::run_proc f5.app_utils:do_tcp_request_queue_settings \ $pool_name $do_queuing $queue_length $time_limit } else { set pool_name $::server_pools__reuse_pool_name } #create irule if { $::ssl_encryption_questions__offload_ssl == $::YES_ANSWER } { set irule_name [tmsh::run_proc f5.app_utils:create_https_redirect_irule $tmsh::app_name] } else { set irule_name $::EMPTY_STRING } # create TCP profiles set tcp_profile_name_lan [format "%s_%s" $tmsh::app_name lan-optimized_tcp_profile] tmsh_create "/ ltm profile tcp" "$tcp_profile_name_lan defaults-from tcp-lan-optimized" set tcp_server_profile_name $tcp_profile_name_lan if { $::optimizations__lan_or_wan == $::WAN_OPTION } { set tcp_profile_name_wan [format "%s_%s" $tmsh::app_name wan-optimized_tcp_profile] tmsh_create "/ ltm profile tcp" "$tcp_profile_name_wan defaults-from tcp-wan-optimized" set tcp_client_profile_name $tcp_profile_name_wan } else { set tcp_client_profile_name $tcp_profile_name_lan } # create persist profile set persist_profile [format "%s_%s" $tmsh::app_name cookie_persistence_profile] tmsh_create "/ ltm persistence cookie" "$persist_profile" # SNAT if { $::basic__snat == $::NO_ANSWER } { set snat "automap" set using_snat $::YES_ANSWER if { $::basic__need_snatpool == $::YES_ANSWER } { set members \{ foreach member $::basic__snatpool_members { append members [tmsh::get_field_value $member addr] append members " " } append members \} set snat [format "%s_snatpool" $tmsh::app_name ] tmsh_create "/ ltm snatpool" "$snat members replace-all-with $members" } } else { set snat "none" set using_snat $::NO_ANSWER } # create one_connect profile set create_ntlm_profile $::basic__using_ntlm set one_connect_and_ntlm_profile_names [tmsh::run_proc \ f5.app_utils:create_one_connect_and_ntlm_profiles \ $tmsh::app_name $create_ntlm_profile $using_snat] append profile_names $::ONE_SPACE append profile_names $one_connect_and_ntlm_profile_names append profile_names \} # create VS(s) set destination $::basic__addr:$::basic__port if { $::ssl_encryption_questions__offload_ssl == $::YES_ANSWER } { set https_destination $::basic__addr:443 set temp $http_optimization_profile_names set http_optimization_profile_names \{ append http_optimization_profile_names $temp append http_optimization_profile_names \} set vs_name [tmsh::run_proc f5.app_utils:create_http_vs \ $tmsh::app_name $destination $snat $::EMPTY_STRING \ $http_optimization_profile_names $persist_profile \ $tcp_server_profile_name $tcp_client_profile_name] if { $irule_name != $::EMPTY_STRING } { tmsh_modify "/ ltm virtual" "$vs_name rules \{ $irule_name \}" } tmsh::run_proc f5.app_utils:create_https_vs $tmsh::app_name \ $https_destination $snat $pool_name $profile_names $persist_profile \ $tcp_server_profile_name $tcp_client_profile_name } else { tmsh::run_proc f5.app_utils:create_http_vs $tmsh::app_name \ $destination $snat $pool_name $profile_names $persist_profile \ $tcp_server_profile_name $tcp_client_profile_name } } puts " " puts " " puts "Starting HTTP template." puts " " set provisioned [tmsh::run_proc f5.app_utils:get_provisioned ltm] if { $provisioned == "provisioned" } { if { [tmsh::run_proc f5.app_utils:is_safe_app_name "\"$tmsh::app_name\""] != true } { puts "The app template name contained illegal characters." error "The app template name contained illegal characters." } configure_http_deployment } else { puts "The app template failed because LTM is required." error "The app template failed because LTM is required." } puts " " puts "Ending HTTP template." puts " " } presentation { include "/Common/f5.apl_common" section intro { message hello "most simple web server implementations" optional ( hello == "NEVER_SHOW_THIS" ) { choice ltm_provisioned tcl { tmsh::run_proc f5.app_utils:get_provisioned ltm } choice analytics_provisioned tcl { tmsh::run_proc f5.app_utils:get_provisioned avr } choice is_viprion tcl { tmsh::run_proc f5.app_utils:get_is_viprion } } optional ( ltm_provisioned != "provisioned" ) { message sorry "We are sorry but you must license and provision the LTM module to use this template." } optional ( analytics_provisioned != "provisioned" && is_viprion == "false" ) { message analytics_opportunity "Provisioning AVR will enable additional options in this template." } } optional ( intro.ltm_provisioned == "provisioned" ) { optional ( intro.analytics_provisioned == "provisioned" ) { section analytics { noyes add_analytics optional ( add_analytics == "Yes" ) { message about_analytics_profiles "For full functionality and flexibility, we recommend that you create a custom Analytics profile for each iApp under Local Traffic > Profiles > Analytics. Once you have created an Analytics profile, you will be able to select it from the list below." choice create_new_analytics default "Select a Custom Profile" display "xlarge" { "Select a Custom Profile", "Use Default Profile" } optional ( create_new_analytics == "Select a Custom Profile" ) { choice analytics_profile display "xlarge" tcl { tmsh::run_proc f5.app_utils:get_items / ltm profile analytics } } } } } section basic { string addr required validator "IpAddress" string port default "80" required validator "PortNumber" display "small" noyes snat optional ( snat == "No" ) { noyes need_snatpool optional ( need_snatpool == "Yes" ) { table snatpool_members { string addr required validator "IpAddress" } } } noyes using_ntlm } ssl_section ssl_encryption_questions section server_pools { choice create_new_pool display "large" { "Create New Pool", "Use Pool..." } optional ( create_new_pool == "Create New Pool" ) { lb_method lb_method_choice noyes enable_pga optional ( enable_pga == "Yes" ) { string min_active_members default "0" required validator "NonNegativeNumber" } table servers { string addr required validator "IpAddress" string port default "80" required validator "PortNumber" display "small" string connection_limit default "0" required validator "NonNegativeNumber" display "small" optional ( lb_method_choice == "ratio-member" || lb_method_choice == "ratio-node" || lb_method_choice == "ratio-session" || lb_method_choice == "ratio-least-connections-memeber" || lb_method_choice == "ratio-least-connections-node" || lb_method_choice == "dynamic-ratio-member" || lb_method_choice == "dynamic-ratio-node" ) { string ratio default "1" validator "NonNegativeNumber" display "small" } optional ( enable_pga == "Yes" ) { string priority default "0" required validator "NonNegativeNumber" display "small" } } noyes tcp_request_queuing_enable_question optional ( tcp_request_queuing_enable_question == "Yes" ) { message note "TCP request queuing requires you to have a Connection Limit on your pool members." string tcp_request_queue_length default "0" required validator "NonNegativeNumber" display "small" string tcp_request_queue_timeout default "0" required validator "NonNegativeNumber" display "small" } choice create_new_monitor display "xlarge" { "Create New Monitor", "Use Monitor..." } optional ( create_new_monitor == "Create New Monitor" ) { string monitor_interval default "30" required validator "NonNegativeNumber" display "small" string monitor_send default "GET /" required display "xlarge" choice monitor_http_version { "Version 1.0", "Version 1.1" } optional ( monitor_http_version == "Version 1.1" ) { string monitor_dns_name required validator "FQDN" display "large" } string monitor_recv display "xlarge" } optional ( create_new_monitor == "Use Monitor..." ) { choice reuse_monitor_name display "xlarge" tcl { tmsh::run_proc f5.app_utils:get_ltm_monitors_filter http https } } } optional ( create_new_pool == "Use Pool..." ) { choice reuse_pool_name display "xlarge" tcl { tmsh::run_proc f5.app_utils:get_items ltm pool } } } section optimizations { choice lan_or_wan { "WAN", "LAN" } } } text { intro "Welcome to the HTTP template" intro.hello "This template supports:" intro.sorry "We're sorry:" intro.analytics_opportunity "Additional features available:" analytics "Analytics" analytics.add_analytics "Do you want to enable Analytics so that you can view application statistics? (This may affect system performance.)" analytics.about_analytics_profiles "About creating your own Analytics profiles:" analytics.create_new_analytics "Do you want to use a default Analytics profile or select a custom profile?" analytics.analytics_profile "Which Analytics profile do you want to use?" basic "Virtual Server Questions" basic.addr "What IP address do you want to use for this virtual server?" basic.port "What port do you want to use for this virtual server?" basic.snat "Do the HTTP servers have a route back to application clients via this BIG-IP system?" basic.need_snatpool "Will you have more than 64,000 connections at one time? If so, you will need to enter at least one IP address for each 64,000 connections. " basic.snatpool_members "Enter IP addresses that can be used for a SNAT pool. Enter one IP address for each 64,000 connections " basic.snatpool_members.addr "Address: " basic.using_ntlm "Are the HTTP servers configured to use NTLM authentication?" ssl_encryption_questions "SSL Encryption Questions" ssl_encryption_questions.offload_ssl "Do you want the BIG-IP system to offload SSL processing from the HTTP servers?" ssl_encryption_questions.cert "Which certificate do you want the BIG-IP system to use to authenticate the server? (You may need to import a certificate before deploying this Template.)" ssl_encryption_questions.key "Which key do you want the BIG-IP system to use for encryption? (You may need to import a key before deploying this Template.)" server_pools "HTTP Server Pool, Load Balancing, and Service Monitor Questions" server_pools.create_new_pool "Do you want to create a new pool or use an existing one?" server_pools.lb_method_choice "Which load balancing method do you want to use?" server_pools.enable_pga "Do you want to enable Priority Group Activation?" server_pools.min_active_members "What is the minimum number of active members?" server_pools.servers "Which servers do you want this virtual server to reference? (The virtual server will not be available until at least one server is added.)" server_pools.servers.addr "Address" server_pools.servers.port "Port" server_pools.servers.ratio "Ratio" server_pools.servers.connection_limit "Connection Limit" server_pools.servers.priority "Priority" server_pools.tcp_request_queuing_enable_question "Do you want the BIG-IP to queue TCP requests?" server_pools.note "Note:" server_pools.tcp_request_queue_length "Specify the TCP request queue length. Choose 0 for unlimited." server_pools.tcp_request_queue_timeout "Specify a timeout for TCP request queuing in milliseconds. Choose 0 for unlimited." server_pools.reuse_pool_name "Choose a pool from the list of available pools." server_pools.create_new_monitor "Do you want to create a new health monitor or use an existing one?" server_pools.monitor_interval "How often (in seconds) do you want the BIG-IP system to check on the health of each HTTP server? " server_pools.monitor_send "What HTTP request should be sent to check the health of each HTTP server?" server_pools.monitor_http_version "What HTTP version do your HTTP servers expect clients to use?" server_pools.monitor_dns_name "What fully qualified DNS name are HTTP 1.1 clients expected to use to access the HTTP servers?" server_pools.monitor_recv "What string can the BIG-IP system expect to see within the health check response for the server to be considered healthy?" server_pools.reuse_monitor_name "Choose a monitor from the list of available monitors." optimizations "Protocol Optimization Questions" optimizations.lan_or_wan "Will clients be connecting to this virtual server primarily over a LAN or a WAN?" } } role-acl { admin manager resource-admin } } } }
Version history
Last update:
‎11-Mar-2015 14:40
Updated by:
Contributors