Steve_McCarthy_
Historic F5 Account

This is another short article in an irregular series demonstrating some practical recipes using LTM Policy.  Please also check out another article with a more complete overview of LTM Policy.

 

Forcing SSL connections

In today’s security-conscious world, end users and service providers will frequently want sensitive information to be exchanged over an encrypted connection.  Here is a simple policy that you could place on an unencrypted HTTP virtual server, which sends a redirect to a secure version of the same URL.

Task: Demonstrates http-reply functionality and the use of Tcl expansions to access the full URI.

Configuration:

ltm policy /Common/force-ssl {
  controls { forwarding }
  requires { http }
  rules {
      r1 {
          actions {
              0 {
                  http-reply redirect
                  location tcl:https://[HTTP::host][HTTP::uri]
              }
          }
          ordinal 1
      }
  }
  strategy /Common/first-match
}

 

Rewrite URI without issuing a redirect

Sometimes you want to rewrite a URI straightaway, without redirecting the client and incurring the overhead of an additional round-trip request/response cycle.  Here is one way to do this using LTM Policy.

Task: Detect when a user is trying to access a private part of a site and direct the connection to the public part of the site.

Configuration:

ltm policy /Common/rewrite-uri {
    requires { http }
    rules {
        r1 {

            conditions {
                0 {
                    http-uri path starts-with
                    values { /private }
                }
            }

            actions {
                0 {
                    http-uri replace path /public/
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}

 

Prevent other sites from using images

Some third-party sites will try to “deep link” to images or other content on your site, so that they can use your content without having to host it.  Here is one idea of how you can manage this situation using an LTM Policy which inspects the HTTP request’s Referer: header.

Task: Detect when a request for image types (jpg, gif, or png) is coming from somewhere other than mydomain.com, and serve up a replacement image.

Configuration:

ltm policy /Common/all-all {
    requires { http }
    rules {
        r1 {
            conditions {
                0 {
                    http-referer not contains
                    values { mydomain.com }
                }
                1 {
                    http-uri extension
                    values { jpg gif png }
                }
            }
            actions {
                0 {
                    http-uri replace
                    path /images/unavailable.jpg
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
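
The Referer condition in this policy is a substring test on a client-supplied header. The following Python model is an added example (not part of the original article and not F5 code) that replays rule r1 over constructed requests and compares it with a check on the Referer's host. Treating a missing Referer as an empty string and matching extensions case-insensitively are assumptions of the model.

```python
from urllib.parse import urlsplit

IMAGE_EXTS = {"jpg", "gif", "png"}  # values of the policy's http-uri extension condition
SITE = "mydomain.com"               # value of the policy's http-referer condition


def extension(uri):
    """Extension of the last path segment, lower-cased, without the dot."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def policy_blocks(referer, uri):
    """Model of rule r1: image extension AND Referer does not contain SITE."""
    # Assumption: an absent Referer header behaves like an empty string.
    return extension(uri) in IMAGE_EXTS and SITE not in (referer or "")


def strict_blocks(referer, uri):
    """Stricter variant: compare the Referer's host, not a substring of the header."""
    if extension(uri) not in IMAGE_EXTS:
        return False
    host = (urlsplit(referer or "").hostname or "").lower()
    return not (host == SITE or host.endswith("." + SITE))


# Constructed sample requests: (Referer header or None, request URI)
SAMPLES = [
    ("https://www.mydomain.com/gallery", "/images/cat.png"),         # own page
    ("https://other.example/page", "/images/cat.png"),               # foreign page
    ("https://other.example/?ref=mydomain.com", "/images/cat.png"),  # name in query string
    ("https://mydomain.com.other.example/", "/images/cat.jpg"),      # name as host prefix
    (None, "/images/cat.gif"),                                       # no Referer sent
    ("https://other.example/page", "/index.html"),                   # not an image
]


def compare():
    """Return (policy verdict, strict verdict) for each sample; True = replacement image."""
    return [(policy_blocks(r, u), strict_blocks(r, u)) for r, u in SAMPLES]


if __name__ == "__main__":
    for (referer, uri), (loose, strict) in zip(SAMPLES, compare()):
        print(f"{str(referer):45} {uri:18} policy={loose!s:5} strict={strict}")
```

The two checks disagree only on the third and fourth samples, where the domain name appears in the Referer but is not the referring host. Both variants also serve the replacement image when no Referer is sent, which affects clients that strip the header.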

Comments
Walter_Kacynski
Cirrostratus
What version will the tcl: syntax work with? 12.0+?
Steve_McCarthy_
Historic F5 Account
Yes, Tcl support for selected fields was added to LTM Policy in version 12.0.
Andy_Assareh
Legacy Employee

How can we modify the URI rewrite policy to preserve the full URI path while replacing private with public? For example if the URI request is example.com/private/images/image.png the resulting request would be for example.com/public/images/image.png

 

Walter_Kacynski
Cirrostratus

I just did this yesterday

 

Action: Replace : HTTP path-> tcl:[string map {private public} [HTTP::path]]

 

Steve_McCarthy_
Historic F5 Account

Walter is right. My comment about Tcl support was exactly backwards - Tcl expressions are supported in actions, not conditions.

 

Andy_Assareh
Legacy Employee

Great, thanks!

 

Version history
Last update: 28-Dec-2015 09:45