Forum Discussion

vaahtera's avatar
vaahtera
Icon for Nimbostratus rankNimbostratus
Nov 05, 2019

HSSR sideband connection for querying LDAP not working

I'm having this issue, that i can't get the sideband connection to work. Code is like this:

 

when HTTP_REQUEST {
  
  set apikey [URI::query [HTTP::uri] api-key]
  log local0. $apikey
 
 
  if {  $apikey eq "" } {
    log local0. "apikey is empty, redirecting to another virtual"
    virtual test-internal
  } else {
  log local0. "We got the apikey and begin HSSR connection"
    set status [call /Common/HSSR::http_req -virt "/test-internal-api" \
                 -uri "http://test.com/[URI::encode $apikey]" \
                 -tag "custom" -key $apikey -rbody rbody]
 
 
    if {($status == 200) && ($rbody ne "NOT_FOUND")} {
    log local0. "HSSR query successful, redirecting traffic to pool"
    pool test-pool
    return
    }
 }
}

 

The test-internal-api virtual is assigned with access policy that has a simple LDAP query and a iRule that gets the reply for the sideband query.

 

Now when the user goes to that virtual where the iRule is assigned, ltm logs the following lines:

 

Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: 010101-123N

Nov 5 15:27:59 f5test01 info tmm1[17166]: Rule /Common/APIKEY <HTTP_REQUEST>: We got the apikey and begin HSSR connection

Nov 5 15:27:59 f5test01 err tmm1[17166]: 01220001:3: TCL error: /Common/APIKEY <HTTP_REQUEST> - can't read "sts": no such variable   while executing "set e "connect to ${dest} '${server}' fails: ${sts} (${conn})""  (iRule proc "/Common/HSSR::http_req") (line 430)   invoked from within "call /Common/HSSR::http_req -virt "/test-internal-api" -uri "http://test.com/" -tag "custom" -key $apikey -r..."   invoked from within "if { $apikey eq "" } {   log local0. "apikey is empty, redirecting to another virtual"   virtual test-internal..."

 

What is that sts and where should it come from? No matter what i do to the call, the error is the same...

APM
application delivery
iRules

1 Reply

Sort By
  • vaahtera's avatar
    vaahtera
    Icon for Nimbostratus rankNimbostratus
    Nov 06, 2019

    Ok, got this a bit further. I was missing the /Common before the virtual server in the call. But now as the another virtual has this iRule code, it never get's to the ACCESS_POLICY_COMPLETED:

     

    when HTTP_REQUEST {
 log local0. "Got http request to internal virtual"
 set apikey ""
 if {[HTTP::path] starts_with "/"} {
  regexp {/([^/]+)$} [HTTP::path] junk x
  set apikey [URI::decode $x]
 }
 
}
 
when ACCESS_SESSION_STARTED {
 if {$apikey ne ""} {
 log local0. "Access session started on internal virtual"
  ACCESS::session data set session.custom.apikey $apikey
 }
}
 
when ACCESS_POLICY_COMPLETED {
 set reply "NOT_FOUND"
 if {[ACCESS::session data get session.ldap.last.queryresult] == 1} {
  set reply [ACCESS::session data get session.ldap.last.attr.apikey]
 }
 log local0. "Access session policy completed with reply: $reply"
 ACCESS::respond 200 content $reply Content-Type "text/plain" Connection close
}

    The access policy attached to this internal virtual contains only one LDAP query that ends in deny no matter what the query result is.

     

    What am i missing here?