Forum Discussion
iRule for custom traffic flow
- Mar 20, 2017
Matt,
To perform this action, there are a couple things you need.
- Client-ssl and server-ssl profile on the virtual server.
- Identify requests with content.
Here is a simple example iRule that should accomplish what you need. I'm working under the assumption any POST will have content you want to inspect.
when HTTP_REQUEST {
    # remember the virtual server's default pool the first time through
    if {![info exists DEFAULT_POOL]} { set DEFAULT_POOL [LB::server pool] }
    set INSPECT 0
    if {[HTTP::method] eq "POST"} {
        # request should contain content, select the inspection pool
        pool inspection_servers
        set INSPECT 1
    } else {
        pool $DEFAULT_POOL
    }
}
when SERVER_CONNECTED {
    # do not encrypt server-side if destined to inspection pool
    if {$INSPECT} { SSL::disable }
}
If you use a OneConnect profile, you should be able to remove the default pool selection as long as you're not running 11.5.3 HF2 or 12.0.0 - 12.0.0 HF3.
when HTTP_REQUEST {
    set INSPECT 0
    if {[HTTP::method] eq "POST"} {
        # request should contain content, select the inspection pool
        pool inspection_servers
        set INSPECT 1
    }
}
when SERVER_CONNECTED {
    # do not encrypt server-side if destined to inspection pool
    if {$INSPECT} { SSL::disable }
}
As with anything, there is often more than one answer. Hopefully this will at least point you in the right direction.
Matthew,
Glad you learned something even if it won't be used.
If you would like to learn iRules, I found a few things very helpful:
- Learning TCL to get a firm grasp on the syntax and behavior of the language itself.
- Understand the protocol being balanced, usually HTTP, but the F5 can load balance lots of things.
I use the TCL manual as a reference quite often. When I first started learning, I installed TCL on my computer and took time to test certain commands and syntax prior to writing an iRule. I still use it to test and demonstrate certain behaviors. Beyond the disabled TCL commands, the F5 has slightly different behavior so testing is still needed in iRules.
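The desktop testing described above, applied to the first iRule in this thread, as an added example that is not from the original posts or from F5. The `when`, `HTTP::method`, `LB::server`, `pool` and `SSL::disable` procs are hypothetical stand-ins that only record what the iRule asked for, `default_pool` is a constructed name, and each simulated connection is assumed to carry a single request.

```tcl
# Offline tclsh harness. These procs are hypothetical stand-ins for BIG-IP
# commands; they record the iRule's decisions and touch no network.
namespace eval HTTP { proc method {} { return $::req_method } }
namespace eval LB   { proc server {what} { return "default_pool" } }
namespace eval SSL  { proc disable {} { set ::result(serverside_ssl) off } }
proc pool {name} { set ::result(pool) $name }

# 'when' stores each event body so the harness can fire events in order.
proc when {event body} { set ::handlers($event) $body }

# --- iRule under test (first variant from the answer above) ---
when HTTP_REQUEST {
    if {![info exists DEFAULT_POOL]} { set DEFAULT_POOL [LB::server pool] }
    set INSPECT 0
    if {[HTTP::method] eq "POST"} {
        # request should contain content, select the inspection pool
        pool inspection_servers
        set INSPECT 1
    } else {
        pool $DEFAULT_POOL
    }
}
when SERVER_CONNECTED {
    # do not encrypt server-side if destined to inspection pool
    if {$INSPECT} { SSL::disable }
}

# Run both events in one proc frame so INSPECT set in HTTP_REQUEST is
# visible in SERVER_CONNECTED (assumption: one request per connection).
proc simulate {method} {
    set ::req_method $method
    array unset ::result
    array set ::result {pool {} serverside_ssl on}
    eval $::handlers(HTTP_REQUEST)
    eval $::handlers(SERVER_CONNECTED)
    return [list $::result(pool) $::result(serverside_ssl)]
}

# Constructed sample methods: show which ones reach the inspection pool
# and which ones leave the server side encrypted.
foreach m {GET POST PUT} {
    lassign [simulate $m] p s
    puts [format "%-4s -> pool=%-18s server-side SSL=%s" $m $p $s]
}
```

Running it with `tclsh` shows that only POST is sent to `inspection_servers` with server-side SSL off; a PUT, which can also carry a body, follows the default encrypted path, consistent with the answer's stated assumption that POST is the method to inspect.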