
Persistence for selected URIs on a VS

Dave_Noonan
Cirrus

Looking for suggestions on the best way to accomplish this.

 

We want specific URIs to have cookie persistence enabled while the persistence on the virtual server is None.

 

I'm pretty sure this could be done with an iRule but wanted to check whether there's a better way since I'm returning to F5 after a five year absence.

 

These URIs need cookie persistence; any other URI will not use persistence:

/blahblah/app/

/blahblah/api/

 

 

Bonus question:

They want those same URIs blocked from public access. What's the easiest way to ACL those while leaving the rest of it open?

 

2 REPLIES

James_Thomson
F5 Employee

https://clouddocs.f5.com/api/irules/persist.html

```tcl
when HTTP_REQUEST {
    # Check the requested URI
    switch -glob [HTTP::uri] {
        "/path1/*" -
        "/path2/*" {
            # Request was for an IIS URI so select the pool and set a pool-specific cookie
            pool iis_pool
            persist cookie insert iis_persist 0
        }
    }
}
```

For your second question, when you say "blocked from public access", what does "private" access mean? Only allowed from certain subnets? How many subnets? Something else?

Dave_Noonan
Cirrus

Your code looks a lot like what I came up with after further searching, so that's reassuring.

```tcl
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/blahblah/app/*" -
        "/blahblah/api/*" {
            # If client is public IP then send 404
            if { not ([class match [IP::client_addr] equals private_net]) } {
                HTTP::respond 404 content "HTTP ERROR 404 Reason:Not Found" Mime-Type "text/html"
                event disable
                TCP::close
            } else {
                # If client is private IP set cookie persistence
                persist cookie insert blahblah_Cookie 0
            }
        }
    }
}
```

The second question is just to block those from non-RFC1918 IP space. I included that in my iRule but feel free to tell me if there's a better way.
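The following is an added example, not part of the thread and not F5 code: a small Python model of the decision the last iRule makes, useful for checking which requests get a 404, which get cookie persistence, and which fall through. It assumes the `private_net` data group holds the three RFC 1918 ranges (its contents are not shown in the thread) and uses `fnmatchcase` as a stand-in for Tcl glob matching; the `decide` function and the sample requests are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumption: private_net contains exactly the RFC 1918 ranges.
PRIVATE_NET = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Glob patterns taken from the iRule in the thread.
PROTECTED = ("/blahblah/app/*", "/blahblah/api/*")


def decide(client_ip: str, uri: str) -> str:
    """Return '404', 'persist' or 'default' for one request."""
    # HTTP::path is the URI without the query string; the rule lowercases it.
    path = urlsplit(uri).path.lower()
    if not any(fnmatchcase(path, pat) for pat in PROTECTED):
        return "default"   # no switch arm matched: no ACL, no persistence
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in PRIVATE_NET):
        return "persist"   # corresponds to: persist cookie insert
    return "404"           # corresponds to: HTTP::respond 404 + TCP::close


# Constructed sample requests (not from the thread).
SAMPLES = [
    ("10.1.2.3", "/blahblah/app/index.html"),
    ("203.0.113.7", "/blahblah/app/index.html"),
    ("203.0.113.7", "/BlahBlah/API/v1/users?id=1"),  # case and query string
    ("172.32.0.1", "/blahblah/api/v1"),              # just outside 172.16.0.0/12
    ("203.0.113.7", "/blahblah/app"),                # no trailing slash
    ("203.0.113.7", "/other/page"),
]

if __name__ == "__main__":
    for ip, uri in SAMPLES:
        print(f"{ip:15} {uri:32} -> {decide(ip, uri)}")
```

The `/blahblah/app` row returns `default` because the glob requires the trailing slash, so the rule as written neither blocks nor persists that exact path.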