data group list
19 Topics

iRule(s) using Data Group based on host and uri
So we are trying to implement a single VIP (one Virtual IP) for multiple clients (websites) and would like to achieve that using iRules that have a Data Group assigned. I was able to get the iRule working which has a DG based on host. However, I need to be able to accept certain requests based on a couple of URIs as well. One of the URIs should work on port 80 and the other on 85. Below is the iRule I have, which works fine based on host for 443.

    when HTTP_REQUEST {
        set pool [class match -value -- [HTTP::host] equals test_url]
        if { $pool ne "" } {
            pool $pool
        }
    }

How do I append or add more iRules to manage my URI based traffic? I believe the iRule for the port 80 URI needs to be on 80_VIP. Also we need to have an http to https redirect rule for everything other than the above specified URIs. URIs are as below:

    /XYZ.svc* -- port 80
    /example/attach/ABC.svc* -- port 85

The URI (string) will be the same for all clients but the pool (value) is different. So how do I get the request to go to the right pool based on URI as well as host in the prefix? In my tests, all requests made for different client websites are going to the first pool in the data group.

699 Views, 0 likes, 3 Comments

iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.
I have read through a multitude of threads, but my scenario seems a little unique. A little background so it all makes sense. We serve multiple customers with their own site; each site is a virt server and they are using the header to match rather than a single IP per site. Each customer has a unique data group list of allowed IPs. We did not want a single list of allowed IPs in case a customer was emailed an incorrect URL by mistake, or just started browsing other DNS records for the domain etc. We are changing our monitoring company and I would like to have a second data group list of IPs that are allowed, so that any time there is a change for a source IP of monitoring, one of our offices etc., we don't have to touch 100 lists. The current iRule we are using is:

    when HTTP_REQUEST priority 100 {
        # This iRule will check if the client request is SITE.DOMAIN.COM and the client source IP is NOT a member of the datagroup specified, which is a list of allowed IPs.
        # If the client IP address is matched to the list of allowed IPs then it will bring up the web page; if it isn't, then it will bring up the COMPANY IP Forbidden Page.
        # The literal must be lower-case, because the host is lower-cased before the comparison.
        if { ( [string tolower [HTTP::host]] equals "1000-t01.domain.com" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow] ) } {
            # log local0. "Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
            HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
            after 50
            drop
            event disable
        }
    }

How do I add the second data group, and allow if the source IP is in either of the two data groups?

514 Views, 0 likes, 2 Comments

BIG-IP : iRule class match fails to find data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Starting last night, for every request processed by my irule-01 I see this error:

    Mon Sep 8 23:15:57 PDT 2014 err test-f5-01 tmm1[8721] 01220001 TCL error: /Common/irule-01 - Could not find class list_bots (line 2) invoked from within "class match -value [string tolower [HTTP::header User-Agent]] contains list_bots"

Here's the relevant line 2:

    set bot_generated [class match -value [string tolower [HTTP::header User-Agent]] contains list_bots]

But the list_bots external data-group (type string) is present and contains properly formatted name-value pairs, and in fact it has always been present and has always processed correctly in the past. Here is a sample line from list_bots:

    "bingbot" := "bingbot",

I deleted the list_bots external data-group and re-created it, but still have the same issue. What could be going on? What could have changed? What can I do?

499 Views, 0 likes, 5 Comments

Redirect based on datagroup
I have an iRule which checks to see if the URI is listed within a datagroup and then does a redirect to the value for that URI within the datagroup. Now the customer would like it to check for the URI plus a trailing / (e.g. /redirectme/ as well as /redirectme), but the data group list only contains the URIs without the trailing /. The data group has hundreds of entries, so adding all the URIs again including the / is out of the question. My iRule is currently:

    if { [class match [HTTP::uri] eq datagroup_uri_list] } {
        HTTP::respond 302 Location "[class match -value [HTTP::uri] eq datagroup_uri_list]"
    }

What would be the best way to add a / to the end of the datagroup_uri_list entries so they can be compared to the URI? I assume it'll be something like:

    if { [class match [HTTP::uri] eq datagroup_uri_list] || [class match [HTTP::uri] eq datagroup_uri_list]+/ } {
        HTTP::respond 302 Location "[class match -value [HTTP::uri] eq datagroup_uri_list]"
    }

499 Views, 0 likes, 3 Comments

problems with data group and http:host
Hi, I have set up a forward HTTP proxy, using the iRule provided on DevCentral (current version 3.2), which works quite well. But due to security demands, I need to limit outgoing requests to only approved hosts, which has proved to be a bit more challenging than first anticipated. What I have done is to create a data group containing the approved domains that can be reached, and added the following to the proxy iRule:

    if { not [matchclass [string tolower [HTTP::host]] ends_with data_group] } {
        reject
    }

So the thought is to only allow domains and subdomains that are in the data group, but we are not getting the results we want. If I change the operator from "ends_with" to "contains", it will work, but that will leave us more open to exploits, as we cannot be sure the request goes to a valid host. Is there something I'm missing here, as I thought that HTTP::host would be http:// and not include anything from the URI? If there are any suggestions on how to get this to work as intended, it would be much appreciated!

499 Views, 0 likes, 9 Comments

Data Group IP Lists and Route Domains
I wanted to ask this question since I hadn't seen a definitive answer for v11.x. In a Data Group List of IPs, when route domains are in use, is it required to denote the route domain suffix (%x) for each IP/network? Should I leave it off? It looks like in v10.x this did not work. See: https://devcentral.f5.com/questions/ip-address-based-classes-support-routing-domains-in-v101. Thanks.

487 Views, 0 likes, 4 Comments

Using data group for limiting the concurrent client connections from different subnets
Hi All,

We have recently deployed F5 in our environment. We are running version 11.5.3. We are trying to set up a rule to limit the concurrent connections from a source IP to a particular value. After testing various snippets, the one that worked best for us was (https://devcentral.f5.com/tech-tips/articles/iruleology-connection-limiting-take-2):

    when CLIENT_ACCEPTED {
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > 46 } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }

However, when I start like 60 parallel concurrent connections it allows like 42 (or something), slightly less than the set value. But then if I again try to make the connections (when the previous connections are active) it does eventually limit me to 46 (total). This is probably expected behavior, and we will see some percentage of error? My concern is to limit the connections per subnets, hosts. As I was browsing through, a data group can help me to achieve that. So, I created an address data group "connlimit_dg" with address records in the GUI:

    Address Records:
    192.0.0.0/255.0.0.0 := 22
    10.0.0.0/255.0.0.0 := 22

I see like '1' or sometimes no connections allowed to my test host (everything else is refused). I am suspecting I am not referring to the data group correctly.
See the snippet:

    when CLIENT_ACCEPTED {
        # Max connections per client IP
        set limit [class match [IP::client_addr] equals "connlimit_dg"]
        # Set a subtable name with a standard prefix and the client IP
        set tbl "connlimit:[IP::client_addr]"
        # Use a key of the client IP:port
        set key "[IP::client_addr][TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > $limit } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }

    when CLIENT_CLOSED {
        after cancel $timer
        table delete -subtable $tbl $key
    }

Thanks!

Regards
Renuka

457 Views, 0 likes, 3 Comments

BIG-IP : completely delete data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Via the admin browser I perform the following steps:

    Main > Local Traffic > iRules > Data Group List > select data group > delete "my-data-group"
    Main > System > File Management > Data Group File List > select data-group file > delete "my-data-group"

Then I ssh to the F5 device and navigate to this dir:

    /config/filestore/files_d/Common_d/data_group_d/

I expect to not find any file with the name my-data-group ... but instead I see:

    -rw-r--r-- 1 root apache 62 Sep 8 22:25 :Common:my-data-group_64015_18

For some reason BIG-IP is retaining an underlying data-group file with the same name as the external data-group and associated file that I deleted. Why is this? Can I safely delete this file?

433 Views, 0 likes, 1 Comment

iRule with host and uri match condition
I need an iRule that should check the host and URI combination and redirect to the appropriate pool. Below is what I have, but it's not working.

    when HTTP_REQUEST {
        set pool [class match -value -- [HTTP::host][HTTP::uri] equals test_url_attachment]
        if { $pool ne "" } {
            pool $pool
        }
    }

    example1.com/attachment should go to the example1.com pool
    example2.com/attachment should go to the example2.com pool
    example3.com/attachment should go to the example3.com pool

test_url_attachment is the datagroup that has string and value as below:

    example1.com/attachment* -- value example1.com
    example2.com/attachment* -- value example2.com
    example3.com/attachment* -- value example3.com

The URI will remain common for all, and I need to have the iRule this way based on URI, as it works only on a specific port (our app requirement). I have another iRule that maps based on just host to the appropriate pool on a different port. Please advise on the syntax, as the request is not reaching the pool with what I have.

399 Views, 0 likes, 1 Comment
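An added example, not taken from any of the posts on this page, showing one way to select a pool from a string data group keyed on host plus path, the problem both the first and the last questions above describe. The data group name dg_host_uri_pools, its records (for instance example1.com/attachment := pool_example1) and the pool names are assumptions for illustration; the F5 commands used (class match, getfield, HTTP::host, HTTP::path, HTTP::respond) are standard iRule commands.

```tcl
# Added example (not from any post above): route on host + path with a string
# data group. Assumed data group "dg_host_uri_pools" holds records such as
#     example1.com/attachment := pool_example1
# with no trailing "*": class match treats "*" as a literal character, not a
# wildcard, so prefix matching is done with the starts_with operator instead.
when HTTP_REQUEST {
    # Normalize the Host header: lower-case it and drop any ":port" suffix,
    # otherwise "Example1.COM:443" never matches the record for example1.com.
    # (getfield splits on ":", so a bracketed IPv6 literal host would need
    # separate handling; it is out of scope for this example.)
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Match on the path only, not HTTP::uri, so a query string such as
    # "/attachment?x=1" cannot change the result of the lookup.
    set key "${host}[HTTP::path]"

    # -value returns the record's value (the pool name) or "" when nothing
    # matches; "--" ends option parsing so a key beginning with "-" is safe.
    set pool [class match -value -- $key starts_with dg_host_uri_pools]

    if { $pool ne "" } {
        pool $pool
    } else {
        # Deny by default: a host/path pair with no record is refused here
        # rather than falling through to the virtual server's default pool.
        HTTP::respond 403 content "Forbidden" noserver
    }
}
```

Two points worth checking when adopting this pattern: keep each record's path prefix as specific as the application needs (a record of just example1.com/ would route every path under that host), and confirm that the pool names in the data group values exist in the same partition as the virtual server, since a typo in a value silently produces an empty match and the 403 branch.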