BIG-IP : completely delete data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Via the admin browser I perform the following steps:

Main > Local Traffic > iRules > Data Group List > select data group > delete "my-data-group"
Main > System > File Management > Data Group File List > select data-group file > delete "my-data-group"

Then ssh to the f5-device server and navigate to this dir:

    /config/filestore/files_d/Common_d/data_group_d/

I expect to not find any file with name my-data-group ... but instead I see:

    -rw-r--r-- 1 root apache 62 Sep 8 22:25 :Common:my-data-group_64015_18

For some reason BIG-IP is retaining an underlying data-group file of the same name as the external data-group and associated file that I deleted. Why is this? Can I safely delete this file?

446 Views, 0 likes, 1 Comment

BIG-IP : iControl LocalLBDataGroupFile.set_local_path()
F5 BIG-IP LTM VE v11.4.0 on ESXi

iControl re-cache data-group operation: LocalLBDataGroupFile.set_local_path()

For a live prod BIG-IP cluster with a VIP iRule that is actively reading data from the data-group, is the above considered a risky operation? e.g. attempt live-swap of data-group's data-file, fails due to locks or other systems-level issues, data-group now unavailable to iRule.

I've attempted a live-update of a data-file's contents via the BIG-IP browser admin (copy/paste new contents and click “Update”) and seen the corresponding data-group become unavailable to the iRule.

The paranoid approach is to create a new data-group/file and a copy of the iRule modified to point to this new data-group, and then in the VIP’s iRule list swap old/new iRules, so that I never actually update a “live” data-group.

So now I am concerned about performing a similar operation via iControl LocalLBDataGroupFile.set_local_path(), although apparently this API is not actually live-updating a cached data-file but rather re-pointing the data-group to a new cached data-file?

184 Views, 0 likes, 2 Comments

BIG-IP : iRule class match fails to find data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Starting last night, for every request processed by my irule-01 I see this error:

    Mon Sep 8 23:15:57 PDT 2014 err test-f5-01 tmm1[8721] 01220001 TCL error: /Common/irule-01 - Could not find class list_bots (line 2) invoked from within "class match -value [string tolower [HTTP::header User-Agent]] contains list_bots"

Here's the relevant line 2:

    set bot_generated [class match -value [string tolower [HTTP::header User-Agent]] contains list_bots]

But the list_bots external data-group (type string) is present and contains properly formatted name-value pairs, and in fact it always has been present and has always processed correctly in the past. Here is a sample line from list_bots:

    "bingbot" := "bingbot",

I deleted the list_bots external data-group and re-created it but still have the same issue. What could be going on? What could have changed? What can I do?

496 Views, 0 likes, 5 Comments

Method to redirect based on DYNAMIC IP list from external source...
We have a situation that happens daily - a certain browser and OS combination loops our login page uncontrollably. We have looked into the issue, and even modified our application to address it 99% of the time. However, we still get a few hundred of these a day, and they can loop 10K times in an hour. During very busy times this can cause undue load on our system.

We then have the ultimate fallback, which is to manually add these to a data group list, and throw them over to a static page that tells them to close their browser and reboot. Here's the simple rule we use:

    when HTTP_REQUEST {
        if { [class match [IP::client_addr] equals ps_redirect_quarantine] } {
            HTTP::redirect "http://docs.xyz.com/docs/portal/browser_error.html"
        }
    }

Once this is done, we remove the IP and carry on.

We have written a PL/SQL procedure on the back end to populate a table in our application database in realtime with the "offenders". What I want to do is find a way to get that data into the data group list. It does not have to be instant; once a minute would be sufficient. Even once every 5 would work.

I found a lot of people asking similar questions, and no real solutions. One suggested we may be able to "scrape" this from an html doc if we serve up the data that way. (We could do that.) But how would I approach that on the iRule side? Or is there a simpler way?

Thanks in advance

265 Views, 0 likes, 3 Comments

Redirect based on datagroup
I have an iRule which checks to see if the URI is listed within a datagroup and then does a redirect to the value for that URI within the datagroup.

Now the customer would like it to check for the URI plus a trailing / (e.g. /redirectme/ as well as /redirectme) but the data group list only contains the URIs without the trailing /. The data group has hundreds of entries so adding all the URIs again including the / is out of the question.

My iRule is currently:

    if { [class match [HTTP::uri] eq datagroup_uri_list] } {
        HTTP::respond 302 Location "[class match -value [HTTP::uri] eq datagroup_uri_list]"
    }

What would be the best way to add a / to the end of the datagroup_uri_list entries so they can be compared to the URI? I assume it'll be something like:

    if { [(class match [HTTP::uri] eq datagroup_uri_list] || class match [HTTP::uri] eq datagroup_uri_list]+/ } {
        HTTP::respond 302 Location "[class match -value [HTTP::uri] eq datagroup_uri_list]"
    }

518 Views, 0 likes, 3 Comments

iRule(s) using Data Group based on host and uri
So we are trying to implement a single VIP (one Virtual IP) for multiple clients (websites) and would like to achieve that using iRules that have a Data Group assigned. I was able to get the iRule working which has a DG based on host. However, I need to be able to accept certain requests based on a couple of URIs as well. One of the URIs should work on port 80 and the other on 85.

Below is the iRule I have, which works fine based on host for 443.

    when HTTP_REQUEST {
        set pool [class match -value -- [HTTP::host] equals test_url]
        if {$pool ne ""} {
            pool $pool
        }
    }

How do I append or add more iRules to manage my URI-based traffic? I believe the iRule for the port 80 URI needs to be on 80_VIP. Also, we need to have an http to https redirect rule for everything other than the above specified URIs.

URIs are as below --

    /XYZ.svc* -- port 80
    /example/attach/ABC.svc* -- port 85

The URI (string) will be the same for all clients but the pool (value) is different. So how do I get the request to go to the right pool based on URI as well as host in the prefix? In my tests, all requests made for different client websites are going to the first pool in the data group.

715 Views, 0 likes, 3 Comments

iRule with host and uri match condition
I need an iRule that should check the host and uri combination and redirect to the appropriate pool. Below is what I have but it's not working.

    when HTTP_REQUEST {
        set pool [class match -value -- [HTTP::host][HTTP::uri] equals test_url_attachment]
        if {$pool ne ""} {
            pool $pool
        }
    }

example1.com/attachment should go to example1.com pool
example2.com/attachment should go to example2.com pool
example3.com/attachment should go to example3.com pool

test_url_attachment is the datagroup that has string and value as below --

    example1.com/attachment* -- value example1.com
    example2.com/attachment* -- value example2.com
    example3.com/attachment* -- value example3.com

The URI will remain common for all and I need to have the iRule this way based on URI, as it works only on a specific port (our app requirement). I have another iRule that maps based on just host to appr pool on diff port.

Please advise on how to the syntax as the request is not reaching the pool with what I have.

399 Views, 0 likes, 1 Comment

iRule for IP restriction with multiple virt servers and multiple DGL of allowed IPs.
I have read through a multitude of threads, but my scenario seems a little unique.

A little background so it all makes sense. We serve multiple customers with their own site; each site is a virt server and we are using the header to match rather than a single IP per. Each customer has a unique data group list of allowed IPs. We did not want a single list of allowed IPs in case a customer was emailed an incorrect URL by mistake, or just started browsing other dns records for the domain etc.

We are changing our monitoring company and I would like to have a second data group list of IPs that are allowed so that any time there is a change for a source IP of monitoring, one of our offices etc, we don't have to touch 100 lists.

The current iRule we are using is:

    when HTTP_REQUEST priority 100 {
        # This iRule will check if the client request is SITE.DOMAIN.COM and the client source IP is NOT a member of the datagroup specified which is a list of allowed IPs
        # If the client ip address is matched to the list of allowed IPs then it will bring up the web page, if it isn't, then it will bring up the COMPANY IP Forbidden Page.
        if { ( [string tolower [HTTP::host]] equals "1000-t01.DOMAIN.COM" ) and not ( [class match [IP::client_addr] equals COMPANY-1000-CUSTOMER-DG-Allow ] ) } {
            # log local0."Invalid CUSTOMER client IP: [IP::client_addr] - Blocking traffic"
            HTTP::respond 200 content [ifile get COMPANY_ip_forbidden]
            after 50
            drop
            event disable
        }
    }

How do I add the second data group, and allow if the source IP is in either of the two data groups?

524 Views, 0 likes, 2 Comments

Data Group IP Lists and Route Domains
I wanted to ask this question since I hadn't seen a definitive answer for v11.x. In a Data Group List of IPs, when route domains are in use, is it required to denote the route domain suffix (%x) for each IP/network? Should I leave it off? Looks like in v10.x this did not work. See: https://devcentral.f5.com/questions/ip-address-based-classes-support-routing-domains-in-v101. Thanks.

512 Views, 0 likes, 4 Comments

Editing a data group from import, "invalid format, line 1"
Why is it that when we try to edit a data group list definition in the Big-IP GUI, we get an "...invalid format, line 1"? We created a sample file in notepad, and uploaded it. When we tried to edit the data group definition in the GUI, we got the error "...invalid format, line 1".

250 Views, 0 likes, 2 Comments