data group
26 Topics

Modification of data group in CLI mode
Suppose I have a data group, say named xyz, which contains only strings. But there are around 150 strings added in the data group. Now I want to modify the data group, where I want to add another 150 new strings. If I do it manually it will take a lot of time. How can I do it in the vi editor or with any other alternative method via CLI mode?

1.8K Views, 0 likes, 2 Comments

[Workaround]: Prevent iRule Managers to accidentally enter invalid characters into a Data Group
We realized some time ago that the BIG-IP GUI does not handle UTF-8 encoded strings very well in Data Groups, which results in ever-growing data records every time the Data Group is saved.

This is an example of how to reproduce the problem and see it in action:

1. Start by creating an empty new data group named TEST of the type string.
2. Add a line with the key test1 and the value abcåäö123 (copy and paste if you don't have a Nordic keyboard).
3. Click finish.
4. Check with tmsh list ltm data-group internal TEST. You will see that it doesn't handle the UTF-8 data and you will see two characters for each > 7-bit character.
5. Now go to the GUI again and add a second line with the key test2 and the same value abcåäö123.
6. Click update.
7. Once again check tmsh and you will see that not only has test2 been added but test1 has also been updated, now including even more wrong characters.

This is a screenshot of how it will look:

The result of this is that eventually you will receive the following error from the BIG-IP (even if you only update lines that are not containing 8-bit ASCII characters).

Workaround

Luckily we require the iRule Managers to log in to an APM portal (webtop) where we have published a Portal Access to the administrative GUI of the BIG-IP, and since we do that, we can inject some JavaScript that will check the data before it is saved.
iRule PREVENT_INVALID_DATA_IN_DATAGROUP-IRULE

This iRule will inject some JavaScript code that will prevent these mistakes from happening.

    when HTTP_REQUEST {
        set inject_code 0
        # Only the GUI's skin.js is rewritten
        if {[HTTP::path] ends_with "/tmui/tmui/skins/Default/scripts/skin.js"} {
            set inject_code 1
            STREAM::disable
            # Request an uncompressed response so the stream filter can match it
            HTTP::header remove "Accept-Encoding"
        }
    }
    when HTTP_RESPONSE {
        if {$inject_code == 1} {
            # s1 is the string to find, r1 is s1 plus the injected 7-bit ASCII check
            set s1 "this.form.submitError\ =\ formSubmitError;"
            set r1 "this.form.submitError\ =\ formSubmitError;\n"
            append r1 "if\ (document.location.href.indexOf('datagroup')\ >\ -1)\ {\n"
            append r1 "select\ =\ document.getElementById('class_string_item');\n"
            append r1 "if\ (select\ !=\ null)\ {\n"
            append r1 "console.log('We\ found\ the\ select');\n"
            append r1 "for\ (option\ of\ select.children)\ {\n"
            append r1 "key\ =\ option.value.substr(0,\ option.value.indexOf('\\\\x0a'));\n"
            append r1 "if\ (!\ /^\[\\x00-\\x7F\]*\$/.test(key))\ {\n"
            append r1 "alert('String\ \"'+key+'\"\ contains\ invalid\ characters!');\n"
            append r1 "return\ false;\n"
            append r1 "}\n"
            append r1 "if\ (!\ /^\[\\x00-\\x7F\]*\$/.test(option.value))\ {\n"
            append r1 "alert('Value\ of\ \"'+key+'\"\ contains\ invalid\ characters!');\n"
            append r1 "return\ false;\n"
            append r1 "}\n"
            append r1 "}\n"
            append r1 "}\n"
            append r1 "}\n"
            STREAM::expression "@$s1@$r1@"
            STREAM::enable
        }
    }

Now if you add a streaming profile to your APM Virtual Server and add this iRule, the user will be presented with a popup informing them about the invalid data and also preventing them from submitting it. Hope this can be of help until F5 fixes this in the BIG-IP.

1.2K Views, 2 likes, 1 Comment

Detect IP in a range in iRule
For the IPs in a range, for example 91.186.192.0 to 91.186.223.255, how should I structure the datagroup list to detect if the incoming IP is within that range using the iRule? There are many IP ranges. If I calculate the CIDR for each range beforehand (an example CIDR for the above range would be 91.186.192.0/19), can I make use of the CIDR to detect if the incoming IP is within the given range using iRule?

899 Views, 0 likes, 2 Comments

Datagroup audit through VIP
Long and short is that we have an external address datagroup that we interrogate from a VIP for auditing.

Datagroup:

    host x.x.x.x := "blah",
    network y.y.y.0/20 := "blah blah,",
    host z.z.z.z := "blah blah blah",

Rule:

    when HTTP_REQUEST {
        switch [string tolower [HTTP::uri]] {
            "/auditurl" {
                HTTP::respond 200 content "[string map { " " "\n" } [class names penaltybox-dg]]" Cache-Control "no-cache,no-store" Content-Type "text/plain"
            }
        }
    }

This does a good job of dumping out all of the records in the datagroup, but is not an easy thing to filter OUT the host entries. It's pretty easy to apply a filter to "class name" to include something, but I have had a hard time figuring out a way to EXCLUDE something.

    x.x.x.x/32
    y.y.y.0/20
    z.z.z.z/32

Is there a way to filter out all of the host entries, so no more "/32"s in the listing? Any help would be appreciated. Thanks all.

Cameron

Solved, 873 Views, 0 likes, 5 Comments

Irule Redirect with Datagroup
I have the following iRule and data group working (if I go to jerry.com/jerry it redirects me to http://www.msn.com/en-us/news). What I would like to add to the functionality, if possible, is that if I were to go to jerry.com/jerry/123 it redirects me to http://www.msn.com/en-us/news/jerry/123. So I would like it to remember the /jerry/123 and append that to the redirected URL. Can anyone tell me if this is possible with the syntax of the iRule and datagroup? Below are the contents of my iRule and datagroup:

    Name: datagroup_uri_list
    String: jerry.va.gov/jerry
    Value: www.msn.com/en-us/news

iRule is:

    when HTTP_REQUEST {
        # Look up host + URI in the data group and redirect to the stored value
        if { [class match [HTTP::host][HTTP::uri] equals datagroup_uri_list] } {
            set redirect_value [class match -value [HTTP::host][HTTP::uri] eq datagroup_uri_list]
            HTTP::respond 302 Location "http://$redirect_value"
        }
    }

800 Views, 0 likes, 1 Comment

iRule Choose pool base on SNI and disable ssl base on SNI
Hi,

We have the need to select a pool via iRule but we don't want to decrypt all HTTPS traffic. Can we do this? (This is outbound traffic.)

We have a list of URLs in an iRule datagroup.

If a user accesses an HTTPS website -> F5 detects the SNI and checks if that URL is in the datagroup or not.
If it's in the datagroup -> load balance to pool A.
If it's not in the datagroup -> disable the http profile, ssl profile and other profiles (if any) to just forward HTTPS traffic only. Don't decrypt/encrypt anything.

Is this possible? Thank you

799 Views, 0 likes, 4 Comments

iRule(s) using Data Group based on host and uri
So we are trying to implement a single VIP (one Virtual IP) for multiple clients (websites) and would like to achieve that using iRules that have a Data Group assigned. I was able to get the iRule working which has a DG based on host. However, I need to be able to accept certain requests based on a couple of URIs as well. One of the URIs should work on port 80 and the other on 85. Below is the iRule I have, which works fine based on host for 443.

    when HTTP_REQUEST {
        set pool [class match -value -- [HTTP::host] equals test_url]
        if {$pool ne ""} {
            pool $pool
        }
    }

How do I append or add more iRules to manage my URI based traffic? I believe the iRule for the port 80 URI needs to be on 80_VIP. Also we need to have an http to https redirect rule for everything other than the above specified URI. URIs are as below:

    /XYZ.svc* -- port 80
    /example/attach/ABC.svc* -- port 85

The URI (string) will be the same for all clients but the pool (value) is different. So how do I get the request to go to the right pool based on URI as well as host in the prefix? In my tests, all requests made for different client websites are going to the first pool in the data group.

699 Views, 0 likes, 3 Comments

Modifying external datagroup within an irule
Hi all,

I'm attempting to log certain requests to an external datagroup in order to provide the logged data to management. The situation is we are testing out a new design of our site. I've got working iRules to provide certain users a cookie and then changing their pool based on the cookie's value. I would like to then log to a file those users who have opted out. The goal is to do something like this tmsh command but inside the iRule:

    tmsh modify ltm data-group uid_optout_list records add { $fool_UID }

Where the $fool_UID is found by examining the incoming cookie and parsing out their UID. This happens earlier in the code and is working as expected, e.g. log local0. "NAT - UID $fool_UID" performs as expected.

Relevant subset of pool mapping code:

    # the cookie will either be "true%3D[an epoch time]" or "false%3D[an epoch time], so we split out true or false to test
    if {([lindex [split [HTTP::cookie value "NewArticleOptIn"] "%3D"] 0] equals "true") and not ($legacy_query_var equals "true")} {
        log local0. "NAT - hit article, optin true - $path"
        if { [class match $path starts_with tmf_poolmap_newsiteall]} {
            log local0. "NAT - class file hit - in poolmap"
            set tmfpool $tmfpool-django
        }
    } elseif {([lindex [split [HTTP::cookie value "NewArticleOptIn"] "%3D"] 0] equals "false") and not ($legacy_query_var equals "true")} {
        # checking for people who have opted out
        # get the Fool UID from Fool cookie. parse the UID out by using a temporary variable to get everything after the = and then splitting on the & to remove the end
        set fool_cookie [HTTP::cookie value "Fool"]
        set fool_UID1 [lindex [split $fool_cookie "="] 1]
        set fool_UID [lindex [split $fool_UID1 "&"] 0]
        log local0. "NAT - attempting to log false"
        unset fool_UID1 fool_UID fool_cookie
    }

Code setting the cookie for certain users based on point of entry into the site and if they already have it or not:

    when HTTP_REQUEST {
        if { [class match $path starts_with tmf_poolmap_newsite] } {
            # if the cookie doesn't exist, set it to true on response. we don't want to mess with an existing cookie
            if {not [HTTP::cookie exists "NewArticleOptIn"]} {
                # get the Fool UID from Fool cookie. parse the UID out by using a temporary variable to get everything after the = and then splitting on the & to remove the end
                set fool_cookie [HTTP::cookie value "Fool"]
                set fool_UID1 [lindex [split $fool_cookie "="] 1]
                set fool_UID [lindex [split $fool_UID1 "&"] 0]
                unset fool_UID1
                if {[class match $fool_UID equals tmf_uid_list]} {
                    set new_user "true"
                }
            }
        }
    }
    when HTTP_RESPONSE {
        # if new_user isn't null, we need to send them the cookie
        if {[info exists new_user]} {
            set now [clock seconds]
            set cookie [format "%s=%s; domain=%s; expires=%s; path=/;" "NewArticleOptIn" "true%3D$now" ".fool.com" "[expr {$now + 31536000}]"]
            HTTP::header insert "Set-Cookie" $cookie
            # remove the variables if they exist
            unset new_user
            unset fool_UID
            unset fool_cookie
        }
    }

So where I currently am logging to /var/ltm/log, I'd like to drop it into an external datagroup instead so that I end up with one list of unique keys. I've spent a few hours looking for this and can't seem to arrive at a solution, so any guidance would be appreciated. We're currently on 10.2.4 and will be updating to 11.5.1 soon, so my suspicions would be that this needs to use tmsh instead of bigpipe, but if bigpipe gets me to a working solution today, that's fine with me.

There is also likely a more elegant way to parse their UID out from the Fool cookie, but that way was quick and working. If you want to advise me on that, the cookie's structure is Uid=&someotherdata

Thanks for your time!

P.S. in case you're wondering, I'm not calling my opt-out users fools! I work at The Motley Fool, so it's a term we use positively.

611 Views, 0 likes, 6 Comments

Print string found in Data Group to Log
I have an iRule that is looking in the HTTP POST request method data payload for a string that is defined in a data-group. I would like to print to the log whichever string from the referenced data-group is found.

    # See https://devcentral.f5.com/s/question/0D51T00006i7hpJSAQ/irule-to-block-requests-with-specific-word
    #
    #ltm data-group internal restricted_dg {
    #records {
    #restricted {}
    #}
    #type string
    #}
    when HTTP_REQUEST_DATA {
        set payload [HTTP::payload]
        if {[class match [string tolower $payload] contains "restricted_dg"]} {
            # set variable named restricted_text to the string found in $payload
            # that matches something in data-group restricted_dg
            log local0. "Rejecting restricted content $restricted_text"
            reject
        }
    }

500 Views, 1 like, 2 Comments