data groups
22 Topics

rewrite uri with datagroup
Hi

I'm new to irules and have got where I am by looking at other irules we have, but am still struggling.

I have a request from marketing to host a number (40) of small websites. Rather than setting up a new vip/pool/node/website for each one I would like to inspect the host header, forward it to a pool, rewrite the uri and be invisible to the user. This way I can simply copy the content to a single website.

e.g.

    nick.domain.co.uk/* -> forward to pool POC_Boxes -> uri rewritten to /nick/*
    alan.domain.co.uk/* -> forward to pool POC_Boxes -> uri rewritten to /alan/*
    lara.domain.co.uk/* -> forward to pool POC_Boxes -> uri rewritten to /lara/*

I have been able to get this working using a switch irule but would prefer a datagroup as it is easier to maintain going forward. However, I am having trouble reading data from the datagroup.

Here is my switch irule:

    when HTTP_REQUEST {
        # Keep the original URI so the per-site prefix can be prepended to it
        set marketingURI "[HTTP::uri]"
        switch -glob -- [string tolower [URI::decode [HTTP::host]]] {
            "nick.domain.co.uk" {
                HTTP::uri "/nick$marketingURI"
                pool POC_boxes
            }
            "lara.domain.co.uk" {
                HTTP::uri "/lara$marketingURI"
                pool POC_boxes
            }
            "alan.domain.co.uk" {
                HTTP::uri "/alan$marketingURI"
                pool POC_boxes
            }
            default {
                # Any other host is redirected
                HTTP::redirect "http://www.domain.com"
            }
        }
    }

Here is my datagroup irule:

    when HTTP_REQUEST {
        if { [class match [string tolower [HTTP::host]] starts_with POC_DGL_Marketing_trades] } {
            set url_URI [class match -value [string tolower [HTTP::host]] starts_with POC_DGL_Marketing_trades]
            set marketingURI "$url_uri[HTTP::uri]"
            HTTP::uri "$marketingURI"
            pool POC_boxes
        } else {
            HTTP::redirect "http://www.domain.com"
        }
        log local0. "Marketing Trades [HTTP::host]"
    }

Here is my datagroup:

    Name                 Value
    nick.domain.co.uk    /nick
    alan.domain.co.uk    /alan
    lara.domain.co.uk    /lara

Thanks
Nick

616 Views, 0 likes, 7 Comments

Modifying external datagroup within an irule
Hi all,

I'm attempting to log certain requests to an external datagroup in order to provide the logged data to management. The situation is we are testing out a new design of our site. I've got working irules to provide certain users a cookie and then changing their pool based on the cookie's value. I would like to then log to a file those users who have opted out.

The goal is to do something like this tmsh command but inside the irule:

    tmsh modify ltm data-group uid_optout_list records add { $fool_UID }

Where the $fool_UID is found by examining the incoming cookie and parsing out their UID. This happens earlier in the code and is working as expected, e.g. log local0. "NAT - UID $fool_UID" performs as expected.

Relevant subset of pool mapping code:

    # the cookie will either be "true%3D[an epoch time]" or "false%3D[an epoch time], so we split out true or false to test
    if {([lindex [split [HTTP::cookie value "NewArticleOptIn"] "%3D"] 0] equals "true") and not ($legacy_query_var equals "true")} {
        log local0. "NAT - hit article, optin true - $path"
        if { [class match $path starts_with tmf_poolmap_newsiteall]} {
            log local0. "NAT - class file hit - in poolmap"
            set tmfpool $tmfpool-django
        }
    } elseif {([lindex [split [HTTP::cookie value "NewArticleOptIn"] "%3D"] 0] equals "false") and not ($legacy_query_var equals "true")} {
        # checking for people who have opted out
        # get the Fool UID from Fool cookie. parse the UID out by using a temporary variable to get everything after the = and then splitting on the & to remove the end
        set fool_cookie [HTTP::cookie value "Fool"]
        set fool_UID1 [lindex [split $fool_cookie "="] 1]
        set fool_UID [lindex [split $fool_UID1 "&"] 0]
        log local0. "NAT - attempting to log false"
        unset fool_UID1 fool_UID fool_cookie
    }

Code setting the cookie for certain users based on point of entry into the site and if they already have it or not.

    when HTTP_REQUEST {
        if { [class match $path starts_with tmf_poolmap_newsite] } {
            # if the cookie doesn't exist, set it to true on response. we don't want to mess with an existing cookie
            if {not [HTTP::cookie exists "NewArticleOptIn"]} {
                # get the Fool UID from Fool cookie. parse the UID out by using a temporary variable to get everything after the = and then splitting on the & to remove the end
                set fool_cookie [HTTP::cookie value "Fool"]
                set fool_UID1 [lindex [split $fool_cookie "="] 1]
                set fool_UID [lindex [split $fool_UID1 "&"] 0]
                unset fool_UID1
                if {[class match $fool_UID equals tmf_uid_list]} {
                    set new_user "true"
                }
            }
        }
    }
    when HTTP_RESPONSE {
        # if new_user isn't null, we need to send them the cookie
        if {[info exists new_user]} {
            set now [clock seconds]
            set cookie [format "%s=%s; domain=%s; expires=%s; path=/;" "NewArticleOptIn" "true%3D$now" ".fool.com" "[expr {$now + 31536000}]"]
            HTTP::header insert "Set-Cookie" $cookie
            # remove the variables if they exist
            unset new_user
            unset fool_UID
            unset fool_cookie
        }
    }

So where I currently am logging to /var/ltm/log, I'd like to drop it into an external datagroup instead so that I end up with one list of unique keys. I've spent a few hours looking for this and can't seem to arrive at a solution, so any guidance would be appreciated.

We're currently on 10.2.4 and will be updating to 11.5.1 soon, so my suspicions would be that this needs to use tmsh instead of bigpipe, but if bigpipe gets me to a working solution today, that's fine with me.

There is also likely a more elegant way to parse their UID out from the Fool cookie, but that way was quick and working. If you want to advise me on that, the cookie's structure is Uid=&someotherdata

Thanks for your time!

P.S. in case you're wondering, I'm not calling my opt-out users fools! I work at The Motley Fool, so it's a term we use positively.

611 Views, 0 likes, 6 Comments

BIG-IP : create data-group fails with format error
f5 BIG-IP LTM VE v11.4.0 on ESXi

I am attempting to create a new data-group:

    Type = "(External File)"
    File Contents = "String"
    Key/Value Pair Separator = ":="

My external data-file 'test.txt':

    "test-1" := "test-1",
    "test-2" := "test-2",

What is strange is that I've previously successfully loaded data in exactly this format. However, now I receive this error:

    0107169a:3: The data group external file (/config/filestore/.stage_d/107479_d/Common_d/data_group_d/:Common:test_57194_1) has an invalid format, line: 2.

I've tried removing the final comma on line 2:

    "test-1" := "test-1",
    "test-2" := "test-2"

but receive the same error.

With a single row:

    "test-1" := "test-1",

the data loads with no error.

509 Views, 0 likes, 3 Comments

iRule to check URI and Client source IP using data groups
Hi everybody,

I'm trying to achieve the following with my iRule:

1. Check for URI and if it's /abc/* choose pool_A
2. Check for URI and if it's /abc-preprod/* also check if Client's IP is from internal pool using datagroup "internalIP"
3. If both checks under 2 are good, choose pool_b
4. Discard everything else that wasn't caught by 1 or 2

My iRule is:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/abc/*" {
                log local0. "Detected [HTTP::uri] URL"
                pool pool_A
                log local0. "Production pool selected"
            }
            "/abc-preprod/*" {
                log local0. "Detected [HTTP::uri] URL"
                if { ([class match [IP::remote_addr] equals $::internalIP]) }
                log local0. "Client IP [IP::remote_addr] belongs to private network"
                pool pool_B
                log local0. "Pre-production pool selected"
            }
            default {
                discard
                log local0. "Wrong URI or Client connecting to Pre-prod from external, packet discarded"
            }
        }
    }

However I'm unable to get the syntax working and it fails with:

    01070151:3: Rule [/Common/***_redirect_iRule_Logging] error: /Common/***_redirect_iRule_Logging:8: error: [missing a script after "if"][ ]

Can somebody help?

500 Views, 0 likes, 4 Comments

BIG-IP : iRule class match fails to find data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Starting last night, for every request processed by my irule-01 I see this error:

    Mon Sep 8 23:15:57 PDT 2014 err test-f5-01 tmm1[8721] 01220001 TCL error: /Common/irule-01 - Could not find class list_bots (line 2) invoked from within "class match -value [string tolower [HTTP::header User-Agent]] contains list_bots"

Here's the relevant line 2:

    set bot_generated [class match -value [string tolower [HTTP::header User-Agent]] contains list_bots]

But the list_bots external data-group (type string) is present and contains properly formatted name-value pairs and in fact it always has been present and has always processed correctly in the past.

Here is a sample line from list_bots:

    "bingbot" := "bingbot",

I deleted list_bots external data-group and re-created it but still same issue.

What could be going on? What could have changed? What can I do?

499 Views, 0 likes, 5 Comments

irule for snat pool and data group and pool member
Hi Everyone,

Can anyone help me to create an irule:

Pool Name: Pool_Test
Member:
a. 10.10.10.2 port 0 (ALL)
b. 20.20.20.2 port 0 (ALL)

Datagroup name: dg_test

Snatpool:
a. snat1 - 10.10.10.1
b. snat2 - 20.20.20.2

What I want is: if the client IP is a member of the datagroup dg_test, it will use pool_test but will use the pool member 10.10.10.2 port 0 (ALL) and will be SNATed to snat1. Everything else will fall to pool_test pool member 20.20.20.2 port 0 (ALL) and snat2.

Please help me.

480 Views, 0 likes, 6 Comments

data group iRule
Hello iExperts,

I just wanted to double check with you the following irule where I want to double check that the client IP is in a determinate data group range of IPs (ecmvpn_ip_dg) and if so, return a HTTP 302 redirect to such client. Is it the correct and "optimized" way to do it?

    when RULE_INIT {
        set static::ecmvpn_flag 0
    }
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals ecmvpn_ip_dg] } {
            set static::ecmvpn_flag 1
        }
    }
    when HTTP_REQUEST {
        if {$static::ecmvpn_flag==1}{
            HTTP::redirect http://ecmvpn.[HTTP::uri]
            return
        }
        switch -glob [string tolower [HTTP::host]] {
            "ecm.domain" {
                if { ([HTTP::uri] starts_with "/APPLICATION")} {
                    HTTP::header insert USER-IP [IP::remote_addr]
                    persist cookie insert
                    pool DCTM_ECM_APPLICATION _APPLICATION PORT_PROD (or PREP)
                    return
                }
            }
            default {
                return
            }
        }
    }

Solved
468 Views, 0 likes, 8 Comments

Using data group for limiting the concurrent client connections from different subnets
Hi All,

We have recently deployed F5 in our environment. We are running 11.5.3 version. We are trying to set up a rule to limit the concurrent connections from a source IP to a particular value. After testing various snippets, the best one that worked for us was (https://devcentral.f5.com/tech-tips/articles/iruleology-connection-limiting-take-2):

    when CLIENT_ACCEPTED {
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > 46 } {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms ; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }

However, when I start like 60 parallel concurrent connections it allows like 42 (or something) slightly less than the set value. But then if I again try to make the connections (when previous connections are active) it does eventually limit me to 46 (total). This is probably an expected behavior, and we will see some %age of error?

My concern is to limit the connections per subnets, hosts. As I was browsing through, a data group can help me to achieve that. So, I created an address data group "connlimit_dg" with address records in the GUI:

Address Records:

    192.0.0.0/255.0.0.0 := 22
    10.0.0.0/255.0.0.0 := 22

I see like '1' or sometimes no connection allowed to my test host (everything else is refused). I am suspecting I am not referring to the data group correctly.
See the snippet:

    when CLIENT_ACCEPTED {
        # Max connections per client IP
        set limit [class match [IP::client_addr] equals "connlimit_dg"]
        # Set a subtable name with a standard prefix and the client IP
        set tbl "connlimit:[IP::client_addr]"
        # Use a key of the client IP:port
        set key "[IP::client_addr][TCP::client_port]"
        table set -subtable $tbl $key "ignored" 180
        if { [table keys -subtable $tbl -count] > $limit} {
            table delete -subtable $tbl $key
            event CLIENT_CLOSED disable
            reject
        } else {
            # here the timer value is in ms ; 60000 ms (60 sec)
            set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
        }
    }
    when CLIENT_CLOSED {
        after cancel $timer
        table delete -subtable $tbl $key
    }

Thanks!

Regards
Renuka

457 Views, 0 likes, 3 Comments

BIG-IP : completely delete data-group
F5 BIG-IP 11.4.1 Build 635.0 Hotfix HF2 LTM VE ESXi

Via admin browser I perform following steps:

    Main > Local Traffic > iRules > Data Group List > select data group > delete "my-data-group"
    Main > System > File Management > Data Group File List > select data-group file > delete "my-data-group"

Then ssh to f5-device server and navigate to this dir:

    /config/filestore/files_d/Common_d/data_group_d/

I expect to not find any file with name my-data-group ... but instead I see:

    -rw-r--r-- 1 root apache 62 Sep 8 22:25 :Common:my-data-group_64015_18

For some reason BIG-IP is retaining an underlying data-group file of same name as the external data-group & associated file that I deleted.

Why is this? Can I safely delete this file?

433 Views, 0 likes, 1 Comment