Irule to allow specific IPs
I have a site which is abc.com Trying to achieve below requirements- 1) If uri is / it should redirect to abc.com/xyz - open for all 2) If uri is /rdp_xyz_tshoot should accessible to internal network - (here we can use the datagroup list) As this site is migrated to akamai where they have requirement to use below irule- when HTTP_REQUEST { if { [HTTP::header exists True-Client-IP] } { set trueclientip [HTTP::header True-Client-IP] HTTP::header replace X-Forwarded-For $trueclientip } } Cause for above akamai irule= Normally the True-Client-IP header includes the real IP of the clients when requests are coming from Akamai. It will be unaffected and be sent as part of the request to the pool member. So, your backend servers could look for that header and do something with its value. However, if you want the F5 to translate it to the X-Forwarded-For header, you can use an iRule to convert the Akamai True-Client-IP header to the X-Forwarded-For header. we are trying with below irule which is not working- when HTTP_REQUEST { if { ([HTTP::uri] starts_with "/rdp_xyz_tshoot") && (not[class match [IP::client_addr] equals allowed_IPs])} { reject } if { [HTTP::uri] == "/" } { HTTP::redirect "https://[HTTP::host]/abc_login.jsp" } } Please help
VS with Wildcard Pool set path to specific port
Good Day - Today we have a Virtual Server listening on port 443, and an irule with 300+ lines to switch pool based on the path. Example of current irule is below: when HTTP_REQUEST { switch -glob [string tolower [HTTP::path]] { "/site1/score/sap/wbse/search" { pool pool_site1.test.com_34561 } "/site1/score/sap/companycodes" { pool pool_site1.test.com_34561 } "/site2/score/timekeeper/unionmasterdata/contract" { pool pool_site2.test.com_34562 } "/site2/score/timekeeper/unionmasterdata/jobcode" { pool pool_site2.test.com_34562 } "/site3/score/sap/chartofaccounts/glaccount*" { pool pool_site3.test.com_34563 } "/site3/score/timekeeper/timecard/gettimecard" { pool pool_site3.test.com_34563 } default { pool pool_site0.test.com_33333 } } } So the above irule goes on for over 300+ more lines. Here is the problem with this: Above setup we are creating over 200+ individual pools of servers with the same 5 servers but just on different ports. Original reason for all the pools is not every port would be up all the time so in the beginning it was simple just to create a pool, but now this is getting un-managable. What I would like to do is the following: Since all the servers in the over 200+ pools are exactly the same but only on a different port I would like to create a wildcard pool instead with just the 5 servers in them. pool pool_site0.test.com member server0.test.com:0 member server1.test.com:0 member server2.test.com:0 member server3.test.com:0 member server4.test.com:0 Move the path / destination port into a Data group and create an iRule that will match the path then check if the server in the wildcard pool responds to the port and if so then send the request to that server. So requesting assistance on creating an irule that: Read the path on the incoming request Match path in datagroup and map destination port based on path matched in datagroup Check if the servers in the wildcard server pool responds on the port matched if port responds on server, then send request to server that responds. Any assistance would be appreciated. Thx Rich
APM session policy based on IP address datagroup?
Hi everyone We currently use LTM policy to use datagroup as ACL for virtual server access. After LTM ACL is accepted, APM policy will create a session etc But I was thinking to optimize it, so that LTM policy is not executed for every request while APM session is active So, I am thinking of removing the LTM policy that does IP matching and adding a step in APM per-session policy to do IP matching. Under APM there are 2 areas that can be used - IP subnet matching or ACL matching We have 100s, if not 1000s of IPs, and not sure if either of the 2 would be able to work with it without reaching limits of sorts. Have a call with F5 support to confirm the limits. But I wanted to investigate the idea, if its possible to execute a policy/iRule from within APM that would use existing datagroup/external file datagroup to perform the check. Can anyone assist with a clean way of doing it? I am thinking having a step to execute iRule that inserts some sort of variable into APM session (say isIPAllowed) and then in the next step check if that isIPAllowed = 1 and branch out from there?
Redirect URIs in datagroup to dedicated node
Hi Could you help identify why I get the following error below when applying this irule. ERROR ===================================== :9: error: ["wrong # of arguments"][class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]] The aim is to send specific requeststo a dedicated node "1.2.2.2" in pool "myprodpool" that match a URI list datagroup "ACL_webforms" . This must also maintain sticky persistence cookie on this node. So when request that contain URIs in datagroup, send to node 1.2.2.2 with cookie persistence The irule below gives this error set is_match [class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]] IRULE ============================== when HTTP_REQUEST { # Define the name of your data group containing the URIs set datagroup_name "ACL_Intranett-webforms" # Get the request URI set request_uri [HTTP::uri] # Check if the request URI matches any entry in the data group set is_match [class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]] if { $is_match } { # Set the node to your specific IP address set node_ip "1.2.2.2" # Set the persistence cookie name set persistence_cookie_name "sticky_cookie_name" # Check if the persistence cookie exists set cookie_value [HTTP::cookie $persistence_cookie_name] if { $cookie_value eq "" } { # If the cookie doesn't exist, create and set the cookie set cookie_value [IP::client_addr] HTTP::cookie insert $persistence_cookie_name $cookie_value } # Set the persistence based on the cookie persist uie cookie $persistence_cookie_name pool $node_ip return } }