datagroup
6 Topics

Irule to allow specific IPs
I have a site which is abc.com. Trying to achieve the below requirements:

1) If the URI is / it should redirect to abc.com/xyz - open for all
2) If the URI is /rdp_xyz_tshoot it should be accessible to the internal network (here we can use the datagroup list)

As this site is migrated to Akamai, where they have a requirement to use the below iRule:

    when HTTP_REQUEST {
        if { [HTTP::header exists True-Client-IP] } {
            set trueclientip [HTTP::header True-Client-IP]
            HTTP::header replace X-Forwarded-For $trueclientip
        }
    }

Cause for the above Akamai iRule: Normally the True-Client-IP header includes the real IP of the clients when requests are coming from Akamai. It will be unaffected and be sent as part of the request to the pool member. So, your backend servers could look for that header and do something with its value. However, if you want the F5 to translate it to the X-Forwarded-For header, you can use an iRule to convert the Akamai True-Client-IP header to the X-Forwarded-For header.

We are trying with the below iRule, which is not working:

    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/rdp_xyz_tshoot") && (not [class match [IP::client_addr] equals allowed_IPs]) } {
            reject
        }
        if { [HTTP::uri] == "/" } {
            HTTP::redirect "https://[HTTP::host]/abc_login.jsp"
        }
    }

Please help

41 Views, 0 likes, 2 Comments

VS with Wildcard Pool set path to specific port
Good Day - Today we have a Virtual Server listening on port 443, and an iRule with 300+ lines to switch pool based on the path. An example of the current iRule is below:

    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]] {
            "/site1/score/sap/wbse/search" { pool pool_site1.test.com_34561 }
            "/site1/score/sap/companycodes" { pool pool_site1.test.com_34561 }
            "/site2/score/timekeeper/unionmasterdata/contract" { pool pool_site2.test.com_34562 }
            "/site2/score/timekeeper/unionmasterdata/jobcode" { pool pool_site2.test.com_34562 }
            "/site3/score/sap/chartofaccounts/glaccount*" { pool pool_site3.test.com_34563 }
            "/site3/score/timekeeper/timecard/gettimecard" { pool pool_site3.test.com_34563 }
            default { pool pool_site0.test.com_33333 }
        }
    }

So the above iRule goes on for over 300+ more lines. Here is the problem with this: with the above setup we are creating over 200+ individual pools of servers with the same 5 servers but just on different ports. The original reason for all the pools is that not every port would be up all the time, so in the beginning it was simple just to create a pool, but now this is getting unmanageable.

What I would like to do is the following: Since all the servers in the over 200+ pools are exactly the same but only on a different port, I would like to create a wildcard pool instead with just the 5 servers in them.

    pool pool_site0.test.com
        member server0.test.com:0
        member server1.test.com:0
        member server2.test.com:0
        member server3.test.com:0
        member server4.test.com:0

Move the path / destination port into a Data group and create an iRule that will match the path, then check if the server in the wildcard pool responds to the port and if so then send the request to that server.
So requesting assistance on creating an iRule that:

- Reads the path on the incoming request
- Matches the path in the datagroup and maps the destination port based on the path matched in the datagroup
- Checks if the servers in the wildcard server pool respond on the port matched
- If the port responds on a server, then sends the request to the server that responds

Any assistance would be appreciated. Thx Rich

52 Views, 0 likes, 1 Comment

APM session policy based on IP address datagroup?
Hi everyone

We currently use an LTM policy to use a datagroup as an ACL for virtual server access. After the LTM ACL is accepted, the APM policy will create a session etc.

But I was thinking to optimize it, so that the LTM policy is not executed for every request while the APM session is active. So, I am thinking of removing the LTM policy that does IP matching and adding a step in the APM per-session policy to do IP matching.

Under APM there are 2 areas that can be used - IP subnet matching or ACL matching. We have 100s, if not 1000s of IPs, and I'm not sure if either of the 2 would be able to work with it without reaching limits of sorts. I have a call with F5 support to confirm the limits.

But I wanted to investigate the idea, if it's possible to execute a policy/iRule from within APM that would use an existing datagroup/external file datagroup to perform the check. Can anyone assist with a clean way of doing it?

I am thinking of having a step to execute an iRule that inserts some sort of variable into the APM session (say isIPAllowed) and then in the next step check if that isIPAllowed = 1 and branch out from there?

68 Views, 0 likes, 1 Comment

Modifying multiple entries in a datagroup via API?
We have a datagroup with entries like this:

    domain1.com := virtual /Common/www.domain1.com_vs_443
    domain2.com := virtual /Common/www.domain2.com_vs_443
    domain3.com := virtual /Common/www.domain3.com_vs_443

And so forth. This datagroup gets used by an iRule for re-routing traffic based on SNI. I need to be able to make an HTTP call to the F5 to remap these to put up a maintenance page. So in other words I want to modify the above to:

    domain1.com := virtual /Common/maintenance.domain1.com_vs_443
    domain2.com := virtual /Common/maintenance.domain2.com_vs_443
    domain3.com := virtual /Common/maintenance.domain3.com_vs_443

I figured out that I can make a curl request as such to delete entries from the datagroup:

    curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20delete%20%7B%20www.domain1.com,www.domain2.com,www.domain3.com%20%7D | jq .

And via this article https://community.f5.com/t5/technical-forum/add-new-key-into-data-group-without-updating-entire-list-using/td-p/272699 I was able to determine we could add a key using this:

    curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20add%20%7b%20www.domain1.com%20%7b%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7d%20%7d' | jq .

However, then I have to have one HTTP request per domain. If I need to repoint 20 sites, for example, I have to make 20 different requests instead of one request with all domains. Is there a way to add multiple records at once?
I tried something like this:

    curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options%3Drecords%20add%20%7B%20www.domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20www.domain2.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain2.com_vs_443%22%20%7D%20www.domain3.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain3.com_vs_443%22%20%7D%20www.domain4.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain4.com_vs_443%22%20%7D%7D' | jq .

Here's the URL HTML decoded (so it's easier to read):

    https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records add { www.domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } www.domain2.com { data "virtual /Common/maintenance.domain2.com_vs_443" } www.domain3.com { data "virtual /Common/maintenance.domain3.com_vs_443" } www.domain4.com { data "virtual /Common/maintenance.domain4.com_vs_443" }}

However I get this error:

    {
      "code": 400,
      "message": "one or more properties must be specified",
      "errorStack": [],
      "apiError": 26214401
    }

I haven't been able to figure out if adding multiple records isn't supported or if I have the syntax wrong, and frankly the documentation here: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_data-group_internal.html and here: https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/ltm/ltm_data-group_internal.html isn't super clear. Frankly, the fact that PATCH doesn't just modify the entries sent seems like a bug to me, and using ?options record add seems like a hack. Alternatively, is there some way to run a modify instead of running delete and then add?
That would be even more efficient (fewer HTTP calls) and less opportunity for a call to fail. I know I can just get all records, modify them and then post all records back. The trouble with that approach is that then I'm touching records I really don't want to touch and having to do some sort of regex replace. This seems like it could have the potential to accidentally modify records I don't want to modify if my regex isn't very explicit. I would prefer a more targeted approach which only modifies the records that need modifying and touches nothing else.

Thanks

Solved - 863 Views, 0 likes, 9 Comments

Redirect URIs in datagroup to dedicated node
Hi

Could you help identify why I get the following error below when applying this iRule?

ERROR
=====================================

    :9: error: ["wrong # of arguments"][class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]]

The aim is to send specific requests to a dedicated node "1.2.2.2" in pool "myprodpool" that match a URI list datagroup "ACL_webforms". This must also maintain a sticky persistence cookie on this node. So when a request contains URIs in the datagroup, send to node 1.2.2.2 with cookie persistence.

The iRule below gives this error:

    set is_match [class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]]

IRULE
==============================

    when HTTP_REQUEST {
        # Define the name of your data group containing the URIs
        set datagroup_name "ACL_Intranett-webforms"

        # Get the request URI
        set request_uri [HTTP::uri]

        # Check if the request URI matches any entry in the data group
        set is_match [class match -value $request_uri equals_any -case_sensitive [class lookup $datagroup_name]]

        if { $is_match } {
            # Set the node to your specific IP address
            set node_ip "1.2.2.2"

            # Set the persistence cookie name
            set persistence_cookie_name "sticky_cookie_name"

            # Check if the persistence cookie exists
            set cookie_value [HTTP::cookie $persistence_cookie_name]
            if { $cookie_value eq "" } {
                # If the cookie doesn't exist, create and set the cookie
                set cookie_value [IP::client_addr]
                HTTP::cookie insert $persistence_cookie_name $cookie_value
            }

            # Set the persistence based on the cookie
            persist uie cookie $persistence_cookie_name
            pool $node_ip
            return
        }
    }

670 Views, 0 likes, 7 Comments

BIG IP F5 IRule with data group to check if date has passed
Hello,

I have a datagroup of kind string/external file, which has hosts in the first field, and dates with format YYYY-MM-DD in the second field. I want to create an iRule that will do something when the date on the same row as the host has passed, or do something else if it hasn't.

Example:

    "www.google.com" := "2020-04-16"

In this case I want to do something, and if the date was 2024-11-25 I would want to do something else.

Right now, it's not working for me, as I've tried with my iRule a number of times. I am not even getting anything in the log.

My iRule:

    when HTTP_REQUEST priority 100 {
        if { not ( ( [IP::addr [IP::client_addr] equals 1.1.0.0%2/15]) or
                   ( [IP::addr [IP::client_addr] equals 2.2.4.0%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 3.3.23.0%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 4.4.41.0%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 5.5.66.0%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 6.6.236.65%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 7.7.151.0%2/24]) or
                   ( [IP::addr [IP::client_addr] equals 8.8.6.0%2/23]) or
                   ( [IP::addr [IP::client_addr] equals 9.9.8.0%2/21]) or
                   ( [HTTP::host] ends_with "co.il") or
                   ( [HTTP::host] ends_with "sites.example.com") ) } {
            if { [string tolower [class match -name "[HTTP::host]" equals /Common/webrules_tal]] ne "" } {
                set expire_date [clock scan { class match -value equals /Common/webrules_tal }]
                log local0. "Got host address: [HTTP::host]"
                if { [clock seconds] < [clock scan { "$expire_date" }] } {
                    HTTP::redirect "https://www.youtube.com"
                }
            }
        }
    }

How can I do something like this in my iRule?

Note: The IP address restriction above is to restrict by IP; these IP addresses are not mine, they're there just for this post.

Thank you!
Tal Sabadia

Solved - 1.5K Views, 0 likes, 1 Comment
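The following is an added example for the date-check question above; it is not code from the post or from any reply to it. In the posted rule the braces around the second class match pass the literal text "class match -value equals ..." to clock scan rather than the looked-up date, and the resulting Tcl runtime error ends the HTTP_REQUEST event before the log statement runs, which matches the empty log the poster describes. The example below reads the date value with class match -value, converts it once, and branches on whether it is in the past. The data group name /Common/webrules_tal and the redirect target are taken from the post; the IP and host exclusion block from the post is left out here and can wrap this logic unchanged. The log prefix and the malformed-date handling are choices made for the example.

```tcl
when HTTP_REQUEST priority 100 {
    # Example only: /Common/webrules_tal is the external-file string data group
    # from the post, mapping a host name to an expiry date in YYYY-MM-DD form.
    set host [string tolower [HTTP::host]]

    # class match -value returns the value stored for the matching key,
    # or an empty string when the host is not listed.
    set expire_date [class match -value $host equals /Common/webrules_tal]
    if { $expire_date eq "" } {
        # Host not in the data group: nothing to do for this request.
        return
    }

    # Convert the stored date to epoch seconds. A malformed row would otherwise
    # raise a runtime error and abort the whole event, so guard it with catch
    # and log the bad entry instead.
    if { [catch { clock scan $expire_date } expire_secs] } {
        log local0. "webrules_tal: unparseable date '$expire_date' for host $host"
        return
    }

    if { [clock seconds] > $expire_secs } {
        # The date on the host's row has passed.
        log local0. "webrules_tal: entry for $host expired on $expire_date"
        HTTP::redirect "https://www.youtube.com"
    } else {
        # The date has not passed yet; put the other behaviour here.
        log local0. "webrules_tal: entry for $host active until $expire_date"
    }
}
```

The comparison direction follows the question: the redirect fires when the current time is later than the stored date. Keys are lowercased before the lookup, so the data group entries should be stored in lowercase as well; class match itself compares strings exactly.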