iRules LX Sideband Connection
Problem this snippet solves: Sideband connections in traditional TCL iRules can be large, complex and difficult to support. Additionally doing something with the information retrieved (such as JSON) may require the use of regular expressions to parse the content before it can be used, something to be avoided if at all possible due to the performance overhead. Using the inbuilt capabilities of Node.js, sideband calls in iRules LX are much easier to implement and with a range of inbuilt as well as NPM packages, the possibilities are endless. To make the external request, the example uses 'https' package from the standard library, however many more are available via NPM such as 'request' which is much simpler to use and doesn't need to chuck the response. The advantage of using the standard library in this instance is this can be done 'out of the box' and doesn't require the use of NPM. In this simple example, a traditional iRule requests the object 'title', which is a JSON object from a publicly available API (https://jsonplaceholder.typicode.com/). { "userId": 1, "id": 1, "title": "delectus aut autem", "completed": false } iRules LX will, make the call using the standard 'https' library, parse the JSON data and return the value for 'title' to the calling iRule, which will be then returned to the user as an HTTP response How to use this snippet: Add the following iRule to yout iRules LX Workspace. This will make an RPC call to iRules LX, using the plugin 'ilx_pl' and the extension 'ilx_ext' You can however call this what you like providing your update the ILX::init command to reflect this. when HTTP_REQUEST { # pass argument to ILX in form of a requested JSON object: # {"userId": 1,"id": 1,"title": "delectus aut autem","completed": false} set arg title set ilx_handle [ILX::init "ilx_pl" "ilx_ext"] if {[catch {ILX::call $ilx_handle "httpRequest" $arg} result]} { log local0.error "Client - [IP::client_addr], ILX failure: $result" HTTP::respond 400 content "<html>There has been an error.</html>" return } HTTP::respond 200 content $result log local0. "retrieved parsed JSON value for $arg: $result" } Use the iRules LX code below for the index.js file, within your workspace Code : var https = require("https"); var f5 = require("f5-nodejs"); var ilx = new f5.ILXServer(); function httpRequest (req, res) { https.get('https://jsonplaceholder.typicode.com/todos/1', function (resp) { var data = ''; // A chunk of data has been recieved. resp.on('data', function (chunk) { data += chunk; }); // The whole response has been received. Parse JSON resp.on('end', function () { res.reply(JSON.parse(data).title); }); }).on("error", function (err) { console.log("Error: " + err.message); }); } ilx.addMethod('httpRequest', httpRequest); ilx.listen(); Tested this on version: 12.1
HTTPS sideband connection with certificate authentication
Hello Is it possible to make a https sideband connection with certificate authentication from a custom iRule. The connection I need is the same as the one created with this curl command: curl --cacert /root/CA.pem -d " date " --cert /root/cert.pem:admincert https://server.domain.int:550/OTP/rest/service/generateSideband connection coming from 127.1.1.3: virtual server can't reply. How to fix?
Hi all, I have an iRule configured on a virtual server that is attempting to make a sideband connection to another virtual server. The target virtual server also has an iRule, and everything works just fine when I target that virtual server directly. However, when I try to use the virtual server from within the iRule, the connection times out. Here is the relevant section of iRule code: set sidebandRequest "GET /service?$payload HTTP/1.1\r\n\r\n" set sidebandServer [connect -protocol TCP -timeout 100 -idle 5 -status connect_status $static::SBVirtualServer] send -status send_status -timeout 300 $sidebandServer $sidebandRequest set sidebandResponse [recv -status recv_status -timeout 1000 $sidebandServer] When I look at the packet capture for the sideband connection attempt, I see this: so I think that the root of my problem might be that 127.1.1.3 source address: it seems clear that the server at 192.168.0.111 won't be able to send any responses back to there. I had an idea that I might want to configure address translation on the source virtual server, so I tried that. I used both the "automap" setting, and the "SNAT Pool" setting, with a pool I created using the LTM's address on that 192.168.0.x network. No joy with either approach. Am I in the right general area? How should I fix this? Thanks Davesideband connect command crashes but no logs
Hi, I have created a simple iRule for sideband connections. Here is how the connection is being initialized: if {[catch {connect -timeout 1000 -idle 30 -status conn_status 10.10.10.10:8080} conn] == 0 && $conn ne ""}{ log local0. "Connect returns: $conn and conn status: $conn_status" } else { log local0. "Connection could not be established to sideband_virtual_server" } But, it doesn't look to work - the connection is not being established. Only the log that i see in /var/log/ltm is "Connection could not be established to sideband_virtual_server". I don't even see the try of establishing of TCP connection from the F5 box to the sideband server by using tcpdump. As i'm new to F5, could you please help me to understand what did I do wrong and is there a way to see the exceptions being throwing by the LTM while processing the iRule? Thanks
