fir3net

iRule Examples - 10.x


Below are a number of iRule examples that you may find useful when creating or deploying iRules on the BIG-IP F5 device.

For the latest iRule tips and tricks, hop over to our iRule Cookbook.

WWW redirect

This simple iRule redirects any HTTP traffic whose host lacks the www prefix to the www address.

when HTTP_REQUEST {
   if { [HTTP::host] starts_with "fir3net.com" } {
     HTTP::redirect http://www.fir3net.com[HTTP::uri]
   }
}

HTTP Redirect

This iRule will issue an HTTP redirect response when the HTTP request URI contains the string 'Secure'.

when HTTP_REQUEST {
  if { [HTTP::uri] contains "Secure" } {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
  }
}
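
The redirect above copies the client-supplied Host header into the Location header. A variant that only does so for expected hostnames follows, as an added example that is not from the original page; the data group name allowed-hosts is an assumption and would have to exist on the BIG-IP as a string data group.

```tcl
when HTTP_REQUEST {
    if { [HTTP::uri] contains "Secure" } {
        # Host is client-controlled: lower-case it and drop any :port suffix
        set host [string tolower [getfield [HTTP::host] ":" 1]]

        # allowed-hosts is a hypothetical string data group listing the
        # hostnames this virtual server is expected to serve
        if { [class match $host equals allowed-hosts] } {
            HTTP::redirect "https://$host[HTTP::uri]"
        } else {
            # Unknown Host: refuse rather than reflect it into Location
            log local0. "Rejected redirect for unexpected Host from [IP::client_addr]"
            HTTP::respond 400 content "Bad Request"
        }
    }
}
```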

HTTP Redirect (using 2 Conditions)

This iRule will issue an HTTP redirect response when the HTTP request URI ends with the string '/sendmesomewhereelse' and the host header equals 'mydomain.com'.

when HTTP_REQUEST {
  if { ([HTTP::host] equals "mydomain.com") and ([HTTP::uri] ends_with "/sendmesomewhereelse") } {
    HTTP::redirect http://google.com
  }
}

URI Pool Selection

This iRule will send traffic to Pool1 when the HTTP Request URI ends with 'txt'; all other requests go to Pool2.

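when HTTP_REQUEST {
  # "else" must sit on the same line as the closing brace of the if body,
  # otherwise Tcl treats it as a separate command
  if { [HTTP::uri] ends_with "txt" } {
     pool Pool1
  } else {
     pool Pool2
  }
}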

Switch

This iRule will distribute traffic to the necessary pool based on the URL.

when HTTP_REQUEST {
   switch -glob [HTTP::host] {
     example-url1                            { pool POOL-172.16.1.35-80-1 }
     example-url2                            { pool POOL-172.16.1.35-80-2 }
     example-url3                            { pool POOL-172.16.1.35-80-3 }
     example-url4                            { pool POOL-172.16.1.35-80-4
                                                persist source_addr 255.255.255.248 1800 }
     example-url5                            { pool POOL-172.16.1.35-80-5
                                                persist source_addr 255.255.255.248 1800 }
     example-url6                            { pool POOL-172.16.1.35-80-7
                                                persist source_addr 255.255.255.248 1800 }
     default                                 { pool POOL-172.16.1.35-80-8 }
   }
}

SNAT

This iRule will translate the source address for any traffic originating from any address defined within the data group net-group and destined for TCP port 8181.

when CLIENT_ACCEPTED {
      # "else" must follow the closing brace of the if body on the same line
      if { [TCP::local_port] == 8181 and [class match [IP::client_addr] equals net-group ] } {
         snat 192.168.1.131
      } else {
         forward
      }
}

Insert Header

The following iRule inserts a custom header named SOURCE_IP containing the client source IP address.

when HTTP_REQUEST {
     HTTP::header insert SOURCE_IP [IP::remote_addr]
}

Create HTTP Session ID

The following iRule creates a unique id for each HTTP request. The unique id is generated by using the IP/Port of the Local/Remote host and a random number between 1 and 100,000,000. This value is then hashed.
This unique id is then appended to the HTTP request via a custom HTTP header named X-SESSIONID.

when HTTP_REQUEST {
    set id "[IP::client_addr][TCP::client_port][IP::local_addr][TCP::local_port][expr { int(100000000 * rand()) }]"
    binary scan [md5 $id] H* md5var junk
    HTTP::header insert X-SESSIONID $md5var
}
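
Both the Insert Header and Create HTTP Session ID rules use HTTP::header insert, which adds a header without touching any copy the client already sent, so a backend that trusts SOURCE_IP or X-SESSIONID may read the client's value instead. The following added example (not from the original page) combines the two rules and removes inbound copies first.

```tcl
when HTTP_REQUEST {
    # HTTP::header insert appends; it does not overwrite. Remove any copies
    # the client supplied so the backend only sees the values set below.
    HTTP::header remove SOURCE_IP
    HTTP::header remove X-SESSIONID

    # Client address as seen by the BIG-IP on this connection
    HTTP::header insert SOURCE_IP [IP::client_addr]

    # Per-request correlation ID, built as in the rule above. rand() is not a
    # cryptographic generator, so treat the ID as a log-matching aid only,
    # not as a secret or an authentication token.
    set id "[IP::client_addr][TCP::client_port][IP::local_addr][TCP::local_port][expr { int(100000000 * rand()) }]"
    binary scan [md5 $id] H* md5var
    HTTP::header insert X-SESSIONID $md5var
}
```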

SSL Server Side

This iRule allows you to only perform server side SSL on a selection of pool members. These pool members are defined within a datagroup (named 'poolmember-group').

when LB_SELECTED {
      SSL::disable serverside
      if {[class match [LB::server addr] equals poolmember-group ]} {
         SSL::enable serverside
      }
}

Troubleshooting

This iRule is used to troubleshoot connections. It creates a log entry for the HTTP Request and the HTTP Response. Within these logs the following is recorded:

  • Source IP address
  • X-Forwarded-For, in case you are coming from a CDN
  • A unique ID so that you can match the HTTP Request and Response.
  • The HTTP Response code returned by the server.
  • The backend Server IP.
  • Time between the F5 receiving the HTTP Request and sending on the HTTP Request.
  • Time between the F5 sending the HTTP Request and receiving the HTTP Response.

when HTTP_REQUEST {
    set CLIENT_ADDR [IP::client_addr]
    set XFF [HTTP::header X-Forwarded-For]
    set ID "[TCP::local_port][expr { int(100000000 * rand()) }]"
    set REQUEST_RECEIVE [clock clicks -milliseconds]
}

when HTTP_REQUEST_SEND {
    set REQUEST_SEND [clock clicks -milliseconds]
    set REQUEST_WAIT [expr {$REQUEST_SEND - $REQUEST_RECEIVE}]
    log local0. "SRC:$CLIENT_ADDR  XFF:$XFF ID:$ID"
}

when HTTP_RESPONSE {
    set RESPONSE_TIME [expr {[clock clicks -milliseconds] - $REQUEST_SEND}]
    log local0. "SRC:$CLIENT_ADDR XFF:$XFF ID:$ID - HTTP[HTTP::status] $RESPONSE_TIME\ms/$REQUEST_WAIT\ms [LB::server addr]"
}

Tags: TCL, iRule, BIG-IP F5

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001