20 Lines or Less #37 - Hex, HTTPS, and SNATing
What could you do with your code in 20 Lines or Less? That's the question I ask (almost) every week for the devcentral community, and every week I go looking to find cool new examples that show just how flexible and powerful iRules can be without getting in over your head.
I bring to you your weekly dose of short yet cool iRule goodness. Check out what these iRule gurus have crammed into less than 21 lines of code. This week we’ve got hex translation of HTTP payloads, intelligent redirection including port handling, and some snat intelligence in just a few lines of code. Dig it.
Log binary HTTP payload in hex
http://devcentral.f5.com/s/wiki/default.aspx/iRules/Log_binary_HTTP_payload_in_hex.html
Here’s one that we touched on briefly in the podcast last week. Hoolio decided that it would be fun or handy or…something, to convert and log the entire HTTP payload in hex for every response. I couldn’t tell you when this would be needed, but it was a pretty darn cool thought, and I thought I’d share it. Maybe he’ll come tell us what it was for. ;)
when HTTP_REQUEST {
# Log debug? 1=yes, 0=no
set debug 1# Collect up to the first 1MB of POST data
if {[HTTP::method] eq "POST"}{set clength 0
# Check if there is a content-length header and the value is set to less than 1Mb
if {[HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] set clength [HTTP::header Content-Length]
} else {
set clength 1048576
}
if {[info exists clength] && clength > 0} {
if {$debug}{log local0. "[virtual name]: Collecting $clength bytes"}
HTTP::collect $clength
}
}
}when HTTP_REQUEST_DATA {
# Log the payload converted to hex
binary scan [HTTP::payload] H* payload_hexif {$debug}{log local0. "[virtual name]: $payload_hex: $payload_hex"}
}
SNAT based on incoming IP
http://devcentral.f5.com/s/Default.aspx?tabid=53&forumid=5&postid=1170490&view=topic
Matt dished out a great little example of how to effectively control which snat address a connection is assigned based on the IP range the request is coming in from. It’s simple, it’s efficient, it’s effective, and it’s short. Those are a few of my favorite things in iRules, so here you go.
when CLIENT_ACCEPTED {
if { [IP::addr [IP::client_addr] equals 10.9.9.0/26] }{
snat 1.1.1.1
} elseif { [IP::addr [IP::client_addr] equals 10.9.9.65/26] }{
snat 2.2.2.2
} elseif { [IP::addr [IP::client_addr] equals 10.9.9.128/26] }{
snat 3.3.3.3
} else {
forward
}
}
Intelligent HTTP to HTTPS redirection…now with port handling!
http://devcentral.f5.com/s/Default.aspx?tabid=53&forumid=5&postid=1168453&view=topic
This is a topic (HTTP to HTTPS redirection) that I’ve shown off at least a few times in the 20LoL, but that’s because it comes up so darn often in the forums and elsewhere. Here is yet another take on how to do it, and a darn good one at that. Note the use of string map, which I heart, and the fact that this one can actually handle requests that specifically have the port declared in the hostname. If you try to redirect to HTTPS but still have a :80 in your host, things might not go as swimmingly as you’d like.
when HTTP_RESPONSE {
# Check if server response is a redirect
if { [HTTP::header is_redirect]} {
# Log original and updated values
log local0. "Original Location header value: [HTTP::header value Location],\
updated: [string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]"
# Do the update, replacing http:// with https:// and :80/ with /
HTTP::header replace Location \
[string map -nocase "http:// https:// :80/ /" [HTTP::header value Location]]
}
}
There you go, 3 more examples of iRules goodness in 20 Lines or Less each. See ya next time.
#Colin