Forum Discussion

Brian_69413's avatar
Brian_69413
Icon for Nimbostratus rankNimbostratus
Nov 06, 2012

Direct Server Access

I have the following iRule which seems to work at first, but then I see traffic to other pool members as well...not sure what I am missing here?

 

when RULE_INIT {

 

Log debug to /var/log/ltm? 1=yes, 0=no.

 

set ::debug_code 1

 

set ::server_direct 0

 

}

 

 

when HTTP_REQUEST {

 

Only apply rule if this request is coming from a internal addresses

 

if { [matchclass [IP::client_addr] equals $::internal_address_dg]} {

 

if { ([HTTP::uri] contains "?srv=") and ([HTTP::uri] contains "?port=") }{

 

set server_ip [URI::query [HTTP::uri] srv]

 

set server_port [URI::query [HTTP::uri] port]

 

set ::server_direct 1

 

 

if {$::debug_code}{log local0. "[IP::client_addr] is attempting to send [HTTP::host] traffic to $server_ip:$server_port"}

 

pool [LB::server pool] member $server_ip $server_port

 

}

 

}

 

}

 

 

when LB_FAILED {

 

If the selection fails and t

 

if {$::debug_code}{log local0. "Pool member selection failed, using default pool..."}

 

if { $::server_direct }{

 

HTTP::respond 200 content {

 

 

 

 

 

 

 

 

 

Invalid Direct Server Access: [HTTP::host][HTTP::uri]

 

 

 

 

}

 

}

 

}

 

application delivery
dev
devops
iRules

12 Replies

Sort By
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 06, 2012
    I think you might need to use LB::detach before the pool command.

     

     

    Persistence might also be an issue, you may want to apply a OneConnect profile to the Virtual Server and see if that helps first.
  • Brian_69413's avatar
    Brian_69413
    Icon for Nimbostratus rankNimbostratus
    Nov 07, 2012
    I added the LB::detach command and I applied a OneConnect profile. The persistence mode is session cookie. I can even close my browser, verify that there are no connection on the LB for my client before opening a new connection to a different server and the traffic still goes to the same server.
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 07, 2012
    A new connection to a different server? Do you mean Virtual Server? What's the load balancing method?

     

     

    This line looks wrong: if { [matchclass [IP::client_addr] equals $::internal_address_dg] < Remove the $::

     

     

    I'd also suggest you add some logging to check things are working, particularly after both of these;

     

     

    set server_ip [URI::query [HTTP::uri] srv]

     

    log local.0 "Server IP is $server_ip"

     

    set server_port [URI::query [HTTP::uri] port]

     

    log local.0 "Server Port is $server_port"
  • Brian_69413's avatar
    Brian_69413
    Icon for Nimbostratus rankNimbostratus
    Nov 07, 2012
    The idea here is that I would like to be able to pick which backend pool member my traffic goes to, so I send the server/port via URI parameters. Same virtual server, different parameters. Observed is the load balancing method.

     

     

    The matchclass line works fine in version 10. I set up logging and it appears to be working as expected. The line "log local0. "[IP::client_addr] is attempting to send [HTTP::host] traffic to $server_ip:$server_port"" hits the ltm logfile showing the correct pool member information, but the actual traffic does not go to that server 100% of the time.
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 08, 2012
    Can you add a log line after the pool command which includes 'LB::server addr' and 'LB::persist' please. Also, are you sure you are including the relevant parameters in every request? I wonder if you need to disable persistence when you do?
  • Brian_69413's avatar
    Brian_69413
    Icon for Nimbostratus rankNimbostratus
    Nov 08, 2012
    Added the log line and it shows the correct server and cookie persistence. I am sure each request has the parameters, but the tcpdump clearly shows the traffic going to a different server. Any idea how to disable cookie persistence for this case?
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 08, 2012
    You could add the 'persist none' command, the earlier in the rule the better I would have thought. Make sure OneConnect is applied.
  • Brian_69413's avatar
    Brian_69413
    Icon for Nimbostratus rankNimbostratus
    Nov 08, 2012
    I added the persist none to the rule, but the traffic still goes to other servers. I am really starting to wonder what is going on now...
  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 08, 2012
    I'm pretty much out of ideas I'm afraid. My last random suggestion is to use the node command instead of the pool command; https://devcentral.f5.com/wiki/iRules.node.ashx and see if that helps.
  • Brian_69413's avatar
    Brian_69413
    Icon for Nimbostratus rankNimbostratus
    Nov 08, 2012
    yeah, I had tried that, but it has similar behavior...something is still at play here that I cannot figure out.