Forum Discussion

AllanUK_202329
Jan 12, 2017

iRule for subdomain datagroup matching

Hi,

I have been trying to find a solution to my requirement below,

We have subdomains like subdomain.domain.com and we want to perform a match on the domain part in a data group to return a pool and ideally an SSL profile.

For the pool part I think it should go something like this;

when HTTP_REQUEST {
    set DATA_GROUP_HTTPSPOOL $::DG-HTTPSPool
    set HOST [string tolower [HTTP::host]]
    set POOL [ findclass $HOST $DATA_GROUP_HTTPSPOOL " " ]
    if { $POOL ne "" } {
       pool $POOL
    }
}

This would be with a datagroup as follows;

ltm data-group internal /Common/DG-HTTPSPool {
    records {
        domain.com {
            data "pool-domain.com"
        }
    }
    type string
}

I don't know how close this is to being correct or if what I'm trying to do is even possible. So any advice would be gratefully received.

I think I really need to use a match ending_with rather than the findclass, but I'm not sure. Also, I don't know the best way to do the profile; would it also sit under the when HTTP_REQUEST?

Many thanks,

Allan

2 Replies

  • Hi Allan,

    which TMOS version are you running on? I'm asking because the [findclass] command and the way you're referencing the data-group (aka. via $::datagroup) has been deprecated for many years and would harm CMP-operations on current TMOS versions.

    If you've loaded a TMOS version v10 or higher on your box, then take a look at the iRule below. It uses the CMP-friendly [class] syntax to look up the data-group containing the domain-to-pool information.

    ltm data-group internal DG-HTTPSPool {
        records {
            "domain.com" { 
                data "pool-domain.com" 
            }
            "domain.net" { 
                data "pool-domain.net" 
            }
        }
        type string
    }

    when HTTP_REQUEST {
        if { [set pool [class match -value [domain [string tolower [getfield [HTTP::host] ":" 1]] 2] equals "DG-HTTPSPool"]] ne "" } then {
            pool $pool
        } else {
            HTTP::respond 403 content "Access denied - Invalid HOST-name requested" "Content-Type" "text/html"
        }
    }
    

    Cheers, Kai

  • Hi and welcome to the forum!

    I understood the question a bit differently and thought you wanted to choose pool based on "domain.com" if the request was for ";.

    This should do it in that case. Haven't tested it for syntax though.

    when HTTP_REQUEST {

        # Last two labels of the Host header, with any :port removed
        set domain [domain [getfield [HTTP::host] ":" 1] 2]

        if { [class match $domain equals yourdatagrouplist] } {
            pool [class lookup $domain yourdatagrouplist]
        } else {
            pool yourdefaultpool
        }
    }
    

    As for the SSL profile you should probably look into SNI:

    https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indication

    Hope that helped.

    /Patrik
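
Added example, not part of either reply and not F5's own code: the ends_with match Allan asked about, written as an iRule with a leading dot on every data-group key so that a host such as notdomain.com cannot match the domain.com record. The data-group name DG-HTTPSPool-Suffix and the .domain.co.uk record are assumptions made for illustration; the other pool name and the 403 response come from the posts above.

```tcl
# Assumed data group (hypothetical name; every key starts with a dot):
#
#   ltm data-group internal DG-HTTPSPool-Suffix {
#       records {
#           ".domain.com"   { data "pool-domain.com" }
#           ".domain.co.uk" { data "pool-domain.co.uk" }
#       }
#       type string
#   }
#
# Keep the keys non-overlapping (not both ".domain.com" and ".a.domain.com"):
# this example does not depend on which of two matching records is returned.

when HTTP_REQUEST {
    # Drop any :port and lower-case the Host header before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Compare ".<host>" so the key ".domain.com" matches "domain.com" and
    # "sub.domain.com" on a label boundary, but not "notdomain.com".
    # Unlike [domain $host 2], this also handles suffixes with more than
    # two labels: [domain "www.domain.co.uk" 2] yields "co.uk".
    set pool [class match -value ".$host" ends_with DG-HTTPSPool-Suffix]

    if { $pool ne "" } {
        pool $pool
    } else {
        # Default deny: an unknown Host value never reaches a pool.
        HTTP::respond 403 content "Access denied - Invalid HOST-name requested" "Content-Type" "text/html"
    }
}
```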