Forum Discussion

Pirlo
Mar 29, 2010

Syntax and Efficiency check

Trying to verify syntax and efficiency for the following rule.

Essentially this is an HTTP vip that needs XFF redirection to a dummy pool if the address matches the data group list.
In the below iRule: is the syntax correct? Is there a more efficient way to process?

     when HTTP_REQUEST {

         # check if client_addr = any in the class
         if {[matchclass [HTTP::header "X-Forwarded-For"] equals $::pre_test_address_list]} {
            use pool dummypool
         } else {
            use pool prodpool
         }
     }

And at the end of the rule do I need the "else use pool prodpool" statement? Or can I leave that out, and once the iRule inspection is complete will the LTM proceed with the default pool that the VIP lb's to?

     when HTTP_REQUEST {

         # check if client_addr = any in the class
         if {[matchclass [HTTP::header "X-Forwarded-For"] equals $::pre_test_address_list]} {
            use pool dummypool
         }
     }

9 Replies

  • Hi Blue,

    If you don't use a OneConnect profile and have multiple clients connect over the same TCP connection (through a proxy), you'd want to explicitly define a pool for both cases. There isn't any efficiency lost by specifying the pool in both cases. See this post for details:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3392157229

    Or you could add a OneConnect profile with a /32 mask and then not specify the pool in both cases. This would have the added benefit that server side connections would be re-used for the same client IP address.

    Aaron
  • Pirlo

    Thanks for the link and taking the time to provide feedback.

    Wasn't sure if I was using the matchclass and header inspect properly.
  • Pirlo

    The above mentioned rule failed. The XFF is showing up twice with a comma separator in the middle.

    Is it as simple as changing the matchclass to "contains" instead of "equals"?
  • You'd need to parse out the IPs from the XFF header value. Can you configure whatever device is inserting the XFF to use a more unique header name? If not, you could use something like this to parse comma separated IPs:

     when HTTP_REQUEST {

         # Select the prodpool by default
         pool prodpool

         # Check if XFF header has a value
         if {[HTTP::header "X-Forwarded-For"] ne ""} {

            # Some proxies append their XFF value to any existing XFF header.
            # Check if XFF header value contains a comma
            if {[HTTP::header "X-Forwarded-For"] contains ","} {

               # Remove any spaces in the string, and then split it into a list on commas
               set xff [split [string map {" " ""} [HTTP::header value "X-Forwarded-For"]] ","]

               # Get the last comma separated value from the XFF header
               set xff [lindex $xff [expr {[llength $xff] - 1}]]

            } else {
               set xff [HTTP::header "X-Forwarded-For"]
            }

            # Check if XFF value is in the class
            if {[matchclass $xff equals $::pre_test_address_list]} {
               pool dummypool
            }
         }
     }


    Note, I'm assuming you only want to check the last IP in the XFF header value. You could also loop through each IP and check it against the class. But then you'd be checking more than your proxy's XFF value.

    Aaron
  • Pirlo

    Aaron

    Thanks for the assist. One last question if anyone can explain.

    Aaron's Reply

    Note, I'm assuming you only want to check the last IP in the XFF header value. You could also loop through each IP and check it against the class. But then you'd be checking more than your proxy's XFF value.

    Aaron

    I'm actually trying to get the first value in the XFF. I have tried several things that I thought would work. How do I get the first value of the XFF?

    # Get the last comma separated value from the XFF header
    set xff [lindex $xff [expr {[llength $xff] - 1}]]

    Out of all the rules that I have done I thought this one would be cake.

    It is still eluding me.
  • In testing this with a customer who was using Squid, we saw the most recent IP appended to the XFF header. Are you sure you want to take the first IP in the list?

    If so, you can use something like this:

     when HTTP_REQUEST {

         # Select the prodpool by default
         pool prodpool

         # Check if XFF header has a value
         if {[HTTP::header "X-Forwarded-For"] ne ""} {

            # Some proxies append their XFF value to any existing XFF header.
            # Check if XFF header value contains a comma
            if {[HTTP::header "X-Forwarded-For"] contains ","} {

               # Split the XFF header into a list on commas or spaces and take the first element
               set xff [lindex [split [HTTP::header value "X-Forwarded-For"] ", "] 0]

            } else {
               set xff [HTTP::header "X-Forwarded-For"]
            }

            # Check if XFF value is in the class
            if {[matchclass $xff equals $::pre_test_address_list]} {
               pool dummypool
            }
         }
     }


    Aaron
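The two rules Aaron posted differ only in which comma separated entry they keep (the first or the last). As an added illustration that is not part of Aaron's or Pirlo's posts and is not F5 code, the following Python models that parsing outside the iRule so it can be run stand-alone. It also goes one step beyond either rule: instead of fixing a position, it walks the list from the right and skips entries that belong to known proxies, which yields the address appended by the outermost trusted hop however many proxies sit in the chain (the thread later describes client, Akamai/proxy, WAM, LTM). The data group contents, the proxy ranges and the header values are all constructed for the example.

```python
import ipaddress

# Constructed sample data (not from the thread). The data group used by the
# iRules above is modelled as a set of address strings that should be steered
# to the dummy pool.
PRE_TEST_ADDRESS_LIST = {"203.0.113.10", "203.0.113.11"}

# Constructed stand-ins for the proxies in front of the LTM. Only entries
# appended by these hops are taken at face value.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical edge proxy range
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical WAM range
]


def split_xff(value):
    """Split an X-Forwarded-For value on commas, dropping surrounding spaces
    and empty entries (mirrors the string map / split in the first rule)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def first_xff(value):
    """Leftmost entry: what the second rule selects with lindex ... 0."""
    parts = split_xff(value)
    return parts[0] if parts else None


def last_xff(value):
    """Rightmost entry: what the first rule selects via llength - 1."""
    parts = split_xff(value)
    return parts[-1] if parts else None


def client_from_xff(value, trusted=TRUSTED_PROXIES):
    """Walk the list right to left and skip entries owned by a trusted proxy.
    The first remaining entry is the one the outermost trusted hop appended.
    Entries further left arrived from beyond the trusted chain and may be
    whatever the sender put there, so they are never preferred over it.
    Returns None for an empty header or a malformed entry."""
    for entry in reversed(split_xff(value)):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # unparsable entry: do not guess, fall back to prodpool
        if any(addr in net for net in trusted):
            continue
        return str(addr)
    return None


def select_pool(xff_value, picker=client_from_xff):
    """Pool selection as in the iRules above: prodpool by default, dummypool
    only when the chosen XFF entry is in the data group."""
    chosen = picker(xff_value) if xff_value else None
    if chosen is not None and chosen in PRE_TEST_ADDRESS_LIST:
        return "dummypool"
    return "prodpool"


if __name__ == "__main__":
    # Constructed header matching a three-hop chain: client, edge proxy, WAM.
    hdr = "203.0.113.10, 198.51.100.7, 192.0.2.5"
    print(first_xff(hdr), last_xff(hdr), client_from_xff(hdr), select_pool(hdr))
```

The position based pickers return whatever happens to sit at that index, which is why the right answer changed between Pirlo's earlier two-address cases and this one. The walk is driven by which hops are known rather than by position, so it keys on the part of the header the LTM's own upstreams produced. In Tcl the last-entry step can equally be written as `lindex $xff end`.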
  • Pirlo

    Aaron

    Once again thanks for taking the time. You have assisted/provided me with 3 solutions that I can work off of to get this issue resolved.

    9 times out of 10 I can find my answer searching the forum, but could not in this case.

    Reading some older posts I believe it was you that posed the question to another member "Can you insert a different Header value?", which I think we may move forward with.

    At this point my tcpdump shows the first XFF to be the correct one.

    I have run into similar symptoms before with 2 XFF addresses, and the last one has always been the correct one.

    Let me know where to send the beer man.
  • Pirlo

    Forgot to notate the actual packet flow. In tcpdump the first XFF shows to be the actual one.

    Client >>> Akamai/Proxy address >>> WAM Address >>> LTM

    Actual/First XFF >>> Second XFF value >>> Third XFF Value >>> VIP Side

  • Ah, that makes sense if it's the Akamai inserted IP you want to use. Thanks for clarifying.

    Aaron