
© 2009-2013 Tarmo Mamers
LTM: iRules
Event-driven scripting language
Based on TCL, with modified syntax
BIG-IP-specific functions / variables added
when HTTP_REQUEST {
    HTTP::header insert "X-Forwarded-For" [IP::remote_addr]
}
when HTTP_REQUEST {
    # set takes the name and the value as separate words (no "=")
    set redir "https://[HTTP::host][HTTP::uri]"
    log "redirect to $redir"
    HTTP::redirect $redir
}
www.smn.ee
iRules: Support
F5 Support does not write iRules
No warranties whatsoever!
A support case applies when "it worked before, but after the software upgrade it no longer works"
F5 Professional Services does write iRules
SMN Professional Services does write iRules
iRule Editor
http://devcentral.f5.com/irules → iRule Editor
iRules: Applications
• Logging, reporting
• Universal Persistency (UIE)
• Content analysis & manipulation
• DLP, debugging, BIG-IP-hosted content
• Load balancing decision overruling
• Client authentication
• EID
• Security
• Rate-limiting
• Content-based filtering
• Sideband connections
iRules: Programming
iRules stuff homepage
http://devcentral.f5.com/
API > iRules Wiki
iRules Basics 101
iRules CodeShare
TCL command reference
http://www.tcl.tk/man/tcl8.4/TclCmd/contents.htm
iRules: Concepts
when EVENT { operations }
the order of the events within an iRule definition does not matter
# comment
() [] {} and " can be used, but must be paired !!
program code may precede the hash mark on the same line (written as ;# comment, as in the samples below)
all variables are of string type
the parameters of numeric operators are converted to numbers and converted back to strings after the operation
set myvariable [expr { 1 / 2 }]
iRules: Concepts
if several iRules are attached to one VS, or the same event is defined several times within one iRule, then when the event arrives all definitions of that event are executed, in the order of the iRules/definitions
when EVENT priority 100 { }
default priority 500
priority range 0...1000
0 is the highest priority
iRules: Variables
Local variables
scope: single TCP connection
assigning: varname
using: $varname
Global variables
scope: all connections, available in all rules attached to any virtual server
assigning: ::varname
using: $::varname
iRules: Variables
Session variables
Tables
Static variables
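An added example (not from the slides) that ties the priority rule on the previous slide to the variable kinds listed here: a static:: limit set in RULE_INIT, a local variable set in a priority-100 block and read in the default-priority block, and a table entry shared across connections. The limit values, the subtable name "reqcount" and the static:: names are assumptions.

```tcl
# Added example, not from the slides: event priority plus static, local and
# table variables, used as a per-client request counter.
# Assumed names: static::max_req, static::window, subtable "reqcount".
when RULE_INIT {
    # static:: variables are set once when the rule loads and are shared read-only
    set static::max_req 120   ;# assumed limit: requests per window
    set static::window  60    ;# assumed window length in seconds
}
when HTTP_REQUEST priority 100 {
    # priority 100 runs before the default-priority (500) block below
    set client [IP::client_addr]   ;# local: lives for this TCP connection only
    # table entries are shared by all connections and all TMMs
    set count [table incr -subtable reqcount $client]
    if { $count == 1 } {
        # first request from this client: the entry expires $static::window
        # seconds after creation, regardless of later touches
        table lifetime -subtable reqcount $client $static::window
    }
}
when HTTP_REQUEST priority 500 {
    # $client and $count were set by the priority-100 block for the same event
    if { $count > $static::max_req } {
        log local0. "client $client exceeded $static::max_req requests in $static::window s"
        HTTP::respond 429 content "Too many requests" "Retry-After" $static::window
        return
    }
}
```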
iRules: Logging
via BIG-IP local syslog daemon
log "logging record"
→ /var/log/ltm
log user.notice "another logging record"
→ /var/log/user.log
UDP syslog directly to remote server
log 192.168.1.1 user.notice "remote logging record"
log 192.168.1.1:1999 user.notice "remote logging record"
Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: Rule log_test <HTTP_REQUEST>: remote logging record
log -noname 192.168.1.1:1999 user.notice "short record"
Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: short record
iRules: High-Speed Logging
pure data
set hsl [HSL::open -proto UDP -pool syslog_pool]
HSL::send $hsl "logging message"
preferably non-binary !!
syslog message
set hsl [HSL::open -proto TCP -pool syslog_pool]
set log "<158>" ;# PRI = facility * 8 + severity; 158 = local3.info
append log "log message"
append log "log message continuation"
append log "log message continuation more more"
HSL::send $hsl $log
syslog facility/severity codes (PRI = facility * 8 + severity)

severity: 0 emerg/panic, 1 alert, 2 crit, 3 err/error, 4 warn/warning, 5 notice, 6 info, 7 debug

code  facility        description                         0   1   2   3   4   5   6   7
   0  kern            kernel                              0   1   2   3   4   5   6   7
   1  user            miscellaneous user-level            8   9  10  11  12  13  14  15
   2  mail            mail system                        16  17  18  19  20  21  22  23
   3  daemon          system daemons                     24  25  26  27  28  29  30  31
   4  auth            authorization                      32  33  34  35  36  37  38  39
   5  syslog          generated internally by syslogd    40  41  42  43  44  45  46  47
   6  lpr             line printer subsystem             48  49  50  51  52  53  54  55
   7  news            network news subsystem             56  57  58  59  60  61  62  63
   8  uucp            UUCP subsystem                     64  65  66  67  68  69  70  71
   9  cron            clock daemon                       72  73  74  75  76  77  78  79
  10  authpriv        security/authorization             80  81  82  83  84  85  86  87
  11  ftp             FTP daemon                         88  89  90  91  92  93  94  95
  12  ntp             NTP subsystem                      96  97  98  99 100 101 102 103
  13  audit/security  audit                             104 105 106 107 108 109 110 111
  14  console         console                           112 113 114 115 116 117 118 119
  15  cron2           clock daemon                      120 121 122 123 124 125 126 127
  16  local0          local use 0                       128 129 130 131 132 133 134 135
  17  local1          local use 1                       136 137 138 139 140 141 142 143
  18  local2          local use 2                       144 145 146 147 148 149 150 151
  19  local3          local use 3                       152 153 154 155 156 157 158 159
  20  local4          local use 4                       160 161 162 163 164 165 166 167
  21  local5          local use 5                       168 169 170 171 172 173 174 175
  22  local6          local use 6                       176 177 178 179 180 181 182 183
  23  local7          local use 7                       184 185 186 187 188 189 190 191
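An added example (not from the slides) for the High-Speed Logging slide and the table above: the PRI value is computed from the facility and severity codes instead of being hard-coded, and the record is sent with a full RFC 3164 header. The pool name syslog_pool comes from the slide; the hostname in static::hsl_host is a placeholder.

```tcl
# Added example, not from the slides: computing the syslog PRI for an
# HSL::send record from the facility/severity table.
# Assumes a pool named syslog_pool (as on the slide) and a placeholder hostname.
when RULE_INIT {
    set static::hsl_host "bigip-placeholder"   ;# assumed hostname for the syslog header
    # local3 = facility 19, info = severity 6 (see table): PRI = 19*8 + 6 = 158,
    # the same value the slide writes by hand as "<158>"
    set static::hsl_facility 19
    set static::hsl_severity 6
    set static::hsl_pri [expr {$static::hsl_facility * 8 + $static::hsl_severity}]
    # reverse check: facility = PRI / 8 = 19 (local3), severity = PRI % 8 = 6 (info)
}
when CLIENT_ACCEPTED {
    # one HSL handle per connection; TCP, as on the slide's syslog-message variant
    set hsl [HSL::open -proto TCP -pool syslog_pool]
}
when HTTP_REQUEST {
    # RFC 3164 header: <PRI>Mmm dd hh:mm:ss hostname tag: message
    # %e pads the day with a space, giving "Mar  9" like the log lines on the logging slide
    set ts [clock format [clock seconds] -format "%b %e %H:%M:%S"]
    set msg "<$static::hsl_pri>$ts $static::hsl_host ltm: "
    append msg "client=[IP::client_addr] method=[HTTP::method] host=[HTTP::host] uri=[HTTP::uri]"
    HSL::send $hsl $msg
}
```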
iRules: Samples
when HTTP_REQUEST {
    # a single bracket level: [IP::remote_addr] is the operand, not a command
    if { [IP::remote_addr] starts_with "192.168." } { ;# check pvt addresses
        HTTP::respond 200 content {
<html><head><title>No access</title></head>
<body>No access from internal network!</body></html>
        }
    }
}
when HTTP_RESPONSE {
    # HTTP_RESPONSE_DATA only fires for payload collected here
    if { [HTTP::header Content-Type] starts_with "text/html" } { HTTP::collect }
}
when HTTP_RESPONSE_DATA {
    # non-greedy match of each <!-- ... --> block
    set remarks [regexp -all -inline -indices {<!--.*?-->} [HTTP::payload]] ;# find all HTML comments
    foreach idx $remarks { ;# loop through all HTML comments
        set start [lindex $idx 0]
        set len [expr {[lindex $idx 1] - $start + 1}]
        HTTP::payload replace $start $len [string repeat " " $len]
    }
    HTTP::release ;# forward the rewritten payload to the client
}
iRules: GeoLocation
when HTTP_REQUEST {
set loc [URI::query [HTTP::uri] loc]
set c "<html><body>"
if { $loc ne "" } {
append c "IP address $loc is located in:<br>"
append c "single string: [whereis $loc]<br>"
append c "continent: [whereis $loc continent]<br>"
append c "country: [whereis $loc country]<br>"
append c "zip: [whereis $loc zip]<br>"
append c "area_code: [whereis $loc area_code]<br>"
append c "latitude: [whereis $loc latitude]<br>"
append c "longitude: [whereis $loc longitude]<br>"
append c "state: [whereis $loc state]<br>"
append c "state abbrev: [whereis $loc abbrev]<br>"
append c "org: [whereis $loc org]<br>"
append c "ISP: [whereis $loc isp]<br>"
} else { append c "loc parameter missing" }
append c "</body></html>"
HTTP::respond 200 content $c
}
iRules: GeoLocation
when CLIENT_ACCEPTED {
if { !(([whereis [IP::client_addr] abbrev] equals "MO") or
([whereis [IP::client_addr] abbrev] equals "IL")) } {
pool rejected
}
}
when HTTP_REQUEST {
    # HTTP::redirect needs an HTTP request context, so this runs in HTTP_REQUEST
    set region [class match -value [whereis [IP::client_addr] abbrev] equals us_regions]
    if { $region ne "" } {
        switch $region {
            midwest { pool $region }
            east { HTTP::redirect http://my-east.servers.com }
            south { HTTP::redirect http://my-south.servers.com }
            west { HTTP::redirect http://my-west.servers.com }
        }
    } else { pool default }
}
iRules: HTTP Events' Flowchart
Image: http://devcentral.f5.com/weblogs/jason/archive/2009/09/08/irules-insight-http-event-order.aspx
www.smn.ee
© 2009-2013 Tarmo Mamers
iRules: Order of Events (1)
Initializing event
1. RULE_INIT
Client request events
2. CLIENT_ACCEPTED
3. CLIENTSSL_HANDSHAKE
4. CLIENTSSL_CLIENTCERT
5. HTTP_REQUEST CACHE_REQUEST RTSP_REQUEST SIP_REQUEST HTTP_CLASS_FAILED HTTP_CLASS_SELECTED
6. STREAM_MATCHED
7. CACHE_UPDATE
8. CLIENT_DATA RTSP_REQUEST_DATA HTTP_REQUEST_DATA
9. AUTH_RESULT AUTH_WANTCREDENTIAL
10. LB_SELECTED LB_FAILED PERSIST_DOWN
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=344
iRules: Order of Events (2)
Server request events
11. SERVER_CONNECTED
12. SERVER_SSL_HANDSHAKE
13. HTTP_REQUEST_SEND SIP_REQUEST_SEND
Server response events
14. CACHE_RESPONSE
15. HTTP_RESPONSE RTSP_RESPONSE SIP_RESPONSE
16. STREAM_MATCHED
17. HTTP_RESPONSE_CONTINUE
18. HTTP_RESPONSE_DATA SERVER_DATA RTSP_RESPONSE_DATA
Disconnect events
19. SERVER_CLOSED
20. CLIENT_CLOSED
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=344
HTTP: multiple requests
CLIENT_ACCEPTED
HTTP_REQUEST & HTTP_REQUEST_DATA
HTTP_RESPONSE & HTTP_RESPONSE_DATA
CLIENT_CLOSED
iRules: Errors
Syntax error - appears when the rule is saved or on "tmsh load sys config"
Runtime error - aborts iRule execution and closes the TCP connection
see /var/log/ltm
Mar 22 09:29:08 local/tmm err tmm[5558]: 01220001:3: TCL error: test_cert_rule <CLIENTSSL_CLIENTCERT> - while executing "X509::whole [SSL::cert 0]"
catch helps:
if { [catch { codewhichmayresultinruntimeerror }] } { }
if { [catch { codewhichmayresultinruntimeerror } errmsg] } {
    log "Caught TCL run-time error: $errmsg"
}
iRules: Managing Without ☺
HTTP profile: header insert X-Forwarded-For
HTTP profile: header insert, remove
HTTP profile: fallback host
HTTP profile: compression
HTTP profile: redirect
HTTP profile: ramcache
Stream profile: content search/replace
Class profile: URI matching & pool selection
Request logging profile
Analytics profile
.................