© 2009-2013 Tarmo Mamers

LTM: iRules

Event-driven scripting language
Based on TCL, with modified syntax
BIG-IP-specific functions / variables added

    when HTTP_REQUEST {
        ;# "insert" adds a header even if the client already sent one; the server must trust only the value the BIG-IP added
        HTTP::header insert "X-Forwarded-For" [IP::remote_addr]
    }

    when HTTP_REQUEST {
        set redir "https://[HTTP::host][HTTP::uri]"
        log "redirect to $redir"
        HTTP::redirect $redir
    }

www.smn.ee

iRules: Support

F5 Support does not write iRules
No warranties whatsoever!
A support case applies when "it worked before, but after the software upgrade it no longer works"
F5 Professional Services does write iRules
SMN Professional Services does write iRules

iRule Editor

http://devcentral.f5.com/irules → iRule Editor

iRules: Applications

• Logging, reporting
• Universal Persistency (UIE)
• Content analysis & manipulation
• DLP, debugging, BIG-IP-hosted content
• Load balancing decision overruling
• Client authentication
• EID
• Security
• Rate-limiting
• Content-based filtering
• Sideband connections

iRules: Programming

iRules stuff homepage: http://devcentral.f5.com/
  API > iRules Wiki
  iRules Basics 101
  iRules CodeShare
TCL command reference: http://www.tcl.tk/man/tcl8.4/TclCmd/contents.htm

iRules: Concepts

    when EVENT {
        operations
    }

The order of events within an iRule definition does not matter.

    # comment

(), [], {} and " can be used, but must be paired!!
Program code may precede the hash mark on the same line (after code, the comment has to start with ";#", as in the samples below).
All variables are strings; the parameters of numeric operators are converted to numbers and converted back to strings after the operation.

    set myvariable [ expr ( 1 / 2 ) ]

iRules: Concepts

If several iRules are attached to one VS, or the same event is defined several times within one iRule, then when the event arrives all definitions of that event are executed, in the order of the iRules/definitions.

    when EVENT priority 100 {
    }

default priority 500
priority range 0...1000
0 is the highest priority

iRules: Variables

Local variables
  scope: single TCP connection
  assigning: varname
  using: $varname
Global variables
  scope: all connections, available in all rules attached to any virtual server
  assigning: ::varname
  using: $::varname

iRules: Variables

Session variables
Tables
Static variables

iRules: Logging

Via the BIG-IP local syslog daemon:

    log "logging record"                       → /var/log/ltm
    log user.notice "another logging record"   → /var/log/user.log

UDP syslog directly to a remote server:

    log 192.168.1.1 user.notice "remote logging record"
    log 192.168.1.1:1999 user.notice "remote logging record"

    Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: Rule log_test <HTTP_REQUEST>: remote logging record

    log -noname 192.168.1.1:1999 user.notice "short record"

    Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: short record

iRules: High-Speed Logging

Pure data:

    set hsl [HSL::open -proto UDP -pool syslog_pool]
    HSL::send $hsl "logging message"

preferably non-binary!!

Syslog message:

    set hsl [HSL::open -proto TCP -pool syslog_pool]
    set log "<158>"   ;# facility.severity encoded as facility*8 + severity: 158 = local3.info
    append log "log message"
    append log "log message continuation"
    append log "log message continuation more more"
    HSL::send $hsl $log

syslog facility/severity codes

severity →  0 emerg/panic  1 alert  2 crit  3 err/error  4 warn/warning  5 notice  6 info  7 debug

 #  facility  description                            0    1    2    3    4    5    6    7
 0  kern      kernel                                 0    1    2    3    4    5    6    7
 1  user      miscellaneous user-level               8    9   10   11   12   13   14   15
 2  mail      mail system                           16   17   18   19   20   21   22   23
 3  daemon    system daemons                        24   25   26   27   28   29   30   31
 4  auth      authorization                         32   33   34   35   36   37   38   39
 5  syslog    generated internally by syslogd       40   41   42   43   44   45   46   47
 6  lpr       line printer subsystem                48   49   50   51   52   53   54   55
 7  news      network news subsystem                56   57   58   59   60   61   62   63
 8  uucp      UUCP subsystem                        64   65   66   67   68   69   70   71
 9  cron      clock daemon                          72   73   74   75   76   77   78   79
10  authpriv  security/authorization                80   81   82   83   84   85   86   87
11  ftp       FTP daemon                            88   89   90   91   92   93   94   95
12  ntp       NTP subsystem                         96   97   98   99  100  101  102  103
13  audit     security audit                       104  105  106  107  108  109  110  111
14  console   console                              112  113  114  115  116  117  118  119
15  cron2     clock daemon                         120  121  122  123  124  125  126  127
16  local0    local use 0                          128  129  130  131  132  133  134  135
17  local1    local use 1                          136  137  138  139  140  141  142  143
18  local2    local use 2                          144  145  146  147  148  149  150  151
19  local3    local use 3                          152  153  154  155  156  157  158  159
20  local4    local use 4                          160  161  162  163  164  165  166  167
21  local5    local use 5                          168  169  170  171  172  173  174  175
22  local6    local use 6                          176  177  178  179  180  181  182  183
23  local7    local use 7                          184  185  186  187  188  189  190  191

iRules: Samples

    when HTTP_REQUEST {
        if { [IP::remote_addr] starts_with "192.168." } {   ;# check pvt addresses
            HTTP::respond 200 content {
                <html><head><title>No access</title></head>
                <body>No access from internal network!</body></html>
            }
        }
    }

    when HTTP_RESPONSE {
        HTTP::collect   ;# buffer the response body; without this HTTP_RESPONSE_DATA never fires
    }

    when HTTP_RESPONSE_DATA {
        set remarks [regexp -all -inline \
            -indices {<![ \r\n\t]*--([^-]|-[^-])*--[ \r\n\t]*>} [HTTP::payload]]   ;# find all HTML comments
        foreach idx $remarks {   ;# loop through all HTML comments
            set start [lindex $idx 0]
            set len [expr {[lindex $idx 1] - $start + 1}]
            HTTP::payload replace $start $len [string repeat " " $len]   ;# same length, so Content-Length stays valid
        }
    }

iRules: GeoLocation

    when HTTP_REQUEST {
        set loc [URI::query [HTTP::uri] loc]
        ;# $loc comes straight from the query string and is echoed unescaped into HTML; restrict it to an IP address before use
        set c "<html><body>"
        if { $loc ne "" } {
            append c "IP address $loc is located in:<br>"
            append c "single string: [whereis $loc]<br>"
            append c "continent: [whereis $loc continent]<br>"
            append c "country: [whereis $loc country]<br>"
            append c "zip: [whereis $loc zip]<br>"
            append c "area_code: [whereis $loc area_code]<br>"
            append c "latitude: [whereis $loc latitude]<br>"
            append c "longitude: [whereis $loc longitude]<br>"
            append c "state: [whereis $loc state]<br>"
            append c "state abbrev: [whereis $loc abbrev]<br>"
            append c "org: [whereis $loc org]<br>"
            append c "ISP: [whereis $loc isp]<br>"
        } else {
            append c "loc parameter missing"
        }
        append c "</body></html>"
        HTTP::respond 200 content $c
    }

iRules: GeoLocation

    when CLIENT_ACCEPTED {
        if { !(([whereis [IP::client_addr] abbrev] equals "MO") or ([whereis [IP::client_addr] abbrev] equals "IL")) } {
            pool rejected
        }
    }

    when HTTP_REQUEST {   ;# HTTP::redirect is only valid in HTTP events, so this cannot run in CLIENT_ACCEPTED
        set region [class match -value [whereis [IP::client_addr] abbrev] equals us_regions]
        if { $region ne "" } {
            switch $region {
                midwest { pool $region }
                east    { HTTP::redirect http://my-east.servers.com }
                south   { HTTP::redirect http://my-south.servers.com }
                west    { HTTP::redirect http://my-west.servers.com }
            }
        } else {
            pool default
        }
    }

iRules: HTTP Events' Flowchart

Image: http://devcentral.f5.com/weblogs/jason/archive/2009/09/08/irules-insight-http-event-order.aspx

iRules: Order of Events (1)

Initializing event
 1. RULE_INIT
Client request events
 2. CLIENT_ACCEPTED
 3. CLIENTSSL_HANDSHAKE
 4. CLIENTSSL_CLIENTCERT
 5. HTTP_REQUEST, CACHE_REQUEST, RTSP_REQUEST, SIP_REQUEST, HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED
 6. STREAM_MATCHED
 7. CACHE_UPDATE
 8. CLIENT_DATA, RTSP_REQUEST_DATA, HTTP_REQUEST_DATA
 9. AUTH_RESULT, AUTH_WANTCREDENTIAL
10. LB_SELECTED, LB_FAILED, PERSIST_DOWN

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=344

iRules: Order of Events (2)

Server request events
11. SERVER_CONNECTED
12. SERVER_SSL_HANDSHAKE
13. HTTP_REQUEST_SEND, SIP_REQUEST_SEND
Server response events
14. CACHE_RESPONSE
15. HTTP_RESPONSE, RTSP_RESPONSE, SIP_RESPONSE
16. STREAM_MATCHED
17. HTTP_RESPONSE_CONTINUE
18. HTTP_RESPONSE_DATA, SERVER_DATA, RTSP_RESPONSE_DATA
Disconnect events
19. SERVER_CLOSED
20. CLIENT_CLOSED

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=344

HTTP: multiple requests

CLIENT_ACCEPTED
  HTTP_REQUEST & HTTP_REQUEST_DATA
  HTTP_RESPONSE & HTTP_RESPONSE_DATA
  (the request/response events repeat for every request on the same connection)
CLIENT_CLOSED

iRules: Errors

Syntax error: surfaces when the rule is saved or on "tmsh load sys config"
Runtime error: aborts the iRule and closes the TCP connection; see /var/log/ltm

    Mar 22 09:29:08 local/tmm err tmm[5558]: 01220001:3: TCL error: test_cert_rule <CLIENTSSL_CLIENTCERT> - while executing "X509::whole [SSL::cert 0]"

catch helps:

    if { [catch { codewhichmayresultinruntimeerror } ] } {
    }

    if { [catch { codewhichmayresultinruntimeerror } errmsg ] } {
        log "Caught TCL run-time error: $errmsg"
    }

iRules: Managing Without ☺

HTTP profile: header insert X-Forwarded-For
HTTP profile: header insert, remove
HTTP profile: fallback host
HTTP profile: compression
HTTP profile: redirect
HTTP profile: ramcache
Stream profile: content search/replace
Class profile: URI matching & pool selection
Request logging profile
Analytics profile
.................
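The "<158>" prefix in the High-Speed Logging slide is the syslog PRI value, facility*8 + severity. The following Python helper is an added example, not part of the slides: it encodes and decodes PRI with the names from the facility/severity table, assembles an HSL-style message the way the iRule appends fragments, and parses one on the receiving side, rejecting a malformed PRI header instead of guessing.

```python
"""Syslog PRI encode/decode for HSL-style messages (added example, not from the slides).

PRI = facility * 8 + severity, written as "<PRI>" in front of the message text.
"""
import re
from typing import Tuple

# Facility and severity names in the order of the codes table (index = numeric code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "console", "cron2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility: str, severity: str) -> int:
    """facility.severity names -> numeric PRI (e.g. local3.info -> 158)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(value: int) -> Tuple[str, str]:
    """Numeric PRI -> (facility, severity); inverse of pri(). Valid range is 0..191."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return FACILITIES[value // 8], SEVERITIES[value % 8]


def build_hsl_message(facility: str, severity: str, *parts: str) -> str:
    """Assemble the message as the iRule does: "<PRI>" followed by the appended fragments."""
    return f"<{pri(facility, severity)}>" + "".join(parts)


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_hsl_message(msg: str) -> Tuple[str, str, str]:
    """Split a received "<PRI>text" message into (facility, severity, text).

    A message without a well-formed PRI header is rejected rather than guessed at;
    a collector should keep such lines verbatim for inspection.
    """
    m = _PRI_RE.match(msg)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(2)


if __name__ == "__main__":
    msg = build_hsl_message("local3", "info", "log message", " continuation")
    print(msg, parse_hsl_message(msg))
```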
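A runtime error closes the client's TCP connection, so the "TCL error" lines in /var/log/ltm deserve monitoring. This Python parser is an added example, not from the slides: it recognises the two ltm line shapes shown on the Logging and Errors slides (rule log records and TCL error records) and counts runtime errors per iRule and event; the sample lines are constructed from those formats.

```python
"""Parse /var/log/ltm lines and count iRule runtime errors (added example, not from the slides)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# "Mon dd hh:mm:ss host level proc[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "01220001:3: TCL error: <rule> <EVENT> - <detail>"
TCL_ERR_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}):(?P<sev>\d+): TCL error: (?P<rule>\S+) <(?P<event>\w+)> - (?P<detail>.*)$")
# "Rule <rule> <EVENT>: <text>"  (what the log command writes unless -noname is used)
RULE_LOG_RE = re.compile(r"^Rule (?P<rule>\S+) <(?P<event>\w+)>: (?P<text>.*)$")


def parse_ltm_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ltm line plus 'kind' (tcl_error / rule_log / other),
    or None when the line is not in the ltm syslog shape at all."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec["msg"]
    if (e := TCL_ERR_RE.match(body)):
        rec.update(e.groupdict(), kind="tcl_error")
    elif (r := RULE_LOG_RE.match(body)):
        rec.update(r.groupdict(), kind="rule_log")
    else:
        rec["kind"] = "other"  # e.g. a record written with "log -noname"
    return rec


def tcl_errors_by_rule(lines: List[str]) -> Counter:
    """Count runtime errors per "rule <EVENT>"; each one dropped a client connection."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_ltm_line(line)
        if rec and rec["kind"] == "tcl_error":
            counts[f"{rec['rule']} <{rec['event']}>"] += 1
    return counts


SAMPLE_LOG = [  # constructed sample lines in the formats shown on the slides
    "Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: Rule log_test <HTTP_REQUEST>: remote logging record",
    "Mar 9 04:02:15 local/tmm1 notice tmm1[6723]: short record",
    'Mar 22 09:29:08 local/tmm err tmm[5558]: 01220001:3: TCL error: test_cert_rule <CLIENTSSL_CLIENTCERT> - while executing "X509::whole [SSL::cert 0]"',
    'Mar 22 09:29:09 local/tmm err tmm[5558]: 01220001:3: TCL error: test_cert_rule <CLIENTSSL_CLIENTCERT> - while executing "X509::whole [SSL::cert 0]"',
    "not a syslog line",
]

if __name__ == "__main__":
    for sample in SAMPLE_LOG:
        print(parse_ltm_line(sample))
    print(tcl_errors_by_rule(SAMPLE_LOG))
```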
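The HTTP_RESPONSE_DATA sample on the Samples slide overwrites each HTML comment with spaces of the same length so that Content-Length and the offsets of later matches stay valid. The Python below is an added example, not iRule code: it carries the sample's comment regex over to Python's re module (same comment shape, same inclusive index pairs as -indices) and checks the length-preserving property on a constructed response body.

```python
"""Length-preserving HTML comment scrubbing (added example, mirrors the iRule sample)."""
import re
from typing import List, Tuple

# Same shape as the iRule pattern: "<!", optional whitespace, "--", a body that contains
# no "--", then "--", optional whitespace, ">".
COMMENT_RE = re.compile(r"<![ \r\n\t]*--(?:[^-]|-[^-])*--[ \r\n\t]*>")


def find_comments(payload: str) -> List[Tuple[int, int]]:
    """Inclusive (start, end) index pairs, like the -indices list the iRule loops over."""
    return [(m.start(), m.end() - 1) for m in COMMENT_RE.finditer(payload)]


def scrub_comments(payload: str) -> str:
    """Overwrite every comment with spaces of equal length.

    Keeping the length unchanged is what makes in-place replacement safe: the
    Content-Length already sent stays correct and the remaining index pairs,
    computed before any replacement, still point at the right bytes.
    """
    out = list(payload)
    for start, end in find_comments(payload):
        length = end - start + 1
        out[start:end + 1] = " " * length
    return "".join(out)


# Constructed body: the kind of internal detail that comments tend to leak to clients.
SAMPLE_BODY = ("<html><!-- build 1234, internal host app01 -->"
               "<body>hi<!--\n  TODO: remove debug endpoint\n--></body></html>")

if __name__ == "__main__":
    print(find_comments(SAMPLE_BODY))
    print(repr(scrub_comments(SAMPLE_BODY)))
```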