F5 | iCookServers-&-Networks

I often implement large list of IP and URL whitelisting/HTTP header based controls on F5 using iRules and Data Groups. What I found is “Data Groups” are one of the easiest way to handle a large number of matching keys and values! As per F5 official documents – data group is the simplest way to maintain a list of permanently matched keys and values. A large list IP address or URL or any string/integer matching can be easily fit within iRule using data groups. Add/Remove entries within data groups are super easy.

Some old documents mentioned that data groups have impact on performance – truth is since TMOS v10.x and above data groups have minimum performance impact. F5 did some testing on performance using data groups and here’s some of the results (copied from F5 site):

The testing was done using 10,000 CPS, 1 HTTP request per TCP connection.

Baseline: TCP + HTTP profile + Blank iRule (when RULE_INIT { } )

Baseline results: Total CPU % used = 23%; TMM CPU % used = 16%; TMM Mem (MB) = 254

Check using iRule that I used in the video against datagroup with 1,000 entries (and no match found, so the entire group is forced to be searched).

Results: Total CPU % used = 25%; TMM CPU % used = 18%; TMM Mem (MB) = 259

Check against datagroup with 2,000 entries (no match found).

Results: Total CPU % used = 25%; TMM CPU % used = 18%; TMM Mem (MB) = 261

Check against datagroup with 10,000 entries (no match found).

Results: Total CPU % used = 26%; TMM CPU % used = 18%; TMM Mem (MB) = 277

So, even with a datagroup with 10,000 entries, the performance hit is minimal.

Here is an example of how to use data groups within iRules; lets say – to whitelist a list of IP address and block requests at TCP layer (TCP three-way handshake which happens before HTTP) – (i)we will create two test data groups and (ii)then bundle them together in an iRule and (iii)finally apply to a virtual server.

i. create data group A – iRules > Data Group List – create “test_data_group_A”; set type Address; enter all the IP address or you can import list file or add them to “/config/bigip.conf” (reload configuration if you edit the /config/bigip.conf manually). This is what it looks like –

ltm data-group internal /Common/test_data_group_A {
 records {
 1.1.1.1/32 { }
 1.1.1.2/32 { }
 1.1.1.3/32 { }
 2.2.2.1/32 { }
 2.2.2.22/32 { }
 }
 type ip
}

ii. follow the same above and create “test_data_group_B”
iii. create an iRule and put them together to allow requests only from the listed IPs (use “class match” command to refer to a data group) –

when CLIENT_ACCEPTED {
if {[class match [IP::client_addr] equals test_data_group_IP_A] } 
{}
elseif {[class match [IP::client_addr] equals test_data_group_IP_B] }
{} 
else
{drop }
}

iv. Apply the above iRule to a virtual server

Thats all! the above should only allow the IPs listed on the Data Groups.

In case if it is required to add/remove new IPs – then only add them to the data groups; no need to touch the iRule anymore.

These are the few handy (10) F5 LTM iRules I use very often. I am keeping a copy here as my reference and this might help others as well.

1. Log all http access headers (client access request & response) – this will send logs to /var/log/ltm.

`++++`

when HTTP_REQUEST {

set LogString “Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]”

log local0. “=============================================”

log local0. “$LogString (request)”

foreach aHeader [HTTP::header names] {

log local0. “$aHeader: [HTTP::header value $aHeader]”

}

log local0. “=============================================”

}

when HTTP_RESPONSE {

log local0. “=============================================”

log local0. “$LogString (response) – status: [HTTP::status]”

foreach aHeader [HTTP::header names] {

log local0. “$aHeader: [HTTP::header value $aHeader]”

}

log local0. “=============================================”

}

+++++

2. Log client_ip only (the above example show IP as well) – this will send client_ip address to /var/log/ltm.

+++

when CLIENT_ACCEPTED {

log “CONNECT: [IP::client_addr]”

}

+++++

3. Redirect HTTP to > HTTPS

++++
when HTTP_REQUEST {
if { [string tolower [HTTP::host]] ends_with “.myfqdn.com.au” } {
HTTP::redirect https://www.myfqdn.com.au [HTTP::uri] #no space
}
else {
reject
}
}
+++++

4. Allow our DNS host names only – we don’t allow domain names which doesn’t belongs to us. We only accept “mydomain.com.au” and subdomains within it for our virtual servers.

++++

when HTTP_REQUEST {

if { [string tolower [HTTP::host]] equals “mydomain.com.au” || [string tolower [HTTP::host]] ends_with “.mydomain.com.au” } {

}

else {

reject

}

+++++

5. If all pool members are down – redirect HTTP Requests to our maintenance web site –

+++++

when HTTP_REQUEST {

if { [active_members [LB::server pool]] == 0 } {

HTTP::redirect “https://maintenance.mydomain.com.au/ ” #no space

}

++++++

6. If ALL pool member is down, display “site is under maintenance from the F5” from the F5.

++++++
when HTTP_REQUEST {
if { [active_members [LB::server pool]] == 0 } {
HTTP::respond 200 content “<p><h3>This site is currently under maintenance – please try again later.</h3></p>”
}
}
+++++

7. If all pool members are down – return 200 OK with content from the F5 –

++++

when HTTP_REQUEST {

if { [active_members [LB::server pool]] == 0 } {

HTTP::respond 200 content “<p><h3>This site is currently under maintenance – please try again later.</h3></p>”

}

+++++

8. URI rewrite – if client try to access “/application” rewrite/send them to “/application/ver1.1”

++++

when HTTP_REQUEST {

switch [HTTP::uri] {

“/application” {

HTTP::uri “/application/ver1.1”

}

+++++++++

9. Rewrite URI based on HTTP Header – URI rewrite is transparent to client whereas HTTP::redirect to new address is not which return HTTP code 3xx to client.

+++++

when HTTP_REQUEST {

switch [HTTP::header X-APP-Version] {

“app1.0” {

HTTP::uri “/app/default1.0”

}

“app2.0” {

HTTP::uri “/app/default2.0”

}

++++++

10. HTTP redirect based on http header – HTTP redirect 307 preserve what present within a initial POST request whereas other 30x such as 301/302 does not preserve any data in initial POST.

++++

when HTTP_REQUEST {

set LogString “Client [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]”

log local0. “=============================================”

log local0. “$LogString (request)”

foreach aHeader [HTTP::header names] {

log local0. “$aHeader: [HTTP::header value $aHeader]”

}

log local0. “=============================================”

}

when HTTP_RESPONSE {

log local0. “=============================================”

log local0. “$LogString (response) – status: [HTTP::status]”

foreach aHeader [HTTP::header names] {

log local0. “$aHeader: [HTTP::header value $aHeader]”

}

log local0. “=============================================”

}

+++

when CLIENT_ACCEPTED {

log “CONNECT: [IP::client_addr]”

}

+++++

++++

when HTTP_REQUEST {

if { [string tolower [HTTP::host]] equals “mydomain.com.au” || [string tolower [HTTP::host]] ends_with “.mydomain.com.au” } {

}

else {

reject

}

}

+++++

+++++

when HTTP_REQUEST {

if { [active_members [LB::server pool]] == 0 } {

HTTP::redirect “https://maintenance.mydomain.com.au/ ” #no space

}

}

++++++

++++

when HTTP_REQUEST {

if { [active_members [LB::server pool]] == 0 } {

HTTP::respond 200 content “<p><h3>This site is currently under maintenance – please try again later.</h3></p>”

}

}

+++++

++++

when HTTP_REQUEST {

switch [HTTP::uri] {

“/application” {

HTTP::uri “/application/ver1.1”

}

}

}

+++++++++

+++++

when HTTP_REQUEST {

switch [HTTP::header X-APP-Version] {

“app1.0” {

HTTP::uri “/app/default1.0”

}

“app2.0” {

HTTP::uri “/app/default2.0”

}

}

}

++++++

+++++++

when HTTP_REQUEST {

if { [HTTP::header X-APP-NAME] contains “myapp1”}

{

HTTP::respond 307 “Location” “https://myapp.abc.com/api/myapp1.0 ” #no space

}

else {

HTTP::respond 307 “Location” “https://myapp.abc.com/api/myapp2.0 ” #no space

}

}

+++++++++

`++++`