F5上基于HTTP的iRule配置

1HTTPClassProfile2WhatistheHTTPClassTheHTTPClassprofileprovidesawaytomatchspecificcriteriafromanHTTPconnectionand–Selectapoolbasedonthespecifiedcriteria–PerformaURIredirectionbasedonthecriteria–SendallmatchingtrafficthroughtheApplicationSecurityManagermodulebasedonthespecifiedcriteria–SendallmatchingtrafficthroughtheWebAcceleratormodulebasedonthespecifiedcriteriaTheHTTPClassisessentiallyacompiledinversionofaniRule.3HTTPClassProfileFoundundertheProfileProtocolsectionRequiresanHTTPprofileontheVirtualServer4Howdoesmatchingwork?SeeSOL5422onaskf5.comaboutmatchingThefieldsusedtomatchagainstareasfollows:–Hostname(ex.)–URIPath(ex./*.jpg)–HTTPHeader(ex.Accept-Encoding:gzip,deflate)–Cookie(ex.BigIPServer)RegularExpressionscanbeusedMultiplematchselectionswithinadefinedHTTPClassarealogicalAND.5MatchExampleTheHTTPclassmatchesagainstselectedcriteriaandgoestotheselectedpooland/ortheURIcanberewrittenifthereisamatch.Inthisexample,ifthehostcontains:theredirectionsyntaxisthesameasaniRulesyntax.7MoreusesHTTPClassisalsothelinktotheASMorWA.EnableASMorEnableWAfortheHTTPClassandthiswillsendallmatchingtraffictotheenabledmodulebeforesendingitontotheselectedpool.TheASMorWAselectionsareonlyvisibleifthemoduleislicensed.8HTTPClassassociationTheHTTPClassrequiresanHTTPprofiletobepresentonthevirtualserverHTTPClassesoperatejustlikeiRuleswhentheyareassociatedwiththevirtualserver.–Firstlisted,firstparsed(ordercanbechangebyUp/Downbuttons)–Fallthroughtothenextlisted–DefaultpoolusedofnoHTTPclassismatched10BigIPv9PracticaliRules11ProgramminglanguageintegratedintoTMOS–TMOS(TrafficManagementOperatingSystem)BasedonindustrystandardTCLlanguage–TCL(ToolCommandLanguage)iRulesprovidetheabilitytointercept,inspect,transform,directandtrackinboundoroutboundapplicationtrafficCoreoftheF5“secretsauce”andkeydifferentiatoriRules12WhatmakesiRulessounique?Full-fledgedscripts,executedagainsttrafficonthenetwork,atwire-speedPowerfullogicaloperationscombinedwithdeeppacketinspectionTheabilitytoroute,re-route,re-direct,retry,orblocktrafficCommunitysupport,toolsandinnovation13iRulesMyths-debunkediRulesareslow!Theykillnetworkperformance.OnlysoftwaredeveloperswillunderstandhowtowriteallthatcodeIt’saburdentouserstomakethingsthisgranular,theyshouldbecheck-boxesorpointandclicklikecompetitorsF5won’tevensupportiRulesfortheircustomersNooneisactuallyusingiRules,it’sjusthype14HowdoiRulesWork?•CodedaroundEvents•Suchas,HTTP_REQUEST,HTTP_RESPONSE,CLIENT_ACCEPTEDetc.•iRulesallowyoutoperformdeeppacketinspection(entireheaderandpayload)•Fullscriptinglanguageallowsforbidirectionalandgranularcontrolofinspection,alterationanddeliveryofapplicationtrafficonapacketbypacketbasisRequestsHTTP_REQUESTiRuleTriggeredHTTPEventsFiredModifiedResponses**Note:BIG-IP’sBi-DirectionalProxycapabilitiesallowittoinspect,modifyandroutetrafficatnearlyanypointinthetrafficflow,regardlessofdirection.HTTP_RESPONSEiRuleTriggeredHTTPEventsFired16iRulesReacttoChainEventsiRulesEventsAreaNaturalPartofTMOSInternalRealTimeProcessFlowsClientSideContextServerSideContext17KeyelementsofaniRuleEventdeclarations–Definewhencodewillbeexecuted–EveryiRulewillhaveaneventOperators–DefineunderwhatconditionsyouwillperformanactioniRulecommands–Definetheactiontoperform18iRuleelements-EventsEventsareanythingthatmaytriggertheprocessingoftheruleinthefirstplaceExamples:–HTTP_REQUEST–HTTP_RESPONSE–CLIENT_ACCEPTED–LB_FAILEDAdditionaleventsfoundat{if{[HTTP::host]ends_with“bob.com”}{poolhttp_pool1}}19SomeiRuleEventsAUTHAUTH_ERRORAUTH_FAILUREAUTH_RESULTAUTH_SUCCESSAUTH_WANTCREDENTIALCACHECACHE_REQUESTCACHE_RESPONSECLIENTSSLCLIENTSSL_CLIENTCERTCLIENTSSL_HANDSHAKEDNSDNS_REQUESTDNS_RESPONSENAME_RESOLVEDGLOBALLB_FAILEDLB_SELECTEDRULE_INITHTTPHTTP_CLASS_FAILEDHTTP_CLASS_SELECTEDHTTP_REQUESTHTTP_REQUEST_DATAHTTP_REQUEST_SENDHTTP_RESPONSEHTTP_RESPONSE_CONTINUEHTTP_RESPONSE_DATAIPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATALINECLIENT_LINESERVER_LINERTSPRTSP_REQUESTRTSP_REQUEST_DATARTSP_RESPONSERTSP_RESPONSE_DATASIPSIP_REQUESTSIP_REQUEST_SENDSIP_RESPONSESERVERSSLSERVERSSL_HANDSHAKESTREAMSTREAM_MATCHEDTCPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATAUSER_REQUESTUSER_RESPONSEUDPCLIENT_ACCEPTEDCLIENT_CLOSEDCLIENT_DATASERVER_CLOSEDSERVER_CONNECTEDSERVER_DATAXMLXML_BEGIN_DOCUMENTXML_BEGIN_ELEMENTXML_CDATAXML_END_DOCUMENTXML_END_ELEMENTXML_EVENTAUTHCACHECLIENTSSLDNSGLOBALHTTPIPLINERTSPSIPSERVERSSLSTREAMTCPUDPXML20iRuleelements-OperatorsTherearetwotypesoroperators,RelationalandLogicalRelationaloperators–contains,matches–equals–starts_with,ends_with,–matches_regex,switchLogicaloperators–if,else,elseif–and,not,orwhenHTTP_REQUEST{if{[HTTP::host]ends_with“bob.com”}{poolhttp_pool1}}whenHTTP_REQUEST{if{([