Reputation: 851
I need to set up a configuration for many similar environments. Each will have a different hostname that follows a pattern, e.g. env1, env2, etc.
I can use a pool per environment and a single virtual server with an iRule that selects a pool based on hostname.
What I'd prefer to do is dynamically generate and select the pool name based on the requested hostname rather than listing out every pool in the switch statement. It's easier to maintain and automatically handles new environments.
The code might look like:
when HTTP_REQUEST {
    # Use the lower-cased Host header as the pool name
    pool [string tolower [HTTP::host]]
}
and each pool name matches the hostname.
Is this possible? Or is there a better method?
EDIT
I've expanded my hostname pool selection. I'm now trying to include the port number. The new rule looks like:
when HTTP_REQUEST {
    set lb_port "[LB::server port]"
    set hostname "[string tolower [getfield [HTTP::host] : 1]]"
    log local0.info "Pool name $hostname-$lb_port-pool"
    pool "$hostname-$lb_port-pool"
}
This is working, but I'm seeing no-such-pool errors in the logs because somehow a port 0 request is coming into the pool. It seems to be the first request and is then followed by the request with the legitimate port.
Wed Feb 17 20:39:14 EST 2016 info tmm tmm[6519] Rule /Common/one-auto-pool-select-by-hostname-port <HTTP_REQUEST>: Pool name my.example.com-80-pool
Wed Feb 17 20:39:14 EST 2016 err tmm1 tmm[6519] 01220001 TCL error: /Common/one-auto-pool-select-by-hostname-port <HTTP_REQUEST> - no such pool: my.example.com-0-pool (line 1) invoked from within "pool "$hostname-$lb_port-pool""
Wed Feb 17 20:39:14 EST 2016 info tmm1 tmm[6519] Rule /Common/one-auto-pool-select-by-hostname-port <HTTP_REQUEST>: Pool name my.example.com-0-pool
What is causing the port 0 request? And is there any workaround? e.g. could I test for port 0 and select a default port or ignore it?
ONE MORE EDIT
Rebuilt the virtual server, and now the error has gone. The rebuild of the VS was just to rename it though. I'm fairly sure I recreated the settings exactly the same.
Upvotes: 0
Views: 2851
Reputation: 73
The simple case mentioned by Michael works. I'd recommend removing the port value if present:
when HTTP_REQUEST {
    pool "pool_[string tolower [getfield [HTTP::host] : 1]]_[LB::server port]"
}
Keep in mind that clients might send a partial hostname. If the DNS search path is set to example.org then the client might hit shared/ which maps to shared.example.org, but the HTTP::host header will just have shared. Some API libraries may append the port number even if it's on the default port. Simple code might not send a Host header. Malicious code might send completely bogus Host headers. You could trap these cases with catch.
You can also use a datagroup to map hostnames to pools. This allows multiple hosts to use the same pool. Sample code:
when HTTP_REQUEST {
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    if { $host == "" } {
        # if there's no Host header, pull from virtual server name
        # we use: pool_<virtualserver>_PROTOCOL
        set host [getfield [virtual name] _ 2]
    } elseif { not ($host contains ".") } {
        # if Host header does not contain a dot, assume example.org
        set host $host.example.org
    }
    set pool [class match -value $host[HTTP::uri] starts_with dg_shared.example.org]
    if { $pool ne "" } {
        set matched [class match -name $host[HTTP::uri] starts_with dg_shared.example.org]
        set log(matched) $matched
        set log(pool) $pool
        if { [catch { pool $pool } ] } {
            set log(reason) "Failed to Connect to Pool"
            call hsllog log
            call errorpage 404 $log(reason) "https://[HTTP::host][HTTP::uri]" log
        }
    } else {
        call errorpage 404 "No Pool Found" "https://[HTTP::host][HTTP::uri]" log
    }
}
when SERVER_CONNECTED {
    if { !($pool ends_with "_HTTPS") } {
        SSL::disable serverside
    }
}
This allows host.example.org/path1 to be on a different pool than host.example.org or host.example.org/path2 by including separate entries in the datagroup. I didn't include the hsllog and errorpage procs here. They dump the log array as well as the other passed parameters.
We then disable serverside ssl for pools that don't end in _HTTPS.
Note: As with dynamically generated pool names, the BIG-IP UI does not look inside datagroups for pool references, so the interface will allow you to delete one of these pools thinking it's not in use.
We use BigIPReport to identify orphan pools: https://devcentral.f5.com/s/articles/bigip-report
Upvotes: 1
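Added example (not part of either post above): the answer notes that Host headers may be missing, partial, port-suffixed or bogus, so this iRule allow-lists the header's shape before it is used in a pool name and catches a missing pool. It assumes hosts named env<N> under example.org, a hypothetical pool naming scheme <env>_<port>_pool, and TCP::local_port as the port value.

```tcl
# Added example, not from the thread. Assumed names: env<N> hosts under
# example.org and pools called <env>_<port>_pool.
when HTTP_REQUEST {
    # Drop any ":port" suffix and normalise case before inspecting the value.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Allow-list the expected shape: "env<N>" or "env<N>.example.org".
    # An empty, partial or bogus Host header stops here and never
    # becomes part of a pool name.
    if { ![regexp {^(env[0-9]{1,3})(\.example\.org)?$} $host -> env] } {
        # Log a truncated copy so an oversized header cannot flood the log.
        log local0.warn "Rejected Host '[string range [HTTP::host] 0 63]' from [IP::client_addr]"
        HTTP::respond 404 content "Unknown host" "Content-Type" "text/plain"
        return
    }

    # Build the name from the validated short name and the port the
    # client connected to on this virtual server.
    set pool_name "${env}_[TCP::local_port]_pool"

    # pool raises a Tcl error when the pool does not exist; catch turns
    # that into a logged 404 rather than an unhandled TCL error.
    if { [catch { pool $pool_name } err] } {
        log local0.err "Pool selection failed for $pool_name: $err"
        HTTP::respond 404 content "No pool for this host" "Content-Type" "text/plain"
    }
}
```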
Reputation: 123
Yes, you can specify the pool name in a string. What you have there would work as long as you have a pool with that same name. Though it doesn't show an example of doing it this way, you can also check out the pool wiki page on DevCentral for more information.
As an aside, in my environment I generally create pools with the suffix _pool to distinguish them from other objects when looking at config files. So in my iRules, I would do something like this (essentially the same thing):
when HTTP_REQUEST {
    pool "[string tolower [HTTP::host]]_pool"
}
Upvotes: 3