iRule Examples – 10.x

Below shows a number of iRule examples that you may find useful when creating or deploying iRules on the BIGIP F5 device.

For the latest in iRule tips and tricks hop over to our iRule Cookbook  – click here

WWW redirect

This simple iRule redirects any HTTP traffic without the prepending www to a www address.

when HTTP_REQUEST {
if { [HTTP::host] starts_with “fir3net.com” } {
HTTP::redirect https://www.fir3net.com[HTTP::uri]
}
}

{loadposition content_lock}

HTTP Redirect

This iRule will action a HTTP redirect response when a HTTP request URI contains the string ‘Secure’.

when HTTP_REQUEST {
if { [HTTP::uri] contains “Secure” } {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}

HTTP Redirect (using 2 Conditions)

This iRule will action a HTTP redirect response when a HTTP request URI ends with the string ‘/sendmesomewhereelse’ and the host header contains the domain ‘mydomain.com’.

when HTTP_REQUEST {
if { ([HTTP::host] equals “mydomain.com”) and ([HTTP::uri] ends_with “/sendmesomewhereelse”) } {
HTTP::redirect http://google.com
}
}

URI Pool Selection

This iRule will distribute traffic to Pool2 when the HTTP Request URI ends with ‘txt’.

when HTTP_REQUEST {
if {[HTTP::uri] ends_with “txt”} {
pool Pool1
}
else { pool Pool2 }
}

Switch

This iRule will distrubte traffic to the nessecary pool based on the URL.

when HTTP_REQUEST {
switch -glob [HTTP::host] {
example-url1                            { pool POOL-172.16.1.35-80-1 }
example-url2                            { pool POOL-172.16.1.35-80-2 }
example-url3                            { pool POOL-172.16.1.35-80-3 }
example-url4                            { pool POOL-172.16.1.35-80-4
persist source_addr 255.255.255.248 1800 }
example-url5                            { pool POOL-172.16.1.35-80-5
persist source_addr 255.255.255.248 1800 }
example-url6                            { pool POOL-172.16.1.35-80-7
persist source_addr 255.255.255.248 1800 }
default                                 { pool POOL-172.16.1.35-80-8 }
}
}

SNAT

This iRule will translate the source address for any traffic originating from any address defined within the data group net-group and destined for TCP port 8181.

when CLIENT_ACCEPTED {
if { [TCP::local_port] == 8181 and [class match [IP::client_addr] equals net-group ] } {
snat 192.168.1.131
}
else {
forward
}
}

Insert Header

The following iRule inserts a custom header named SOURCE_IP containing the client source IP address.

when HTTP_REQUEST {
HTTP::header insert SOURCE_IP [IP::remote_addr]
}

Create HTTP Session ID

The following iRule creates a unique id for each HTTP request. The unique id is generated by using the IP/Port of the Local/Remote host and a random number between 1 and 100,000,000. This value is then hashed.
This unique id is then appended to the HTTP request via a custom HTTP header named X-SESSIONID.

when HTTP_REQUEST {
set id “[IP::client_addr][TCP::client_port][IP::local_addr][TCP::local_port][expr { int(100000000 * rand()) }]”
binary scan [md5 $id] H* md5var junk
HTTP::header insert X-SESSIONID $md5var
}

SSL Server Side

This iRule allows you to only perform server side SSL on a selection of pool members. These pool members are defined within a datagroup (named ‘poolmember-group’).

when LB_SELECTED {
SSL::disable serverside
if {[class match [LB::server addr] equals poolmember-group ]} {
SSL::enable serverside
}
}

Troubleshooting

This iRule is used to troubleshoot connections. It creates a log for the HTTP Request and HTTP Response. Within these logs the following is recorded,

• Source IP address
• X-Forwarded-For, in case you are coming from a CDN
• A unique ID so that you can match the HTTP Request and Response.
• The HTTP Response code returned by the server.
• The backend Server IP.
• Time between the F5 receiving the HTTP Request and sending on the HTTP Request.
• Time between the F5 sending the HTTP Request and receiving the HTTP Response.

when HTTP_REQUEST {
    set CLIENT_ADDR [IP::client_addr]
    set XFF [HTTP::header X-Forwarded-For]
    set ID "[TCP::local_port][expr { int(100000000 * rand()) }]"
    set REQUEST_RECEIVE [clock clicks -milliseconds]
}

when HTTP_REQUEST_SEND {
    set REQUEST_SEND [clock clicks -milliseconds]
    set REQUEST_WAIT [expr {$REQUEST_SEND - $REQUEST_RECEIVE}]
    log local0. "SRC:$CLIENT_ADDR  XFF:$XFF ID:$ID"
}

when HTTP_RESPONSE {
    set RESPONSE_TIME [expr {[clock clicks -milliseconds] - $REQUEST_SEND}]
    log local0. "SRC:$CLIENT_ADDR XFF:$XFF ID:$ID - HTTP[HTTP::status] $RESPONSE_TIME\ms/$REQUEST_WAIT\ms [LB::server addr]"
}

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an F5 Loadbalancers expert?

Here is our hand-picked selection of the best courses you can find online:
F5 BIG-IP 101 Certification Exam – Complete Course
F5 BIG-IP 201 Certification Exam – Complete Course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial