F5 iRule Rule Writing Explained [Courseware]

F5 iRule in Detail
F5 Networks

Slide 2: The essential difference between L4 and L7 switching

[Figure: L2, Payload, L3, L4, L7 Header, Full Payload]

Switching on a signature that has no fixed address and no fixed length is what characterizes L7 switching.

                 L2     L3     L4     L7
    Signature    MAC    IP     Port   ?
    Address
    Length

Extracting the L7 switching signature: iRule

Slide 3: What is an iRule?

- iRule is a scripting-language tool
- Its syntax is based on the TCL language
- Most TCL language features are supported
- There are also many iRule extensions
- It helps you implement many extended functions
- When you cannot find the corresponding command or menu in the CLI/GUI, trust iRule!

Slide 4: Components of iRules

- iRules are event-driven
- The LTM system triggers the events you specify/expect in your iRules
- iRules are built from the following basic elements: event declarations, operators, iRules commands

Slide 5: Basic format of iRules

Event declaration, expression, iRules command:

    when CLIENT_ACCEPTED {
        # the network address in front of /24 is missing on the page
        if { [IP::addr [IP::remote_addr] equals "/24"] } {
            discard
        }
    }

Slide 6: Creating and managing iRules (1)
Slide 7: Creating and managing iRules (2)
Slide 8: Creating a Datagroup (1)
Slide 9: Creating a Datagroup (2)
Slide 10: iRule Editor
Slide 11: Referencing an iRule (1): new virtual server
Slide 12: Referencing an iRule (2): existing virtual server

Slide 13: iRule case study (1)

    when HTTP_REQUEST {
        # choose a pool by URI prefix and suffix
        if { [HTTP::uri] starts_with "/csp/dwr/" and [HTTP::uri] ends_with ".js" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/js/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/resources/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp_help/" } {
            pool csp6_cache_pool
        } elseif { [HTTP::uri] starts_with "/csp/esales/" } {
            pool csp6_esales_pool
        } else {
            pool csp6_professional_pool
        }
    }

Slide 14: iRule example (2)

    when HTTP_REQUEST {
        if { [HTTP::header exists "x-up-calling-line-id"] } {
            persist uie [HTTP::header values "x-up-calling-line-id"]
            # log local0. "the phonenumber is-[HTTP::header values x-up-calling-line-id]-"
        }
    }

Session persistence based on the mobile phone number carried in the HTTP packet.

Slide 15: iRule example (3)

    when HTTP_REQUEST {
        if { [matchclass [HTTP::uri] ends_with $::class_end] } {
            pool pool_gateway
            log local0. "the uri is [HTTP::uri], match uri class"
        } elseif { [matchclass [HTTP::host] contains $::class_domain] } {
            pool pool_gateway
            log local0. "the domain name is [HTTP::host], match class_domain"
        } else {
            pool CSS-W3
            log local0. "the uri is [HTTP::uri], use cache"
        }
    }

$:: marks a global variable. From v10 on it should no longer be used; simply remove the $::.

    class class_domain
    class class_end .aspx .cfm .cgi .jsp .php .phtml .shtml

Slide 16: iRule case study (4)

    when CLIENT_ACCEPTED {
        log local0. "the client is [IP::remote_addr], the server is [IP::local_addr]"
        # the network addresses in front of /23 and the rest of this rule are missing on the page
        if { ([IP::addr [IP::local_addr] equals /23] || [IP::addr [IP::local_addr] equals /23] || [IP::addr [IP::local_addr] equals /23])

    # the beginning of this rule is missing on the page
    path=/; domain=%s $ckname $ckvalue .
    HTTP::respond 302 Location Set-Cookie $cookie

    when HTTP_RESPONSE {
        if { [HTTP::status] == 302 } {
            # copy every cookie into the replacement response
            foreach aCookieName [HTTP::cookie names] {
                set currentCookie "$aCookieName=[HTTP::cookie value $aCookieName]"
                set cookies "$cookies\r\nSet-Cookie: $currentCookie"
            }
            HTTP::respond 200 content {Forbidden Redirect From remote Server The server is trying to redirect the client to an external site, but it is forbidden} Set-Cookie $cookies
        }
    }

Slide 70: TMOS CMD: HTTP

Command: Description
- HTTP::release: releases the content obtained by HTTP::collect
- HTTP::close: closes the HTTP connection
- HTTP::redirect: immediately sends an HTTP 302 redirect
- HTTP::fallback: specifies or modifies the fallback host
- HTTP::is_keepalive: Returns a true value if this is a Keep-Alive connection.
- HTTP::is_redirect: Returns a true value if the response is a redirect.
- HTTP::request_num: returns the number of HTTP requests already completed on this connection (Keep-alive)
- HTTP::request: returns the complete HTTP request content

Slide 71: iRules events

How to declare an event:

    when body

An example:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::remote_addr] equals 0] } {
            pool my_pool1
        }
    }

Slide 72: iRules events

Event types:
- Global Events
- IP Events
- TCP/UDP Events
- HTTP/SSL/DNS/Auth/Cache Events
- Others (F5 keeps extending the supported event types): SIP/XML/RTSP, etc.

Slide 73: TMOS Events in detail 1

Part one:
- Global events
- TCP/IP events
- HTTP

Slide 74: Event list 1

Event Class: Events List
- CACHE: CACHE_REQUEST, CACHE_RESPONSE
- DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
- GLOBAL: LB_FAILED, LB_SELECTED, NAME_RESOLVED, PERSIST_DOWN, RULE_INIT
- HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
- IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
- TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE

Slide 75: Event list 2

Event Class: Events List
- AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
- CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
- LINE: CLIENT_LINE, SERVER_LINE
- RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
- SCTP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
- SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
- SERVERSSL: SERVERSSL_HANDSHAKE
- STREAM: STREAM_MATCHED
- UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
- XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT

Slide 76: Events: Global

Events: Triggered
- RULE_INIT: when an iRule is added or is modified
- LB_SELECTED: when the system selects a pool member
- LB_FAILED: when the system fails to select a pool or a pool member, or when a selected pool member or node fails to respond to a connection request or is unreachable
- PERSIST_DOWN: when persistence dictates that a connection would be sent to a pool or a pool member or node which has been marked down
  * PERSIST_DOWN does not fire if cookie persistence or MSRDP persistence is used.
- NAME_RESOLVED: after a NAME::lookup command has been issued and a response has been received

Slide 77: Events: Global: LB_FAILED

Events: Triggered
- LB_FAILED: when the system fails to select a pool or a pool member, or when a selected pool member or node fails to respond to a connection request or is unreachable

LTM's default tcp profile sets Maximum Syn Retransmissions to 4, so with the default setting, LB_FAILED would be triggered if the server didn't respond in 45 seconds:

    1st SYN: 0
    2nd SYN: +3 seconds
    3rd SYN: +6 seconds
    4th SYN: +12 seconds
    5th SYN: +24 seconds
    = LB_FAILED: 45 seconds

Reducing Maximum Syn Retransmissions to 2 will result in the trigger of the LB_FAILED event in 9 seconds, which makes recovery logic in the LB_FAILED event much more useful as a backup to monitoring. (Health monitors only retry twice.)

Slide 78: Events: IP/TCP

Events: Triggered
- CLIENT_ACCEPTED: when a client has established a connection
- CLIENT_DATA: when new data is received from the client while the connection is in "collect" state
- CLIENT_CLOSED: at the end of any client connection, regardless of protocol
- SERVER_CONNECTED: when a connection has been established with the target node
- SERVER_DATA: when new data is received from the target node after the TCP::collect command has been issued
- SERVER_CLOSED: when the server-side connection closes

Slide 79: Events: TCP

Events: Triggered
- USER_REQUEST: by the command TCP::notify request. It executes in a server-side context.
- USER_RESPONSE: by the command TCP::notify response. It executes in a client-side context.

    when SERVER_DATA {
        TCP::release
        TCP::collect
        log local0. "in SERVER_DATA, calling TCP::notify response to trigger USER_RESPONSE event"
        TCP::notify response
    }
    when USER_RESPONSE {
        log local0. "in USER_RESPONSE"
    }

Slide 80: Events: HTTP

Events: Triggered
- HTTP_REQUEST: when the system fully parses a complete client request header
- HTTP_REQUEST_DATA: when an HTTP::collect command has collected the specified amount of request data
- HTTP_REQUEST_SEND: immediately before an HTTP request is sent to the server-side TCP stack
- HTTP_RESPONSE: when the system parses all of the response status and header lines from the server response
- HTTP_RESPONSE_CONTINUE: whenever the system receives a 100 Continue response from the server
- HTTP_RESPONSE_DATA: when an HTTP::collect command has collected the specified amount of response data

Slide 81: Advanced Persistence with iRules

- UIE - Universal Inspection Engine
- Hash

Slide 82: iRules commands: Global: persist

Command: Description
- persist simple
- persist source_addr
- persist sticky
- persist dest_addr
- persist ssl
- persist msrdp
- persist uie
- persist hash
- persist none

Slide 83: iRules commands: Global: persist

Command: Description
- persist cookie insert | rewrite | passive | hash

Slide 84: iRules commands: Global: persist

Command: Description
- persist add
- persist lookup all | node | port | pool
  "all" or no specification returns a list containing the node, port and pool name.
- persist delete

    = simple | source_addr | sticky | dest_addr | ssl | uie | hash
    = = any pool
      Access or delete entries in the persist table according to the given conditions
    = The timeout in seconds

Slide 85: iRules commands: Global: session

Command: Description
- session add: Stores user's data under the specified key for the specified persistence mode
- session lookup: Return
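
The HTTP_RESPONSE rule earlier on this page replaces a 302 that points to an external site with a "Forbidden Redirect" page, but only its status test is visible. The iRule below is an added example, not code from the deck, showing one way to decide what counts as external; it assumes v10 or later (class match) and a string data group named allowed_redirect_hosts, which like the variable names is hypothetical.

```tcl
# Added example: block server redirects that leave the site.
# Assumption: the data group allowed_redirect_hosts (hypothetical name)
# lists, in lower case, the extra host names redirects may point to.
when HTTP_REQUEST {
    # Remember the requested host without its port for the response side.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}

when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        set location [HTTP::header value Location]
        # URI::host returns the host part of an absolute URI,
        # and an empty string for a relative one such as /login.
        set target [string tolower [URI::host $location]]

        if { $target eq "" } {
            # Relative redirect: stays on the requested site.
            return
        }
        if { $target eq $req_host } {
            # Same host as the request: allowed.
            return
        }
        if { [class match $target equals allowed_redirect_hosts] } {
            # Explicitly approved external host.
            return
        }

        # Anything else is treated as an external redirect and replaced.
        log local0. "blocked redirect from $req_host to $target"
        HTTP::respond 403 content "Forbidden redirect" "Content-Type" "text/plain"
    }
}
```

Comparing whole host names with equals, rather than contains or ends_with, keeps a look-alike name that merely embeds an approved host from passing the check.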
