Thursday 8 August 2019

Finding traffic that's hitting a F5 vip via IRule

So let say you have  traffic hitting a f5 VirtualServer,  but you want to  find out what/who  is hitting it and what URI they are asking for,  you can do  a log Statement inside   a iRule defining what you want to log ( src addr, host_header URI )   


e.g

ltm rule HOSTSWITCHER {
    when HTTP_REQUEST {
    switch [HTTP::host] { 
   "mysite.mydomain.com" {

    persist cookie insert "c00k3yM0nst3r" "7d 00:00:00"
    log local0. " The site name  [HTTP::host] and uri  [HTTP::uri]  is hitting  the mysite.mydomain.com" 
    pool mysite.mydomain.com_pool
   }
   
  

   default {
   log local0. " The site name  [HTTP::host] and uri  [HTTP::uri] and client's address  [IP::client_addr]   is hitting  the default" 
   persist cookie insert "de3fAUlt" "1d 00:00:00"
   pool default_pool
  }
 }
}
}


This helps to find DNS entries that could be lefted over and pointing to your public address. By generating a log message for the host and|or URI  you can easily debugged left over or bad configurations.

The f5 logs  for  ltm will show something similar ;

No comments:

Post a Comment

iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...