F5 Agility Labs - Index¶
Welcome¶
Welcome to the Cooking with iRules - HTTP lab at F5 Agility 2020
The content contained here leverages a full DevOps CI/CD pipeline and is sourced from the GitHub repository at https://github.com/f5devcentral/f5-agility-labs-irules. Bugs and Requests for enhancements can be made using by opening an Issue within the repository.
Getting Started¶
Please follow the instructions provided by the instructor to start your lab and access your jump host.
Note
All work for this lab will be performed exclusively from the Windows jumphost. No installation or interaction with your local system is required.
Lab Topology¶
The following components have been included in your lab environment:
- 2 x F5 BIG-IP VE (v12.1)
- 1 x F5 iWorkflow VE (v2.1)
- 1 x Linux LAMP Webserver (xubuntu 14.04)
- 1 x Windows Jumphost
Lab Components¶
The following table lists VLANS, IP Addresses and Credentials for all components:
| Component | VLAN/IP Address(es) | Credentials |
|---|---|---|
| Sample Host |
|
admin/admin |
Cooking with iRules - HTTP¶
This class covers the following topics:
- HTTP Protocol Review
- HTTP Request Side Overview
- HTTP Response Side Overview
- HTTP Related Events
- HTTP Headers
- STREAM Command
- HTTP Payload Capture and Manipulation (If time permits)
- SSL::profile (If time permits)
Expected time to complete: 1.25 hours
Note
All work for this lab will be performed exclusively from the Windows jumphost. No installation or interaction with your local system is required.
Lab Components¶
The following table lists the Credentials for all components:
| Component | VLAN/IP Address(es) | Credentials |
|---|---|---|
| BigIP | Management: bigip1 | admin/admin.F5demo.com |
| Jumphost | Jumphost: TBD | external_user/P@ssw0rd! |
Cooking with iRules Labs¶
This is the collection of HTTP Labs. Here is where you get to prove you listened in class :)
Lab 1 - Create an iRule that Parses the URI to Route Traffic¶
The goal of this lab is to route incoming HTTP requests to a specfic pool based on the incoming http host name.
Please create an iRule that will route traffic based on the following table:
| Host Name | Pool Name |
|---|---|
| dvwa.f5lab.com | dvwa_pool_http |
| peruggia.f5lab.com | peruggia_http_pool |
| wackopicko.f5lab.com | wackopicko_http_pool |
Important
- Estimated completion time: 10 minutes
Open Chrome Browser
Enter https://bigip1 into the address bar and hit Enter
- Login with username: admin
password: admin.F5demo.com
Click Local Traffic -> iRules -> iRules List
Click Create button
Enter Name of URI_Routing_iRule
Enter your code
Click Finished
Click Local Traffic -> Virtual Servers -> Virtual Server List
Click on http_irules_vip
Click on the Resources tab
Click Manage button for the iRules section
Click on URI_Routing_iRule from the Available box and click the << button, thus moving it to the Enabled box.
Click the Finished button
Open a new tab in Chrome
Enter http://dvwa.f5lab.com/ and ensure you get there
Now enter http://peruggia.f5lab.com/ and ensure you get to the app
Finally, enter http://wackopicko.f5lab.com/ and ensure you can get to that app
If you see this image below - it means your iRule did not work.
Hint
If you need a basic hint here is some example code:
Here is a link to DevCentral: https://clouddocs.f5.com/api/irules/HTTP__host.html
If you are really stuck, here is what we are looking for:
- When HTTP_Request comes in
- Evaluate the HTTP_host name
- If it matches send it to the correct pool.
- Loop through all the host names you want to match on and continue to direct to the correct pools.
- Now you should have enough to understand and the majority of code needed to create the iRule. If not here is the complete iRule.
Lab 2 - Log and Change Headers¶
Your iRule should:
- Log all HTTP request headers.
- Log all HTTP response headers.
- Remove the header named Server from all HTTP responses.
Attention
OPTIONAL: Instead of removing the Server header in the response, change the value of the Server header to Microsoft-IIS/7.0.
Important
- Estimated completion time: 15 minutes
Open Chrome Browser
Enter https://bigip1 into the address bar and hit Enter
- Login with username: admin
password: admin.F5demo.com
Click Local Traffic -> iRules -> iRules List
Click Create button
Enter Name of Header_Log_Strip_iRule
Enter Your Code
Click Finished
Click Local Traffic -> Virtual Servers -> Virtual Server List
Click on http_irules_vip
Click on the Resources tab
Click Manage button for the iRules section
Click on Header_Log_Strip_iRule from the Available box and click the << button, thus moving it to the Enabled box, your first and now second iRule should be in the Enabled box.
Click the Finished button
Open the Firefox browser
Click the 3 horizontal line button on the far right of the address bar
Use developer tools in Mozilla, or use Chrome to view headers
Enter http://dvwa.f5lab.com/ and ensure you get there
Now enter http://wackopicko.f5lab.com/
Finally, enter http://peruggia.f5lab.com/ and ensure you can get to that app
Look at the headers for each of your requests. Did you log them all? What is the value of the Server header?
Attention
OPTIONAL: Instead of removing the Server header in the response, change the value of the Server header to Microsoft-IIS/7.0.
Hint
Basic Hint if you need a hint here is some example code:
Link to DevCentral: https://clouddocs.f5.com/api/irules/HTTP__header.html
If you are really stuck, here is what we are looking for:
Lab 3 - HTTP to HTTPS Redirect¶
- Create an iRule to redirect all traffic that arrives at an HTTP virtual server to be redirected to the same IP address but using an HTTPS port.
- The full original HTTP request should be maintained when re-directing. Example http://my.domain.com/app1/index1.html should redirect to https://my.domain.com/app1/inex.html
- Traffic goes to the HTTPS virtual server should still perform the pool selection and should still perform the header stripping from previous labs.
Important
- Estimated completion time: 20 minutes
Open Chrome Browser
Enter https://bigip1 into the address bar and hit Enter
- Login with username: admin
password: admin.F5demo.com
Click Local Traffic -> iRules -> iRules List
Click Create button
Enter Name of HTTP_to_HTTPS_iRule
Enter Your Code
Click Finished
Click Local Traffic -> Virtual Servers -> Virtual Server List
Click on http_irules_vip
Click on the Resources tab.
Click Manage button for the iRules section.
Click on HTTP_to_HTTPS_iRule from the Available box and click the << button, thus moving it to the Enabled box, your first, second, and now third iRule’s should be in the Enabled box.
Click the Finished button.
Click Local Traffic -> Virtual Servers -> Virtual Server List.
Click on https_irules_vip
Click on the Resources tab
Click Manage button for the iRules section
Click on the 2 iRules you require to enable pool selection and Server header removal from the previous labs from the Available box and click the << button, thus moving them to the Enabled box.
Enter http://dvwa.f5lab.com/ and ensure you get redirected to the HTTPS virtual server.
Now enter http://wackopicko.f5lab.com/ and ensure you get redirected to the HTTPS virtual server.
Finally, enter http://peruggia.f5lab.com/ ensure you get redirected to the HTTPS virtual server.
From the previous lab the next two tests should confirm everything is working as before, but using HTTPS.
Look at the headers for each of your requests. Did you log them all? What is the value of the Server header?
Attention
OPTIONAL: Instead of removing the Server header in the response, change the value of the Server header to Microsoft-IIS/7.0.
Hint
Basic Hint if you need a hint here is some example code:
Link to DevCentral: https://clouddocs.f5.com/api/irules/HTTP__redirect.html
If you are really stuck, here is what we are looking for:
Lab 4 - Stream Profile¶
Create a Stream Profile to change the body of the DVWA site
Important
- Estimated completion time: 10 minutes
Open Chrome Browser
Enter https://bigip1 into the address bar and hit Enter
- Login with username: admin
- password: admin.F5demo.com
Click Local Traffic -> iRules -> iRules List
Click Create button
Enter Name of Stream_iRule
Enter Your Code
Click Finished
Click Local Traffic -> Virtual Servers -> Virtual Server List
Click on https_irules_vip
In the Configuration section ensure it says Advanced in the drop down
Go to the Stream Profile section and select stream
Scroll to the bottom and click the Update button
Click on the Resources tab at the top of the page.
Click Manage button for the iRules section
Click on Stream_iRule from the Available box and click the << button, thus moving it to the Enabled box, your first and now second iRule should be in the Enabled box.
Click the Finished button
Open the Firefox browser
Enter https://dvwa.f5lab.com and ensure you get there and it is HTTPS and that the word Damn is replaced with Darn
Hint
Basic Hint if you need a hint here is some example code:
Link to DevCentral: https://clouddocs.f5.com/api/irules/STREAM.html
If you are really stuck, here is what we are looking for:
- When HTTP_Request comes in
- Second we need to disable both encoding the stream profile for the request
- When HTTP_RESPONSE comes back
- Next we need to change our stream matching string and turn on the stream profile again.
- Now you should have enough to understand and the majority of code to create the iRule. If not here is the complete iRule.
Lab 5 - HTTP Payload Manipulation¶
Collect an HTTP payload, change it, and release it to the client. As in the previous lab replace Damn with Darn, or get creative. We arent going to use a stream profile this time we are using an HTTP::payload command instead.
Important
- Estimated completion time: 20 minutes
Open Chrome Browser
Enter https://bigip1 into the address bar and hit Enter
- Login with username: admin
- password: admin.F5demo.com
Click Local Traffic -> iRules -> iRules List
Click Create button
Click Create button
Enter Name of HTTP_Payload_iRule
Enter Your Code
Click Finished
Click Local Traffic -> Virtual Servers -> Virtual Server List
Click on http_irules_vip
Click on the Resources tab.
Click Manage button for the iRules section.
What should you do here? (Hint: Remove Stream_iRule and replace with HTTP_Payload_iRule)
Click the Finished button
Open the Firefox browser
Enter https://dvwa.f5lab.com and ensure you get there and it is HTTPS
Hint
Basic Hint
if you need a hint here is some example code:
Link to DevCentral: https://clouddocs.f5.com/api/irules/HTTP__collect.html
Link to DevCentral: https://clouddocs.f5.com/api/irules/HTTP__release.html
If you are really stuck, here is what we are looking for:
- When HTTP_Request comes in
- Second change the version of HTTP and disable compression for the request
- When HTTP_RESPONSE comes back
- Next we need to collect some HTTP::collect some data.
- Now when we get HTTP_RESPONSE_DATA
- Now we will set some find and replace strings.
- Finally we will perform a regsub on the payload and replace with new text.
- Now you should have enough to understand and the majority of code to create the iRule. If not here is the complete iRule.
iRules Summary¶
# if / elseif version
when HTTP_REQUEST {
if {[HTTP::host] equals "dvwa.f5lab.com"} {
pool dvwa_pool_http
} elseif {[HTTP::host] equals "peruggia.f5lab.com"} {
pool peruggia_http_pool
} elseif {[HTTP::host] equals "wackopicko.f5lab.com"} {
pool wackopicko_http_pool
}
}
# switch version
when HTTP_REQUEST {
switch [HTTP::host] {
dvwa.f5lab.com { pool dvwa_pool_http }
peruggia.f5lab.com { pool peruggia_http_pool }
wackopicko.f5lab.com { pool wackopicko_http_pool }
}
}
# Advanced, data group lookup version!
when HTTP_REQUEST {
if { [class match [HTTP::host] equals "hostnames_dg"] } {
pool [class lookup [HTTP::host] "hostnames_dg"]
}
}
# Header_Strip_Log_iRule
when HTTP_REQUEST {
log local0. "Request Headers: [HTTP::header names]"
}
when HTTP_RESPONSE {
log local0. "Response Headers: [HTTP::header names]"
HTTP::header remove Server
}
# Advanced - Bonus and prettier
when HTTP_REQUEST {
foreach header [HTTP::header names] {
log local0. "Request Header $header: [HTTP::header $header]"
}
}
when HTTP_RESPONSE {
foreach header [HTTP::header names] {
log local0. "Response Header $header: [HTTP::header $header]"
if {$header equals "Server"} {
HTTP::header remove $header
}
}
HTTP::header insert Server "Microsoft-IIS/8.0"
}
# HTTP_to_HTTPS_iRule
when HTTP_REQUEST {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
# Factory F5 https redirect iRule
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
# Stream_iRule
when HTTP_REQUEST {
HTTP::header remove Accept-Encoding
STREAM::disable
}
when HTTP_RESPONSE {
STREAM::expression @Damn@Darn@
STREAM::enable
}
# HTTP_Payload_iRule
when HTTP_REQUEST {
HTTP::version 1.0
HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
HTTP::collect [expr 1024*1024]
}
when HTTP_RESPONSE_DATA {
set find "Damn"
set replace "***"
if {[regsub -all $find [HTTP::payload] $replace new_response] > 0} {
HTTP::payload replace 0 [HTTP::payload length] $new_response
}
}
iRules Events¶
Complete listing of events - https://clouddocs.f5.com/api/irules/Events.html
Master list of iRule Commands - https://clouddocs.f5.com/api/irules/Commands.html
BIG-IP Commands and Events by Version - https://clouddocs.f5.com/api/irules/BIGIP_Commands_by_Version.html
iRules HTTP Events¶
HTTP Flow Order grabbed form here - https://devcentral.f5.com/s/contentdocument/0691T000005oRxAQAU
iRules HTTPS Events¶
HTTPS Flow Order grabbed from here - https://devcentral.f5.com/s/contentdocument/0691T000005nCt6QAE
