• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Nine Ways to Use Network-Side Scripting
 

Nine Ways to Use Network-Side Scripting

on

  • 4,547 views

Nine examples of how to use network-side scripting for better performance, security, and scalability of applications.

Nine examples of how to use network-side scripting for better performance, security, and scalability of applications.

Statistics

Views

Total Views
4,547
Views on SlideShare
4,406
Embed Views
141

Actions

Likes
2
Downloads
0
Comments
0

3 Embeds 141

http://devcentral.f5.com 128
http://www.slideshare.net 12
http://www.slideee.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Nine Ways to Use Network-Side Scripting Nine Ways to Use Network-Side Scripting Presentation Transcript

    • Nine ways to use network-side scripting to architect more scalable, secure, and fast applications Presented by: F5 Networks
    • Network-side scripting executes discrete application functions on the application delivery platform. Network Administrator Application Developer Application delivery platform Application
    • Cookie Encryption 1 2 3 4 1 2 3 4 Web request received by BIG-IP application delivery platform. Encrypted cookie is decrypted and reinserted into the HTTP header Request sent to appropriate web application server where processing occurs normally Response is sent from web application server back to BIG-IP application delivery platform BIG-IP application delivery platform receives response, encrypts appropriate cookie and reinserts into the HTTP header and returns to the browser
    • Cookie Encryption when RULE_INIT { # Generate Unique Key set ::key [AES::key] } when HTTP_RESPONSE { set decrypted [HTTP::cookie "MyCookie"] if { "" ne $decrypted } { # remove the original cookie, encrypt it, and then insert the encrypted value HTTP::cookie remove "MyCookie" set encrypted [b64encode [AES::encrypt $::key $decrypted]] HTTP::cookie insert name "MyCookie" value $encrypted } } when HTTP_REQUEST { set encrypted [HTTP::cookie "MyCookie"] if { "" ne $encrypted } { # remove encrypted cookie, decrypt it, and insert the decrypted value. HTTP::cookie remove "MyCookie" set decrypted [AES::decrypt $::key [b64decode $encrypted]] HTTP::cookie insert name "MyCookie" value $decrypted } }
    • Session Persistence 1 2 3 4 1 2 3 4 A first web request received by BIG-IP application delivery platform. BIG-IP chooses a server a forwards the request When the request returns BIG-IP notes the specified session id (JSESSIONID, PHPSESSIONID, etc..) in its session table along with the server and returns the request to the browser A second request is received. The BIG-IP application delivery platform extracts the session id cookie and determines to which server the request should be sent based on its session table Request is sent to the same server, preserving session state in the web application
    • Session Persistence
      • when HTTP_REQUEST {
      • if { [HTTP::cookie exists "JSESSIONID"] } {
      • persist uie [HTTP::cookie "JSESSIONID"]
      • } else {
      • set jsess [findstr [HTTP::uri] "jsessionid" 11 ";"]
      • if { $jsess != "" } {
      • persist uie $jsess
      • }
      • }
      • }
    • URI Rewrite 1 2 1 2 Web request received by BIG-IP application delivery platform. An iRule recognizes the URI and executes code to change the URI Request sent to appropriate web application server where processing occurs normally
    • URI Rewrite
      • when HTTP_REQUEST {
      • if {[HTTP::uri] == "/"}{
      • HTTP::uri "/New/URI"
      • log local0. "URI matched from - IP: [IP::client_addr]"
      • }
      • }
    • Application Switching 1 2 3 4 1 2 3 4 Web request received by BIG-IP application delivery platform. BIG-IP examines the request and determines to which server it should be sent. Request sent to appropriate web application server where processing occurs normally Another request is received by BIG-IP application delivery platform. BIG-IP examines the request and determines to which server it should be sent Request sent to appropriate web application server where processing occurs normally GET /image.jpg GET /mypage.html
    • Application Switching
      • class mimes {
      • “ jpg pool1”
      • “ asp pool2”
      • }
      • when HTTP_REQUEST {
      • set myType [string range [string last “.” [string tolower [HTTP::uri]]] end]
      • if { [matchclass $::mimes starts_with $myType] } {
      • pool [findclass $myType $::mimes " "]
      • } else {
      • pool defaultPool
      • }
      • }
    • Exception Handling 1 2 3 4 1 2 3 4 Web request received by BIG-IP application delivery platform. BIG-IP examines the request and determines to which server it should be sent. Request sent to appropriate web application server where processing occurs normally BIG-IP recognizes that the response contains an error indicated by a 404 status or a 200 status with content containing an exception (a stack trace, for example) BIG-IP retries the request on another server and when it comes back valid returns it to the browser
    • Exception Handling
      • when CLIENT_ACCEPTED {
      • set retries 0
      • }
      • when HTTP_REQUEST {
      • set request [HTTP::request]
      • log "HTTP request: $request"
      • }
      • when LB_SELECTED {
      • if { $retries >= 1 } {
      • LB::reselect pool http_pool
      • }
      • }
      when HTTP_RESPONSE { if { [HTTP::status] starts_with &quot;4&quot; } { incr retries log &quot;4xx error caught: retry $retries out of [active_members [LB::server pool]]“ if { $retries < [active_members [LB::server pool]] } { HTTP::retry $request } } }
    • Data Scrubbing 1 2 3 4 1 2 3 4 Web request received by BIG-IP application delivery platform. BIG-IP examines the request and determines to which server it should be sent. Request sent to appropriate web application server where processing occurs normally BIG-IP recognizes that the response contains a credit card number. The iRule “scrubs” the number by replacing all digits in the credit card number with an X BIG-IP returns the response with the “clean” data to the browser
    • Data Scrubbing
      • when HTTP_REQUEST {
      • # Don't allow data to be chunked
      • if { [HTTP::version] eq &quot;1.1&quot; } {
      • if { [HTTP::header is_keepalive] } {
      • HTTP::header replace &quot;Connection&quot; &quot;Keep-Alive&quot;
      • }
      • HTTP::version &quot;1.0&quot;
      • }
      • }
      • when HTTP_RESPONSE {
      • # Only check responses that are a text content type
      • # (text/html, text/xml, text/plain, etc).
      • if { [HTTP::header &quot;Content-Type&quot;] starts_with &quot;text/&quot; } {
      • # Get the content length so we can request the data to be
      • # processed in the HTTP_RESPONSE_DATA event.
      • if { [HTTP::header exists &quot;Content-Length&quot;] } {
      • set content_length [HTTP::header &quot;Content-Length&quot;]
      • } else {
      • set content_length 1000000000
      • }
      • if { $content_length > 0 } {
      • HTTP::collect $content_length
      • }
      • }
      • }
    • when HTTP_RESPONSE_DATA { # Find ALL the possible credit card numbers in one pass set card_indices [regexp -all -inline -indices {(?:3[4|7]d{2})(?:[ ,-]?(?:d{5}(?:d{1})?)){2}|(?:4d{3})(?:[ ,-]?(?:d{4})){3}|(?:5[1-5]d{2})(?:[ ,-]?(?:d{4})){3}|(?:6011)(?:[ ,-]?(?:d{4})){3}} [HTTP::payload]] foreach card_idx $card_indices { set card_start [lindex $card_idx 0] set card_end [lindex $card_idx 1] set card_len [expr {$card_end - $card_start + 1}] set card_number [string range [HTTP::payload] $card_start $card_end] # Remove dash or space if they exist and count the occurences in variable cutouts. set cutouts [regsub -all {[- ]} $card_number &quot;&quot; card_number] # Adjsut card_len variable but keep it for later use. set new_card_len [expr {$card_len - $cutouts}] set double [expr {$new_card_len & 1}] set chksum 0 set isCard invalid # Calculate MOD10 for { set i 0 } { $i < $new_card_len } { incr i } { set c [string index $card_number $i] if {($i & 1) == $double} { if {[incr c $c] >= 10} {incr c -9} } incr chksum $c } # Determine Card Type switch [string index $card_number 0] { 3 { set type AmericanExpress } 4 { set type Visa } 5 { set type MasterCard } 6 { set type Discover } default { set type Unknown } } # If valid card number, then mask out numbers with X's if { ($chksum % 10) == 0 } { set isCard valid HTTP::payload replace $card_start $card_len [string repeat &quot;X&quot; $card_len] } # Log Results log local0. &quot;Found $isCard $type CC# $card_number&quot; } }
    • Intelligent Compression 1 2 3 1 2 3 A first web request received by BIG-IP application delivery platform. BIG-IP checks the client’s bandwidth and chooses a server a forwards the request The request is handled normally by the web application server/web server and returned to BIG-IP BIG-IP takes into consideration the bandwidth available and the type of content and determines whether it will be a performance plus or negative to apply compression, then acts on that decision and returns the response to the client
    • Intelligent Compression
      • when HTTP_REQUEST {
      • set nocompress 0
      • log local0. &quot;comp enabled default &quot;
      • if {[matchclass [string tolower [HTTP::uri]] ends_with $::ok_extension] or [matchclass [string tolower [HTTP::uri]] contains $::compress_dir ] and not [matchclass [IP::remote_addr] equals $::no_compress_ip ] } {
      • set nocompress 0
      • log local0. &quot;setted 0 for ok_extension or compress_dir or ip [IP::remote_addr]&quot;
      • } elseif {[matchclass [string tolower [HTTP::uri]] ends_with $::no_extension] or [matchclass [string tolower [HTTP::uri]] contains $::no_compress_dir ] or [matchclass [IP::remote_addr] equals $::no_compress_ip ] } {
      • set nocompress 1
      • log local0. &quot;setted 1 for no_extension or no_compress_dir or your ip [IP::remote_addr]&quot;
      • }
      • }
      when HTTP::REQUEST { if {[TCP::bandwidth] < XXX} { pool slowHTTP } }
    • LDAP Connection Proxy 1 2 3 4 1 2 3 4 Request received by BIG-IP application delivery platform. BIG-IP examines the request by looking at the TCP payload and finds the string that represents the unbind command. BIG-IP releases the client binding to the LDAP server BIG-IP keeps the TCP connection to the LDAP server open for reuse The original unbind command is discarded and LDAP server’s overhead reduced
    • LDAP Connection Proxy when CLIENT_ACCEPTED { TCP::collect } when CLIENT_DATA { binary scan [TCP::payload] xc ber_len if { $ber_len < 0 } { set ber_index [expr 2 + 128 + $ber_len] } else { set ber_index 2 } # message id binary scan [TCP::payload] @${ber_index}xcI ber_len ber_len_ext if { $ber_len < 0 } { set ext_len [expr 128 + $ber_len] set ber_len [expr (($ber_len_ext>>(4-$ext_len)*8)+(0x100^$ext_len))%(0x100^$ext_len)] } else { set ext_len 0 } incr ber_index [expr 2 + $ext_len + $ber_len] # ldap message binary scan [TCP::payload] @${ber_index}c ber_type if { [expr $ber_type & 0x1f] == 2 } { log local0. &quot;unbind => detach&quot; TCP::payload replace 0 [TCP::payload length] &quot;&quot; LB::detach } TCP::release TCP::collect }
    • Homerize your errors 1 2 3 4 1 2 3 4 Web request received by BIG-IP application delivery platform. BIG-IP examines the request and determines to which server it should be sent. Request sent to appropriate web application server where processing occurs normally BIG-IP recognizes that the response is a 404 not found. The iRule responds by rewriting the content and p lacing an embedded wav file of homer saying “Doh!” in the response. BIG-IP returns the response with the “clean” data to the browser
    • Homerize Your Errors when HTTP_REQUEST { # Check for sensitive documents. set check_content 1 # Don't allow data to be chunked. if {[HTTP::version] == &quot;1.1&quot;} { if {[HTTP::header is_keepalive]} { # Adjust the Connection header. HTTP::header replace &quot;Connection&quot; &quot;Keep-Alive&quot; } HTTP::version &quot;1.0&quot; } } when HTTP_RESPONSE { #check to see if it is a 404 if { [HTTP::status] == &quot;404&quot; } { if {$check_content == 1} { set replace_now 1 # Calculate the amount to collect set content_length 0 if {[HTTP::header exists &quot;Content-Length&quot;]} { set content_length [HTTP::header &quot;Content-Length&quot;] } # If the header is missing, use a sufficiently large number if {$content_length == 0} { set content_length 4294967295 } HTTP::collect $content_length } } } when HTTP_RESPONSE_DATA { set payload [HTTP::payload [HTTP::payload length]] set fun_payload &quot;<html> <body> <EMBED src =&quot;http://www.fortunecity.com/lavendar/poitier/135/nevertry.wav&quot; width=&quot;144&quot; height=&quot;60&quot; autostart=&quot;true&quot; loop=&quot;true&quot; hidden=&quot;true&quot;> 404 error Page not found</body> </html>&quot; #check to see if it should replace the content due to a 404 if {$replace_now == 1} { # Replace the content if there was any matches HTTP::payload replace 0 [HTTP::payload length] $fun_payload } }
      • Community driven support
      • Code sharing
      • Forums
      • Ideas from real developers and architects from organizations around the world
      • Blogs
      • Documentation
      For more ideas and Information on F5’s network-side scripting capabilities and technology, visit DevCentral (http://devcentral.f5.com)
    • THANK YOU!