Introducing Application Delivery Networking

Seattle DevCentral User Group
iRules Optimization Techniques
Joe Pruitt – Senior Strategic Architect
Agenda
iRules Overview
Optimization Techniques
Troubleshooting Tips
Open Q&A
What are iRules?
Programming language integrated into TMOS
Traffic Management Operating System
Based on industry standard TCL language
Tool Command Language
Provide ability to intercept, inspect, transform,
direct and track inbound or outbound application
traffic
Core of the F5 “secret sauce” and key
differentiator
What makes iRules so unique?
Full-fledged scripts, executed against traffic on
the network, at wire-speed
Powerful logical operations combined with deep
packet inspection
The ability to route, re-route, re-direct, retry, or
block traffic
Community support, tools and innovation
How do iRules Work?
• iRules allow you to perform deep packet inspection (entire header and payload)
• Coded around Events
(HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.)
• Full scripting language allows for extremely granular control of inspection,
alteration and delivery on a packet by packet basis
[Diagram: Requests -> iRule triggered -> HTTP events fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) -> Modified Responses*]
*Note: BIG-IP’s bi-directional proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffic flow, regardless of direction.
What can an iRule do?
Read, transform, replace header or payload information
(HTTP, TCP, SIP, etc.)
Work with any protocol, such as SIP, RTSP, XML, others,
whether with native (HTTP::cookie) or generic (TCP::payload)
commands
Authentication assistance, offload, inspection and more for
LDAP, RADIUS, etc.
Caching, compression, profile selection, rate shaping and
much, much more
Key elements of an iRule
Event declarations – Define when code will be executed
Operators – Define under what conditions you will perform an action
iRule commands – Define the action to perform
iRule elements - Events
Events are anything that may trigger the processing of the rule in the first place
Examples:
– HTTP_REQUEST
– HTTP_RESPONSE
– CLIENT_ACCEPTED
– LB_FAILED

when HTTP_REQUEST {
    pool http_pool1
}

Additional events found at http://devcentral.f5.com/wiki/default.aspx/iRules/Events.html
iRule elements - Operators
There are two types of operators, Relational and Logical. Operators compare the operands in an expression.
Relational operators – contains, matches, equals, starts_with, ends_with, matches_regex, switch
Logical operators – if, and, not, or

when HTTP_REQUEST {
    if { [HTTP::host] ends_with "bob.com" } {
        pool http_pool1
    }
}

when HTTP_REQUEST {
    if { ([HTTP::host] ends_with "bob.com") or ([HTTP::uri] contains "/portal/") } {
        pool http_pool1
    }
}
iRule elements – iRule commands
As implied, the action that is to be carried out upon an operator match
Does the rule look for data, manipulate data, send to a location?
Statement commands – can cause actions such as destination
selection or SNAT assignment
Query commands – search for header or content data, such as
IP::remote_addr
Data manipulation – as stated, manipulate the data content, such as
insert or remove headers
Utility commands – useful for parsing data and manipulating
content, such as decode_uri <string>
Many additional commands available http://devcentral.f5.com/wiki/default.aspx/iRules/Commands.html
iRule Event Taxonomy
AUTH: AUTH_ERROR, AUTH_FAILURE, AUTH_RESULT, AUTH_SUCCESS, AUTH_WANTCREDENTIAL
CACHE: CACHE_REQUEST, CACHE_RESPONSE
CLIENTSSL: CLIENTSSL_CLIENTCERT, CLIENTSSL_HANDSHAKE
DNS: DNS_REQUEST, DNS_RESPONSE, NAME_RESOLVED
GLOBAL: LB_FAILED, LB_SELECTED, RULE_INIT
HTTP: HTTP_CLASS_FAILED, HTTP_CLASS_SELECTED, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA
IP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
LINE: CLIENT_LINE, SERVER_LINE
RTSP: RTSP_REQUEST, RTSP_REQUEST_DATA, RTSP_RESPONSE, RTSP_RESPONSE_DATA
SERVERSSL: SERVERSSL_HANDSHAKE
SIP: SIP_REQUEST, SIP_REQUEST_SEND, SIP_RESPONSE
STREAM: STREAM_MATCHED
TCP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA, USER_REQUEST, USER_RESPONSE
UDP: CLIENT_ACCEPTED, CLIENT_CLOSED, CLIENT_DATA, SERVER_CLOSED, SERVER_CONNECTED, SERVER_DATA
XML: XML_BEGIN_DOCUMENT, XML_BEGIN_ELEMENT, XML_CDATA, XML_END_DOCUMENT, XML_END_ELEMENT, XML_EVENT
Prize Giveaway #1
What does TCL stand for?
iRules Optimization Techniques
Optimization Tip #1 – Don’t use an iRule
If you aren’t doing custom conditional testing, let the profiles
do the work.
• HTTP header insert
• HTTP header erase
• HTTP fallback
• HTTP compress uri <exclude|include>
• HTTP compress gzip level
• HTTP redirect rewrite
• HTTP insert xforwarded for
• HTTP ramcache uri <exclude|include|pinned>
• Stream Profile for content replacement
• Class profile for URI matching.
Optimization Tip #2 - Planning
Plan your iRule before attempting to code
– Determine what protocols involved
– Decide what commands you'll need
– Choose how to achieve the desired effect in the least
steps
– Confirm what needs to be logged
– Determine where/how you will test
Optimization Tip #3 – Tools and Preparation
Have a test System available
Install and get familiar with a packet capture tool
Find your favorite TCL resource(s)
Browse DevCentral
Use a code editing tool
F5 iRule Editor
First network rule editor optimizes development
Includes:
– Syntax checking
– Auto-complete
– Template support
– Doc Links
– Deployment integration
– Statistics monitoring
– Data group editing
– Optional post to CodeShare feature
Available: Now
Tutorials: on DevCentral
Optimization Tip #4 – Control Your Control Statements
Think "switch", then "class", then "if/elseif"

when HTTP_REQUEST {
    switch -glob [HTTP::uri] {
        "/img*" -
        "/image*" -
        "/pics*" { pool imagePool }
    }
}

class image_dirs {
    "/img"
    "/image"
    "/pics"
}
…
when HTTP_REQUEST {
    if { [matchclass [HTTP::uri] starts_with $::image_dirs] } {
        pool imagePool
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/img" } {
        pool imagePool
    } elseif { [HTTP::uri] starts_with "/image" } {
        pool imagePool
    } elseif { [HTTP::uri] starts_with "/pics" } {
        pool imagePool
    }
}
Optimization Tip #5 – Regex is EVIL
Regexes are cool, but they are CPU hogs and should be considered pure evil. Most often there are better alternatives.

when HTTP_REQUEST {
    if { [regexp {^/myPortal} [HTTP::uri]] } {
        regsub {/myPortal} [HTTP::uri] "/UserPortal" newUri
        HTTP::uri $newUri
        pool http_pool1
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/myPortal" } {
        set newUri [string map {myPortal UserPortal} [HTTP::uri]]
        HTTP::uri $newUri
        pool http_pool1
    }
}

But sometimes they are a necessary evil…

when HTTP_RESPONSE_DATA {
    # Find ALL the possible credit card numbers in one pass
    set card_indices [regexp -all -inline -indices {(?:30[05]\d{11})|(?:3[68]\d{12})|(?:3[47]\d{13})|(?:4\d{12})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]]
}
Optimization Tip #6 – Don’t Use Variables
Don’t use variables unless you HAVE to. They may make
it easier to read, but they do chew up memory and CPU.
when HTTP_REQUEST {
    set host [HTTP::host]
    set uri [HTTP::uri]
    if { [HTTP::host] contains "bob.com" } {
        log "Host = $host"
        log "URI = $uri"
        pool http_pool1
    }
}

when HTTP_REQUEST {
    if { [HTTP::host] contains "bob.com" } {
        log "Host = [HTTP::host] ; URI = [HTTP::uri]"
        pool http_pool1
    }
}
Optimization Tip #7 – Use Variables
Use variables to reduce repetitive costly evaluations, but
don’t make the names too long…
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/img" } {
        pool imagePool
    } elseif { ([string tolower [HTTP::uri]] ends_with ".gif") ||
               ([string tolower [HTTP::uri]] ends_with ".jpg") ||
               ([string tolower [HTTP::uri]] ends_with ".png") } {
        pool imagePool
    }
}

when HTTP_REQUEST {
    set theUriThatIAmMatchingInThisiRule [string tolower [HTTP::uri]]
    if { $theUriThatIAmMatchingInThisiRule starts_with "/img" } {
        pool imagePool
    } elseif { ($theUriThatIAmMatchingInThisiRule ends_with ".gif") ||
               ($theUriThatIAmMatchingInThisiRule ends_with ".jpg") ||
               ($theUriThatIAmMatchingInThisiRule ends_with ".png") } {
        pool imagePool
    }
}

when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/img" } {
        pool imagePool
    } elseif { ($uri ends_with ".gif") ||
               ($uri ends_with ".jpg") ||
               ($uri ends_with ".png") } {
        pool imagePool
    }
}
Optimization Tip #8 – Return Early
Use "return" to exit early to save as many CPU cycles as
possible.
when HTTP_REQUEST {
    if { [HTTP::uri] contains "/images" } {
        pool imagePool
    }
    if { [HTTP::header exists "SomeHeader"] } {
        log local0. "SomeHeader found"
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] contains "/images" } {
        pool imagePool
        return
    }
    if { [HTTP::header exists "SomeHeader"] } {
        log local0. "SomeHeader found"
    }
}
Optimization Tip #9 – Operators and Data Types
• Polymorphism is a blessing and a killer.
• Use the right operator for the right type
• Use eq, ne on strings
• Use ==, != on numbers
# Counter compared as a number with ==: correct
set x 0
foreach dir [split [HTTP::uri] "/"] {
    incr x
    if { $x == 4 } {
        ...
    }
}

# Counter compared as a string with eq: avoid, this is a numeric comparison
set x 0
foreach dir [split [HTTP::uri] "/"] {
    incr x
    if { $x eq 4 } {
        ...
    }
}

Use [IP::addr] to compare addresses
if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } { … }

Things are not always as they seem
set x 5
if { $x == 5 } { }  ;# this evaluates as true
if { $x eq 5 } { }  ;# this evaluates as true
if { $x == 05 } { } ;# this evaluates as true
if { $x eq 05 } { } ;# this evaluates as false
Optimization Tip #9 – Operators and Data Types
Group expressions with curly braces to avoid unnecessary conversions (especially with "expr").
when CLIENT_ACCEPTED {
set newOct [expr 3 + [getfield [IP::client_addr] "." 4] ]
set total [expr 128 + $newOct]
...
}
when CLIENT_ACCEPTED {
set newOct [expr {3 + [getfield [IP::client_addr] "." 4]}]
set total [expr {128 + $newOct}]
...
}
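Bracing the expr argument is not only a performance point. An added example (not from the slides) that runs in plain tclsh: the fourth octet of [IP::client_addr] is replaced here by a constructed string, and the tripwire variable shows that the unbraced form re-parses and executes whatever the operand contains, while the braced form treats it as a plain operand and errors out. A formatted client address will not carry brackets, but the same pattern applied to header or URI data would.

```tcl
# Added example, not part of the original deck. "octet" stands in for the value
# the slide gets from [getfield [IP::client_addr] "." 4].

proc tripwire_demo {octet} {
    # A variable that only changes if the embedded command is ever evaluated.
    set ::tripwire 0

    # Unbraced: Tcl substitutes $octet into the expression text first, then expr
    # parses that text and performs a second round of substitution, so any
    # [command] inside the value is executed.
    set unbraced_error [catch {expr 3 + $octet} unbraced]
    set unbraced_fired $::tripwire

    set ::tripwire 0
    # Braced: expr receives the literal text {3 + $octet}; the value of $octet is
    # used as an operand and must already be a number. Anything else is an error,
    # and nothing inside the value is run.
    set braced_error [catch {expr {3 + $octet}} braced]
    set braced_fired $::tripwire

    # Returns: unbraced_error unbraced_fired braced_error braced_fired
    return [list $unbraced_error $unbraced_fired $braced_error $braced_fired]
}

# Constructed value standing in for a hostile fourth "octet".
set hostile {[set ::tripwire 1]}
puts "hostile input: [tripwire_demo $hostile]"
puts "normal input : [tripwire_demo 42]"

# Defensive version of the slide's calculation: validate the operand, then keep
# the whole arithmetic inside braces so it is compiled once and never re-parsed.
proc safe_total {octet} {
    if { ![string is integer -strict $octet] || $octet < 0 || $octet > 255 } {
        error "octet is not in 0..255: $octet"
    }
    return [expr {128 + (3 + $octet)}]
}
puts "safe_total 42: [safe_total 42]"
```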
Optimization Tip #10 – Timing
Use the “timing” command to turn on profiling statistics in
your iRule. Use the GUI, bigpipe, or the iRule Editor to
monitor and test your optimizations.
timing on
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/img" } {
        pool imgPool
    } elseif { [HTTP::uri] starts_with "/doc" } {
        pool docPool
    } elseif { [HTTP::uri] starts_with "/blog" } {
        pool blogPool
    }
}
when HTTP_RESPONSE {
    if { [HTTP::status] == 500 } {
        HTTP::respond 200 content "An error occurred"
    }
}

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/img" } {
        pool imgPool
    } elseif { [HTTP::uri] starts_with "/doc" } {
        pool docPool
    } elseif { [HTTP::uri] starts_with "/blog" } {
        pool blogPool
    }
}
when HTTP_RESPONSE timing on {
    if { [HTTP::status] == 500 } {
        HTTP::respond 200 content "An error occurred"
    }
}
Optimization Tip #11 – Use the community
Prize Giveaway #2
How many *::payload iRule commands are there?
Troubleshooting tips
Verify that the rule is looking for the correct item
to act upon, such as the URI
Ensure you’re using the right events
Check the logs for hints
Try using single-case comparisons
Analyze traffic with a capture tool
Use “timing” to measure efficiency gains
Troubleshooting tips continued
Use log statements to verify the information
– Logging practices that can be helpful:
  • Log variable values before and after each time they are set
  • Log at least once in each event to ensure all events are firing as intended
  • Add a log entry inside each conditional block to see if the conditional returned true or false (don't forget Else clauses)
  • Log the result of each command being executed if possible by re-logging any variable that was affected
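The logging practices above applied to one rule, as an added example that is not from the deck. It uses only the pool names, hostnames and commands already shown on these slides and is iRule code, so it runs on a BIG-IP rather than in tclsh.

```tcl
# Added diagnostic version of a request-routing rule (not from the original deck).
when CLIENT_ACCEPTED {
    # One log line per event confirms the event actually fires for this virtual.
    log local0. "CLIENT_ACCEPTED from [IP::client_addr]"
}

when HTTP_REQUEST {
    log local0. "HTTP_REQUEST host=[HTTP::host] uri=[HTTP::uri]"

    # Log a variable immediately after every assignment.
    set uri [string tolower [HTTP::uri]]
    log local0. "uri after tolower: $uri"

    # Every branch logs, including the else, so a silent branch is never ambiguous.
    if { $uri starts_with "/img" } {
        log local0. "branch: /img matched, selecting imagePool"
        pool imagePool
        return
    } else {
        log local0. "branch: /img NOT matched"
    }

    if { [HTTP::host] ends_with "bob.com" } {
        log local0. "branch: host bob.com matched, selecting http_pool1"
        pool http_pool1
    } else {
        log local0. "branch: host bob.com NOT matched (host=[HTTP::host])"
    }
}

when HTTP_RESPONSE {
    log local0. "HTTP_RESPONSE status=[HTTP::status]"
}
```

Remove or comment out the diagnostic lines once the rule behaves, since each one adds work on every request. Full URIs and header values logged this way land in syslog, so keep such logging off production traffic that carries sensitive data.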
Where can I find out more?
F5 DevCentral:
– Home:
• http://devcentral.f5.com
– Editor:
• http://devcentral.f5.com/Default.aspx?tabid=66
TCL Links:
– Overview:
• http://en.wikipedia.org/wiki/Tcl
– Tutorial:
• http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html
– Reference:
• http://tmml.sourceforge.net/doc/tcl/index.html
Prize Giveaway #3
What two functions
does OneConnect perform?