Search Authors: Harry Trott, Liz McMillan, Shelly Palmer, Lacey Thoms, Jayaram Krishnaswamy

Related Topics: Security, .NET, Virtualization, Web 2.0, Apache, SDN Journal

Security: Blog Feed Post

iRules – Is There Anything You Can’t Do?

iRules provide customers with unprecedented control to directly manipulate and manage any IP application traffic

Ex·ten·si·ble (in programming): Said of a system (e.g., program, file format, programming language, protocol, etc.) designed to easily allow the addition of new features at a later date. (from Dictionary.com)

Whenever I attend a F5 customer or partner gathering, I always ask of those who use iRules, ‘Do you deploy iRules due to BIG-IP not having a particular feature or because you need to solve a specific issue within your unique architecture?’  Overwhelmingly, the answer is to address something exclusive to the environment.

An iRule is a powerful and flexible feature of BIG-IP devices based on F5′s exclusive TMOS architecture. iRules provide customers with unprecedented control to directly manipulate and manage any IP application traffic and enables administrators to customize how you intercept, inspect, transform, and direct inbound or outbound application traffic.  iRules is an Event Driven scripting language which means that you’ll be writing code based off of specific Events that occur within the context of the connections being passed through the Virtual IP your iRule is applied to.

There are many cool iRule examples on our DevCentral Community site like Routing traffic by URI and even instances where an iRule helped patch an Apache Zero-Day Exploit (Apache Killer) within hours of it being made public and well before the official Apache patch.  An iRule was able to mitigate the vulnerability and BIG-IP customers who have Apache web servers were protected.  Risk of exploit greatly diminished.

Recently our own Joe Pruitt, Sr. Strategic Architect with the DevCentral team, wrote a cool iRule (and Tech Tip) to Automate Web Analytics.  Analysis on the usage patterns of site visitors is critical for many organizations.  It helps them determine how their website is being utilized and what adjustments are needed to make the experience as best as possible…among many other things.  Joe’s article discusses how to use an iRule to inject analytics code into HTML responses to enable the automation of analytics into your website software.  Adding a certain piece of JavaScript code into each web page that you would like monitored is one option but what happens if the release criteria for application code requires testing and adding content to pages in production is not allowed or multiple products from multiple application groups reside on a given server or even when 3rd party code is present where you don’t have access to all the source that controls page generation.

If you have BIG-IP fronting your web application servers, then you can add Joe’s iRule to inject client side JavaScript into the application stream without the application knowing about it.  Joe uses Google Analytics as an example, but, according to Joe, it is fairly easy to replace the content of the "analytics" variable with the replacement code for any other service you might be using.  Very cool indeed.

So while iRules might not be able to make your coffee in the morning – unless of course it is a slew of IP enabled coffee machines – they can help organizations create extremely agile, flexible and secure environments.  Like Oreos and Reese’s, there have been a bunch of imitators but nothing is as good as the original.




Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1] o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Read the original blog entry...

More Stories By Peter Silva

Peter Silva covers security for F5’s Technical Marketing Team. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Bringing the slightly theatrical and fairly technical together, he covers training, writing, speaking, along with overall product evangelism for F5’s security line. He's also produced over 200 F5 videos and recorded over 50 audio whitepapers. Prior to joining F5, he was the Business Development Manager with Pacific Wireless Communications. He’s also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others. He earned his B.S. from Marquette University, and is a certified instructor in the Wisconsin System of Vocational, Technical & Adult Education.