aFleX Examples

aFleX can address a large number of needs. Here are some examples:
  • Availability
  • Security
  • Flexibility
But keep in mind aFleX can be used to address many other needs too.




Availability

Provide a sorry page when all servers are down or the application is down

The following aFleX script replies with a sorry page when all the servers in the service group “Server_HTTP” are down.

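when HTTP_REQUEST {
     # Reply locally when no server in the service group is available
     if {[LB::status pool Server_HTTP] == "down"} {
          HTTP::respond 200 content {<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
               <html>
               <head>
               <title>My company app</title>
               <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
               </head>
               <body>
               Welcome to our web application. The service is momentarily unavailable and will be back online promptly.
               </body>
               </html>}
     }
}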


Redirect end-users to the backup data center if all the servers are down or the application is dead

The following aFleX script redirects end-users to the backup data center (backup.example.com) when all the servers in the service group “Server_HTTP” are down.

when HTTP_REQUEST {
     if {[LB::status pool Server_HTTP] == "down"} {
          HTTP::redirect "http://backup.example.com/"
     }
}


Security

Authorize only internal users to access web directory “/private”

Three different aFleX scripts are provided as examples that address this need.

Note: In this example, we assume internal users are in the subnet 192.168.18.0/24.

The first example aFleX script drops all requests from external users accessing the “private” section of the web site.

when HTTP_REQUEST {
     if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
          drop
     }
}


Instead of dropping all requests from external users accessing the “private” section of the web site, the following aFleX script example redirects them to a page that explains why they cannot access that section of the web site.

Note: The not_authorized.html page is hosted on web server www.example.com.

when HTTP_REQUEST {
     if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
          HTTP::redirect "http://www.example.com/not_authorized.html"
     }
}


The following aFleX script example replies directly with a page that explains that external users cannot access that section of the web site.

Note: For this solution, no page needs to be hosted on the web server.


when HTTP_REQUEST {
     if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
          HTTP::respond 200 content {<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
               <html>
               <head>
               <title>My company</title>
               <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
               </head>
               <body>
               This web section is accessible only from our corporate offices.
               </body>
               </html>}
     }
}
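
All three scripts above compare the raw request URI with a case-sensitive prefix match, so the outcome depends on how the web server behind the VIP normalizes paths. The following is an added example, not part of the original page, that applies the same subnet rule to a normalized path and answers with a 403. It assumes the URI::decode and HTTP::path commands are available in your aFleX release.

```tcl
when HTTP_REQUEST {
    # Internal subnet taken from the note above; only external clients are checked.
    if { not [IP::addr [IP::client_addr] equals 192.168.18.0/24] } {

        # Normalize before matching: decode percent-escapes once
        # (URI::decode is assumed to be available), fold case, and
        # collapse repeated slashes. HTTP::path excludes the query string.
        set path [string tolower [URI::decode [HTTP::path]]]
        regsub -all {/+} $path "/" path

        # A path that still carries an escape, a backslash or a dot
        # segment after one decoding pass is ambiguous. Refuse it for
        # external clients rather than guess how the web server will
        # resolve it. This is deliberately strict and also refuses
        # file names that contain a literal percent sign.
        if { [regexp {%|\\|/\.\.?(/|$)} $path] } {
            HTTP::respond 400 content "Bad request"
        } elseif { $path starts_with "/private" } {
            HTTP::respond 403 content "This web section is accessible only from our corporate offices."
        }
    }
}
```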


Flexibility

Transparently convert an HTTP web application to HTTPS

The end-users access a VIP on HTTPS and the web servers are running on HTTP. This can be done simply with a VIP listening on HTTPS and servers on HTTP. But two points need attention:

  • If web servers send redirects to other pages (http://www.example.com/*), these have to be rewritten with HTTPS (https://www.example.com/*).
    Note: The web server redirects could be rewritten using the Redirect Rewrite option in an HTTP template (Config Mode > Service > Template > Application > HTTP) instead of using an aFleX script.
  • If web servers use absolute links (http://www.example.com/dir1/link.html) rather than relative links (/dir1/link.html), the absolute links need to be rewritten (https://www.example.com/dir1/link.html).

The following aFleX script rewrites web server redirects and absolute links.

when HTTP_REQUEST {
     # Force servers to not reply with compression (compression can be enabled on the AX)
     HTTP::header remove Accept-Encoding
}

when HTTP_RESPONSE {
     # Test if the servers are sending a redirect and if so rewrite the redirect with https
     if {[HTTP::header exists "Location"]} {
          if {[HTTP::header "Location"] starts_with "http://www.example.com"} {
               HTTP::header replace Location [string map {"http://www.example.com" "https://www.example.com"} [HTTP::header Location]]
          }
     }

     # Collect the HTTP response if the response type is text based, to rewrite absolute links
     if {[HTTP::header "Content-Type"] starts_with "text"} {
          HTTP::collect
     }
}

when HTTP_RESPONSE_DATA {
     # Rewrite absolute links from http://www.example.com/* to https://www.example.com/*
     set payload_length [HTTP::payload length]
     HTTP::payload replace 0 $payload_length [string map {"http://www.example.com" "https://www.example.com"} [HTTP::payload]]
     HTTP::release
}


Note: In addition to the VIP on HTTPS, you may want to configure the VIP on HTTP too. That HTTP VIP will always redirect users to HTTPS, to the same page they asked for over HTTP. That can be useful, for instance, for end-users with old browser bookmarks pointing to HTTP. The following aFleX script redirects the end-users to HTTPS, to the same page they requested.

when HTTP_REQUEST {
     HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}


Transparently add a new hostname to an existing web site
The web servers are configured to reply to a specific hostname (for instance, "intranet.example.com"). You want to also reply to a new hostname (for instance, "extranet.example.com").

This could be achieved by directly changing the web server configuration, but that approach can be complex and troublesome. The following aFleX script transparently performs the rewrites:

  • All end-user requests to “extranet.example.com” are rewritten to “intranet.example.com”.
  • Web server redirects are rewritten from “http://intranet.example.com/*” to “http://extranet.example.com/*”.
  • The web servers’ absolute links are translated from “http://intranet.example.com/*” to “http://extranet.example.com/*”.

when HTTP_RESPONSE_DATA {
     # Translate the internal hostname to the new hostname in the response body
     set payload_length [HTTP::payload length]
     HTTP::payload replace 0 $payload_length [string map {"intranet.example.com" "extranet.example.com"} [HTTP::payload]]
     HTTP::release
}
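
The script above covers only the payload rewrite, and HTTP_RESPONSE_DATA fires only after the response has been collected. The following added example (not part of the original page) shows all three rewrites from the list together, modeled on the HTTPS conversion script earlier on this page and limited to requests that arrive for the new hostname. The variable name "rewrite" is an assumption of this example.

```tcl
when HTTP_REQUEST {
    # Only touch requests for the new name. Compare case-insensitively and
    # ignore an optional :port suffix in the client-supplied Host header.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    set rewrite 0
    if { $host equals "extranet.example.com" } {
        set rewrite 1
        # Present the hostname the web servers are configured for.
        HTTP::header replace Host "intranet.example.com"
        # Ask for an uncompressed reply so the payload can be rewritten.
        HTTP::header remove Accept-Encoding
    }
}

when HTTP_RESPONSE {
    if { $rewrite } {
        # Rewrite redirects that point at the internal name.
        if { [HTTP::header exists "Location"] } {
            HTTP::header replace Location [string map {"intranet.example.com" "extranet.example.com"} [HTTP::header "Location"]]
        }
        # Collect text responses so absolute links can be rewritten.
        if { [HTTP::header "Content-Type"] starts_with "text" } {
            HTTP::collect
        }
    }
}

when HTTP_RESPONSE_DATA {
    # Reached only for responses collected above.
    set payload_length [HTTP::payload length]
    HTTP::payload replace 0 $payload_length [string map {"intranet.example.com" "extranet.example.com"} [HTTP::payload]]
    HTTP::release
}
```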

Microsoft Terminal Services stickiness

Microsoft Terminal Services (TS) use a specific persistence technique, a routing token. The following aFleX script looks at the TS routing token to select a server.

Note: See the deployment guide for more information: https://www.a10networks.com/support/axseries/appnotes


when CLIENT_DATA {
     # Find and save the routing token in the variable "msts"
     set payload [TCP::payload]
     set index [expr [string first "msts=" $payload] + [string length "msts="]]
     set msts [string range $payload $index end]

     # Find and save the raw IP address in the variable "rawip"
     set index2 [string first "." $msts]
     set rawip [string range $msts 0 [expr $index2 - 1]]

     # Find and save the raw TCP port in the variable "rawport"
     set msts2 [string range $msts [expr $index2 + 1] end]
     set index3 [string first "." $msts2]
     set rawport [string range $msts2 0 [expr $index3 - 1]]

     # Convert and save the real TCP port in the variable "port"
     set port [ntohs [format "%d" $rawport]]

     # Convert and save the real IP address in the variable "ipaddr"
     # ("binary scan c" yields signed bytes, so mask each octet to 0-255)
     set bin [binary format i $rawip]
     binary scan $bin cccc a b c d
     set ipaddr "[expr {$a & 0xff}].[expr {$b & 0xff}].[expr {$c & 0xff}].[expr {$d & 0xff}]"
     node $ipaddr $port

     # Print the node
     # log "node= $ipaddr $port"
}
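
The routing token is sent by the client, and the script above passes the decoded address and port straight to the node command. The following added example (not part of the original page) decodes the token with explicit byte arithmetic and uses the result only if it matches a known terminal server, otherwise falling back to normal load balancing. The member list and the service group name "Server_TS" are assumptions of this example.

```tcl
when CLIENT_DATA {
    # Constructed allowlist: the real terminal servers as "ip:port".
    set ts_members {192.168.18.10:3389 192.168.18.11:3389}
    set target ""

    # Token layout: msts=<ip>.<port>.<reserved>, decimal digits only.
    # Leading zeros are refused so expr never reads a field as octal.
    if { [regexp {msts=([1-9][0-9]{0,9})\.([1-9][0-9]{0,4})\.} [TCP::payload] -> rawip rawport] } {
        # The token stores both values with their bytes reversed: the
        # lowest byte of rawip is the first octet of the address, and
        # the two bytes of rawport are swapped.
        set o1 [expr {$rawip & 0xff}]
        set o2 [expr {($rawip >> 8) & 0xff}]
        set o3 [expr {($rawip >> 16) & 0xff}]
        set o4 [expr {($rawip >> 24) & 0xff}]
        set ipaddr "$o1.$o2.$o3.$o4"
        set port [expr {(($rawport & 0xff) << 8) | (($rawport >> 8) & 0xff)}]
        set target "$ipaddr:$port"
    }

    # Treat the decoded value as a lookup key, never as a destination
    # in its own right: connect only to a listed terminal server.
    if { $target ne "" && [lsearch -exact $ts_members $target] >= 0 } {
        node $ipaddr $port
    } else {
        if { $target ne "" } {
            # target is built from digits and dots only, so it is safe to log.
            log "msts token rejected: $target"
        }
        # Hypothetical service group holding the terminal servers.
        pool Server_TS
    }
}
```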