aFleX Examples

Updated: Nov 9, 2020

aFleX can address a large number of needs. Here are some examples:

  • Availability
  • Security
  • Flexibility
  • Logging

But keep in mind aFleX can be used to address many other needs too.

Availability

Provide a sorry page when all servers are down, or the application is down

The following aFleX script replies with a sorry page when all the servers in the service group “Server_HTTP” are down.

when HTTP_REQUEST {
  if {[LB::status pool Server_HTTP] equals "down" } {
    HTTP::respond 200 content "<html><head><title>Apology
    Page</title></head><body>We are sorry for the inconvenience, but
    the site is temporarily out of service<br>If you feel you have
    reached this page in error, please try again.<p></body></html>"
  }
}

Redirect end-users to the backup data center if all the servers are down or the application is dead

The following aFleX script redirects end-users to the backup data center (backup.example.com) when all the servers in the service group “Server_HTTP” are down.

when HTTP_REQUEST {
  if {[LB::status pool Server_HTTP] == "down" } {
    HTTP::redirect "https://backup.example.com"
  }
}

Security

Authorize only internal users to access web directory “/private”

Three different aFleX scripts are provided as examples to address this need.

Note: In this example, we assume internal users are in the subnet 192.168.18.0/24.

The first example aFleX script drops all requests from external users accessing the “private” section of the website.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    drop
  }
}

Instead of dropping all requests from external users accessing the “private” section of the website, the following aFleX script example redirects them to a page that explains why they cannot access that section of the website.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    HTTP::redirect "https://www.example.com/not_authorized.html"
  }
}

Note: The not_authorized.html page is hosted on web server www.example.com.

The following aFleX script example replies directly with a page that explains that external users cannot access that section of the website.

Note: For this solution, no page needs to be hosted on the web server.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    HTTP::respond 200 content "This web section is accessible only from our corporate offices."
  }
}
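
A hardened variant of the three scripts above, added here as an example and not part of the original post: it lowercases the URI before the prefix test, answers with 403 instead of 200, and logs the refused request. It assumes the standard Tcl `string tolower` command is available in aFleX (the page itself only shows `string map`) and reuses the 192.168.18.0/24 subnet from the note above.

```tcl
# Added example, not from the original post: one rule for the /private policy.
when HTTP_REQUEST {
  # Lowercase the URI so the prefix test is case-insensitive
  # (assumption: Tcl "string tolower" is available in aFleX)
  set uri [string tolower [HTTP::uri]]

  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ($uri starts_with "/private")} {
    # Record the refused request so denied attempts can be reviewed later
    log "Denied [IP::client_addr] access to [HTTP::uri]"

    # 403 lets clients, crawlers and monitoring see that access was refused,
    # whereas a 200 reply looks like a normal page
    HTTP::respond 403 content "This web section is accessible only from our corporate offices."
  }
}
```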

Flexibility

Transparently convert an HTTP web application to HTTPS

This can be done simply with a VIP listening on HTTPS and servers on HTTP, but there are two points to which you should pay attention:

  • In addition to the VIP on HTTPS, you may want to configure the VIP on HTTP too. That HTTP VIP will always redirect users to HTTPS, to the same page they asked for over HTTP. This can be useful, for instance, for end-users with old browser bookmarks pointing to HTTP.
  • If web servers send redirects to other HTTP pages, these have to be rewritten to HTTPS.

The following aFleX script redirects the end-users from HTTP to HTTPS.

Note: The HTTP to HTTPS redirection can also be done using the “redirect-to-https” CLI command (Using GUI: ADC > SLB > Virtual Servers > “VIP” > Virtual Port > Advanced Fields > Redirect to HTTPS).

# redirect HTTP request to https URL
when HTTP_REQUEST {
  HTTP::redirect https://[HTTP::host][HTTP::uri]
}

The following aFleX script rewrites web server redirects.

Note: The web server redirects could be rewritten using the “redirect rewrite” option in an HTTP template (using GUI: ADC > Templates > Layer 7 Protocols > HTTP > Redirect Rewrite) instead of using an aFleX script.

# rewrites relative and absolute redirects to absolute HTTPS redirects
when HTTP_REQUEST {
  set host [HTTP::host]
}

when HTTP_RESPONSE {
  if { [HTTP::is_redirect] } {
    if { [HTTP::header Location] starts_with "/" } {
      HTTP::header replace Location "https://$host[HTTP::header Location]"
    } else {
      HTTP::header replace Location "[string map {"http://" "https://"} [HTTP::header Location]]"
    }
  }
}
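
A narrower variant of the rewrite script, added here as an example and not part of the original post: `string map` replaces every `http://` in the Location value, including one inside a query string, and also changes redirects that point at other sites. This version swaps only the leading scheme and only when the redirect targets the host the client requested; it assumes the Host header carries no port and that Tcl `regexp`, `string tolower` and `string range` are available in aFleX.

```tcl
# Added example, not from the original post: rewrite only same-site redirects.
when HTTP_REQUEST {
  # Host the client asked for, lowercased for comparison
  # (assumption: the Host header carries no ":port" suffix)
  set host [string tolower [HTTP::host]]
}

when HTTP_RESPONSE {
  if { [HTTP::is_redirect] } {
    set loc [HTTP::header Location]

    if { $loc starts_with "/" } {
      # Relative redirect: make it absolute on HTTPS
      HTTP::header replace Location "https://$host$loc"
    } elseif { [regexp -nocase {^http://([^/:?#]+)} $loc match lochost] } {
      # Absolute HTTP redirect: lochost is the host part of the Location URL
      if { [string tolower $lochost] equals $host } {
        # Same site: replace only the leading "http://" (7 characters),
        # leaving any "http://" later in the path or query untouched.
        # An explicit port in the Location value is kept as the server sent it.
        HTTP::header replace Location "https://[string range $loc 7 end]"
      }
    }
    # Redirects to other hosts, or already on https://, pass through unchanged
  }
}
```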

Logging

Log cipher name, bits, version and SNI field used in the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake.

The following aFleX script logs SSL/TLS cipher information and SNI field during SSL/TLS handshake:

when CLIENTSSL_HANDSHAKE {
  log "SSL cipher_name is [SSL::cipher name]"
  log "SSL cipher_bit is [SSL::cipher bits]"
  log "SSL cipher_version is [SSL::cipher version]"
  log "SSL SNI is [SSL::hostname]"
}

Note: Syntax and commands reflect the version current at the time this blog was written; adjustments may have to be made for future versions.


Siddhartha Aggarwal
|
November 9, 2020

Siddhartha Aggarwal is currently a Lead Product Marketing Engineer at A10 Networks. He has more than 15 years of experience in the field of Data Networking (Routing/Switching), Network…