aFleX Examples


Updated: Nov 9, 2020

aFleX can address a large number of needs. Here are some examples:

But keep in mind aFleX can be used to address many other needs too.

Availability

Provide a sorry page when all servers are down, or the application is down

The following aFleX script replies with a sorry page when all the servers in the service group “Server_HTTP” are down.

when HTTP_REQUEST {
  if {[LB::status pool Server_HTTP] equals "down" } {
    HTTP::respond 200 content "<html><head><title>Apology Page</title></head><body>We are sorry for the inconvenience, but the site is temporarily out of service<br>If you feel you have reached this page in error, please try again.<p></body></html>"
  }
}

Redirect end-users to the backup data center if all the servers are down or the application is dead

The following aFleX script redirects end-users to the backup data center (backup.example.com) when all the servers in the service group “Server_HTTP” are down.

when HTTP_REQUEST {
  if {[LB::status pool Server_HTTP] == "down" } {
    HTTP::redirect "https://backup.example.com"
  }
}

Security

Authorize only internal users to access web directory “/private”

Three different aFleX scripts are provided as examples to meet this need.

Note: In this example, we assume internal users are in the subnet 192.168.18.0/24.

The first example aFleX script drops all requests from external users accessing the “private” section of the website.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    drop
  }
}

Instead of dropping all requests from external users accessing the “private” section of the website, the following aFleX script example redirects them to a page that explains why they cannot access that section of the website.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    HTTP::redirect "https://www.example.com/not_authorized.html"
  }
}

Note: The not_authorized.html page is hosted on web server www.example.com.

The following aFleX script example replies directly with a page that explains that external users cannot access that section of the website.

Note: For this solution, no page needs to be hosted on the web server.

when HTTP_REQUEST {
  if {not [IP::addr [IP::client_addr] equals 192.168.18.0/24] and ([HTTP::uri] starts_with "/private")} {
    HTTP::respond 200 content "This web section is accessible only from our corporate offices."
  }
}

Flexibility

Transparently convert an HTTP web application to HTTPS

This can be done simply with a VIP listening on HTTPS and servers on HTTP, but there are two points to which you should pay attention:

The following aFleX script redirects the end-users from HTTP to HTTPS.

Note: The HTTP to HTTPS redirection can also be done using the “redirect-to-https” CLI command (Using GUI: ADC > SLB > Virtual Servers > “VIP” > Virtual Port > Advanced Fields > Redirect to HTTPS).

# redirect HTTP request to https URL
when HTTP_REQUEST {
  HTTP::redirect https://[HTTP::host][HTTP::uri]
}

The following aFleX script rewrites web server redirects.

Note: The web server redirects could be rewritten using the “redirect rewrite” option in an HTTP template (using GUI: ADC > Templates > Layer 7 Protocols > HTTP > Redirect Rewrite) instead of using an aFleX script.

# rewrites relative and absolute redirects to absolute HTTPS redirects
when HTTP_REQUEST {
  set host [HTTP::host]
}

when HTTP_RESPONSE {
  if { [HTTP::is_redirect] } {
    if { [HTTP::header Location] starts_with "/" } {
      HTTP::header replace Location "https://$host[HTTP::header Location]"
    } else {
      HTTP::header replace Location "[string map {"http://" "https://"} [HTTP::header Location]]"
    }
  }
}

Logging

Log cipher name, bits, version and SNI field used in the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) handshake.

The following aFleX script logs the SSL/TLS cipher information and the SNI field during the SSL/TLS handshake:

when CLIENTSSL_HANDSHAKE {
  log "SSL cipher_name is [SSL::cipher name]"
  log "SSL cipher_bit is [SSL::cipher bits]"
  log "SSL cipher_version is [SSL::cipher version]"
  log "SSL SNI is [SSL::hostname]"
}
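
The messages this script writes can be reviewed off the device for legacy protocol versions and weak ciphers. The following Python example is added here and is not part of the original post or A10's code. It assumes the four messages of one handshake are contiguous in the log and that the version is reported OpenSSL-style (for example TLSv1.2); the sample lines and their timestamp/host prefix are constructed.

```python
import re

# Message prefixes copied from the log statements in the aFleX script above.
FIELDS = {"cipher_name": "name", "cipher_bit": "bits",
          "cipher_version": "version", "SNI": "sni"}
PATTERN = re.compile(r"SSL (cipher_name|cipher_bit|cipher_version|SNI) is ?(.*)$")
# Assumption: versions are reported OpenSSL-style, e.g. "TLSv1.2".
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
MIN_BITS = 128
# Constructed sample lines; the timestamp and host prefix are hypothetical.
SAMPLE_LOG = """\
Nov  9 10:00:01 adc1 SSL cipher_name is ECDHE-RSA-AES256-GCM-SHA384
Nov  9 10:00:01 adc1 SSL cipher_bit is 256
Nov  9 10:00:01 adc1 SSL cipher_version is TLSv1.2
Nov  9 10:00:01 adc1 SSL SNI is www.example.com
Nov  9 10:00:07 adc1 SSL cipher_name is DES-CBC-SHA
Nov  9 10:00:07 adc1 SSL cipher_bit is 56
Nov  9 10:00:07 adc1 SSL cipher_version is TLSv1
Nov  9 10:00:07 adc1 SSL SNI is
"""


def parse_handshakes(lines):
    """Group the four messages of each handshake (assumed contiguous)."""
    records, current = [], {}
    for line in lines:
        match = PATTERN.search(line)
        if not match:
            continue
        key = FIELDS[match.group(1)]
        if key == "name" and current:  # previous record was cut short
            records.append(current)
            current = {}
        current[key] = match.group(2).strip()
        if key == "sni":  # last message the script logs per handshake
            records.append(current)
            current = {}
    return records + ([current] if current else [])


def findings(record):
    """Return the reasons a handshake record deserves review."""
    reasons = []
    if record.get("version") in LEGACY_VERSIONS:
        reasons.append("legacy protocol " + record["version"])
    bits = record.get("bits", "")
    if bits.isdigit() and int(bits) < MIN_BITS:
        reasons.append("weak cipher: " + bits + " bits")
    return reasons
```

Because the four messages carry no connection identifier, interleaved handshakes on a busy virtual port can be grouped incorrectly; treat the output as a starting point for review.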

Note: Syntax and commands reflect the version current at the time this blog was written; adjustments may have to be made for future versions.


About Siddhartha Aggarwal

Siddhartha Aggarwal is currently a Lead Product Marketing Engineer at A10 Networks. He has more than 15 years of experience in the field of Data Networking (Routing/Switching), Network Security, Computer Programming and Linux/Windows systems.