1 / 32

Seattle DevCentral User Group iRules Optimization Techniques

Seattle DevCentral User Group iRules Optimization Techniques. Joe Pruitt – Senior Strategic Architect. Agenda. iRules Overview Optimization Techniques Troubleshooting Tips Open Q&A. What are iRules?. Programming language integrated into TMOS Traffic Management Operating System

angie
Télécharger la présentation

Seattle DevCentral User Group iRules Optimization Techniques

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Seattle DevCentral User GroupiRules Optimization Techniques Joe Pruitt – Senior Strategic Architect

  2. Agenda • iRules Overview • Optimization Techniques • Troubleshooting Tips • Open Q&A

  3. What are iRules? Programming language integrated into TMOS Traffic Management Operating System Based on industry standard TCL language Tool Command Language Provide ability to intercept, inspect, transform, direct and track inbound or outbound application traffic Core of the F5 “secret sauce” and key differentiator

  4. What makes iRules so unique? Full-fledged scripts, executed against traffic on the network, at wire-speed Powerful logical operations combined with deep packet inspection The ability to route, re-route, re-direct, retry, or block traffic Community support, tools and innovation

  5. How do iRules Work? • iRules allow you to perform deep packet inspection (entire header and payload) • Coded around Events(HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED etc.) • Full scripting language allows for extremely granular control of inspection, alteration and delivery on a packet by packet basis Requests iRule Triggered HTTP Events Fire (HTTP_REQUEST, HTTP_RESPONSE, etc.) Modified Request* Modified Responses* Original Request *Note: BIG-IP’s Bi-Directional Proxy capabilities allow it to inspect, modify and route traffic at nearly any point in the traffice flow, regardless of direction.

  6. What can an iRule do? Read, transform, replace header or payload information (HTTP, TCP, SIP, etc.) Work with any protocol, such as SIP, RTSP, XML, others, whether with native (HTTP::cookie) or generic (TCP::payload) commands Authentication assistance, offload, inspection and more for LDAP, RADIUS, etc. Caching, compression, profile selection, rate shaping and much, much more

  7. Key elements of an iRule Event declarations Define when code will be executed Operators Define under what conditions you will perform an action iRule commands Define the action to perform

  8. iRule elements - Events Events are anything that may trigger the processing of the rule in the first place Examples: HTTP_REQUEST HTTP_RESPONSE CLIENT_ACCEPTED LB_FAILED Additional events found at http://devcentral.f5.com/wiki/default.aspx/iRules/Events.html when HTTP_REQUEST { http_pool1 }

  9. iRule elements - Operators There are two types or operators, Relational and Logical Operators compare the operands in an expression Relational operators contains, matches, equals, starts_with, ends_with, matches_regex, switch Logical operators if, and, not, or when HTTP_REQUEST { if{[HTTP::host] ends_with “bob.com”}{ pool http_pool1 } } when HTTP_REQUEST { if{([HTTP::host] ends_with “bob.com”) or ([HTTP::uri] contains “/portal/”)}{ pool http_pool1 } }

  10. iRule elements – iRule commands As implied, the action that is to be carried out upon a operator match Does the rule look for data, manipulate data, send to a location? Statement commands – can cause actions such as destination selection or SNAT assignment Query commands – search for header or content data, such as IP::remote_addr Data manipulation – as stated, manipulate the data content, such as insert or remove headers Utility commands – useful for parsing data and manipulating content, such as decode_uri <string> Many additional commands available - http://devcentral.f5.com/wiki/default.aspx/iRules/Commands.html

  11. iRule Event Taxonomy AUTH AUTH_ERROR AUTH_FAILURE AUTH_RESULT AUTH_SUCCESS AUTH_WANTCREDENTIAL GLOBAL LB_FAILED LB_SELECTED RULE_INIT LINE CLIENT_LINE SERVER_LINE TCP CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA USER_REQUEST USER_RESPONSE AUTH GLOBAL LINE TCP RTSP RTSP_REQUEST RTSP_REQUEST_DATA RTSP_RESPONSE RTSP_RESPONSE_DATA RTSP HTTP HTTP_CLASS_FAILED HTTP_CLASS_SELECTED HTTP_REQUEST HTTP_REQUEST_DATA HTTP_REQUEST_SEND HTTP_RESPONSE HTTP_RESPONSE_CONTINUE HTTP_RESPONSE_DATA HTTP CACHE CACHE_REQUEST CACHE_RESPONSE CACHE UDP CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA UDP SIP SIP_REQUEST SIP_REQUEST_SEND SIP_RESPONSE SIP CLIENTSSL CLIENTSSL_CLIENTCERT CLIENTSSL_HANDSHAKE CLIENTSSL IP CLIENT_ACCEPTED CLIENT_CLOSED CLIENT_DATA SERVER_CLOSED SERVER_CONNECTED SERVER_DATA IP SERVERSSL SERVERSSL_HANDSHAKE SERVERSSL XML XML_BEGIN_DOCUMENT XML_BEGIN_ELEMENT XML_CDATA XML_END_DOCUMENT XML_END_ELEMENT XML_EVENT DNS DNS_REQUEST DNS_RESPONSE NAME_RESOLVED XML DNS STREAM STREAM_MATCHED STREAM

  12. Prize Giveaway #1 What does TCL stand for?

  13. iRules Optimization Techniques

  14. Optimization Tip #1 – Don’t use an iRule • If you aren’t doing custom conditional testing, let the profiles do the work. • HTTP header insert • HTTP header erase • HTTP fallback • HTTP compress uri <exclude|include> • HTTP compress gzip level • HTTP redirect rewrite • HTTP insert xforwarded for • HTTP ramcacheuri <exclude|include|pinned> • Stream Profile for content replacement • Class profile for URI matching.

  15. Optimization Tip #2 - Planning Plan your iRule before attempting to code Determine what protocols involved Decide what commands you'll need Choose how to achieve the desired effect in the least steps Confirm what needs to be logged Determine where/how you will test

  16. Optimization Tip #3 – Tools and Preparation Have a test System available Install and get familiar with a packet capture tool Find your favorite TCL resource(s) Browse DevCentral Use a code editing tool

  17. F5 iRule Editor First network rule editor optimizes development Includes: Syntax checking Auto-complete Template support Doc Links Deployment integration Statistics monitoring Data group editing Optional post to CodeShare feature Available: Now Tutorials: on DevCentral

  18. Optimization Tip #4 – Control Your Control statements • Think “switch”, then “class”, then “if/elseif” when HTTP_REQUEST { switch –glob [HTTP::uri] { “/img*” - “/image*” - “/pics*” { pool imagePool } } } class image_dirs { “/img” “/image” “/pics” } … when HTTP_REQUEST { if { [matchclass [HTTP::uri] starts_with $::image_dirs] } { pool imagePool } } when HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imagePool } elseif { [HTTP::uri] starts_with “/image” } { pool imagePool } elseif { [HTTP::uri] starts_with “/pics” } { pool imagePool } }

  19. Optimization Tip #5 – Regex is EVIL • Regex’s are cool, but are CPU hogs and should be considered pure evil. Most often there are better alternatives. when HTTP_REQUEST { if { [regex {^/myPortal} [HTTP::uri] } { regsub {/myPortal} [HTTP::uri] “/UserPortal” newUri HTTP::uri $newUri pool http_pool1 } } when HTTP_REQUEST { if{[HTTP::uri] starts_with “/myPortal”}{ newUri [string map {myPortalUserPortal [HTTP::uri]] HTTP::uri $newUri pool http_pool1 } } • But sometimes they are a necessary evil… when HTTP_RESPONSE_DATA { # Find ALL the possible credit card numbers in one pass set card_indices [regexp -all -inline -indices {(?:30[0-5]\d{11})|(?:3[6|8]\d{12})|(?:3[4|7]\d{13})|(?:4\d{12})|(?:4\d{15})|(?:5[1-5]\d{14})|(?:6011\d{12})} [HTTP::payload]] }

  20. Optimization Tip #6 – Don’t Use Variables • Don’t use variables unless you HAVE to. They may make it easier to read, but they do chew up memory and CPU. when HTTP_REQUEST { set host [HTTP::host] set uri [HTTP::uri] if{[HTTP::host] contains “bob.com”}{ log “Host = $host” log “URI = $uri” pool http_pool1 } } when HTTP_REQUEST { if{[HTTP::host] contains “bob.com”}{ log “Host = [HTTP::host] ; URI = [HTTP::uri]” pool http_pool1 } }

  21. Optimization Tip #7 – Use Variables • Use variables to reduce repetitive costly evaluations, but don’t make the names too long… when HTTP_REQUEST { if { [string tolower[HTTP::uri] starts_with “/img” } { pool imagePool } elseif { ([string tolower[HTTP::uri] ends_with “.gif”]) || ([string tolower[HTTP::uri] ends_with “.jpg”]) || ([string tolower[HTTP::uri] ends_with “.png”]) } { pool imagePool }} when HTTP_REQUEST { set theUriThatIAmMatchingInThisiRule [string tolower [HTTP::uri]] if { $theUriThatIAmMatchingInThisiRulestarts_with “/img” } { pool imagePool } elseif { ($theUriThatIAmMatchingInThisiRuleends_with “.gif”) || ($theUriThatIAmMatchingInThisiRuleends_with “.jpg”) || ($theUriThatIAmMatchingInThisiRuleends_with “.png”) } { pool imagePool } } when HTTP_REQUEST { set uri [string tolower [HTTP::uri]] if { $uristarts_with “/img” } { pool imagePool } elseif { ($uriends_with “.gif”) || ($uriends_with “.jpg”) || ($uriends_with “.png”) } { pool imagePool } }

  22. Optimization Tip #8 – Return Early • Use "return" to exit early to save as many CPU cycles as possible. when HTTP_REQUEST { if { [HTTP::uri] contains “/images” { pool imagePool } if { [HTTP::header exists “SomeHeader” } { log local0. “SomeHeader found” } } when HTTP_REQUEST { if { [HTTP::uri] contains “/images” { pool imagePool return } if { [HTTP::header exists “SomeHeader” } { log local0. “SomeHeader found” } }

  23. Optimization Tip #9 – Operators and Data Types • Polymorphism is a blessing and a killer. • Use the right operator for the right type • Use eq, ne on strings • Use ==, != on numbers set x 0 foreach dir {[split [HTTP::uri] "/"]} { incr x if {$x == 4} { ... } } set x 0 foreach dir {[split [HTTP::uri] "/"]} { incr x if {$x eq 4} { ... } } • Use [IP::addr] to • compare addresses if { [IP::addr [IP::client_addr]/8 equals 10.0.0.0] } { … } • Things are not always as they seem set x 5 if { $x == 5 } { } # this evaluates as true if { $x eq 5 } { } # this evaluates as true if { $x == 05 } { } # this evaluates as true if { $x eq 05 } { } # this evaluates as false

  24. Optimization Tip #9 – Operators and Data Types • Group expressions with curly’s to avoid unnecessary conversions (especially with “expr”). when CLIENT_ACCEPTED { set newOct [expr 3 + [getfield [IP::client_addr] "." 4] ] set total [expr 128 + $newOct] ... } when CLIENT_ACCEPTED { set newOct [expr{3 + [getfield [IP::client_addr] "." 4]}] set total [expr{128 + $newOct}] ... }

  25. Optimization Tip #10 – Timing • Use the “timing” command to turn on profiling statistics in your iRule. Use the GUI, bigpipe, or the iRule Editor to monitor and test your optimizations. timing on when HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imgPool } elseif { [HTTP::uri] starts_with “/doc” } { pool docPool } elseif { [HTTP::uri] starts_with “/blog” } { pool blogPool }} when HTTP_RESPONSE { if { [HTTP::status] == 500 } { HTTP::respond 200 content “An error occurred” }} when HTTP_REQUEST { if { [HTTP::uri] starts_with “/img” } { pool imgPool } elseif { [HTTP::uri] starts_with “/doc” } { pool docPool } elseif { [HTTP::uri] starts_with “/blog” } { pool blogPool }} when HTTP_RESPONSE timing on { if { [HTTP::status] == 500 } { HTTP::respond 200 content “An error occurred” }}

  26. Optimization Tip #11 – Use the community

  27. Prize Giveaway #2 How may *::payload iRulecommands are there?

  28. Troubleshooting tips Verify that the rule is looking for the correct item to act upon, such as the URI Ensure you’re using the right events Check the logs for hints Try using single-case comparisons Analyze traffic with a capture tool Use “timing” to measure efficiency gains

  29. Troubleshooting tips continued Use log statements to verify the information Logging practices that can be helpful: Log variable values before and after each time they are set Log at least once in each event to ensure all events are firing as intended Add a log entry inside each conditional block to see if the conditional returned true or false (don't forget Else clauses) Log the result of each command being executed if possible by re-logging any variable that was effected

  30. Where can I find out more? • F5 DevCentral: • Home: • http://devcentral.f5.com • Editor: • http://devcentral.f5.com/Default.aspx?tabid=66 • TCL Links: • Overview: • http://en.wikipedia.org/wiki/Tcl • Tutorial: • http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html • Reference: • http://tmml.sourceforge.net/doc/tcl/index.html

  31. Prize Giveaway #3 What two functions does OneConnect perform?

  32. Know How. Now.

More Related