Forum Discussion

Chadwick_McInni
Jul 16, 2008

BIG-IP as proxy

I'd like the BIG-IP to determine if an HTTP GET should go to our web proxy or not. I'd like the BIG-IP to examine [HTTP::host] in an HTTP_REQUEST, and if [HTTP::host] does NOT contain "mydomain" then use a pool that contains our webproxy. We proxy requests for external hosts; I'd like the BIG-IP to keep requests to internal hosts internal, and send requests to external hosts to our web proxy.

Below is what I have so far. This is working for requests to google and yahoo, but not for requests to "mydomain". If I go this route I'll have to list every external host name (google, yahoo, etc). That list might get a little big!

iRule bigproxy

    when HTTP_REQUEST {
       log "http host is [HTTP::host]"
       if { [HTTP::host] contains "google" or
            [HTTP::host] contains "yahoo" } {
          pool bigproxy
       }
    }

Ideas? Suggestions?

Thanks!

Chad
  • hoolio
    Hi Chad,

    You can check if the requested host doesn't contain mydomain:

     
     when HTTP_REQUEST {
        log "http host is [HTTP::host]"
        if { not ([string tolower [HTTP::host]] contains "mydomain") } {
           pool bigproxy
        }
     }

    Aaron
  • Thanks Aaron! That works great.

    The BIG-IP is resetting the connections for any requests going to "mydomain". Since there is no "else", does the BIG-IP then just send a reset?
  • Thanks again Aaron, I have now specified an "else" pool, and that fixed that problem. Here's how the rule looks now:

        when HTTP_REQUEST {
           if { not ([string tolower [HTTP::host]] contains "mydomain") } {
              pool use_webproxy
           } else {
              pool poolx
           }
        }
    Here's an issue I'm working on. Not sure if this is the correct forum to ask in, or if I should open a case with F5 since it's a design question:

        Internet
        ----------firewall----------
        dmz (webproxy)
        ----------firewall----------
        core (bigip)

    The issue is that we want to bypass the webproxy in the dmz for requests that contain "mydomain" in the hostname. All HTTP requests from clients in the core have to go through the webproxy. So there's a vip on the BIG-IP in the core, and we tell clients in the core to use this vip as their HTTP proxy. The iRule on the BIG-IP vip looks for "mydomain" in the hostname: if "mydomain" doesn't exist then BIG-IP forwards the request to the pool that contains the webproxy (this is working great); if "mydomain" does exist then BIG-IP forwards the request to a different pool, poolx.

    The problem is we don't want everything with "mydomain" to go to poolx. There will be many other internal servers that requests will need to go to, and we don't want to manually specify them; we want this solution to be able to grow maintenance free.

    I tried using a 302 redirect for "mydomain" requests, but that created a loop because the iRule told the client to come back to the vip for another 302.

    I read that in 9.4 there is a solution to forward requests to another vip; I think that would solve the problem. However, we will be on 9.3.1 for a while. Is there a solution for 9.3.1?

    Thanks,

    Chad
  • I've found a working solution with this iRule:

        when HTTP_REQUEST {
           if { not ([string tolower [HTTP::host]] contains "mydomain") } {
              pool webproxy
           } else {
              [virtual name] vs_0_0_0_0_any
           }
        }
  • hoolio
    You'll only be able to use the virtual command to specify a new VIP for the connection on 9.4+. The example you have listed above would output the current virtual server name and cause a syntax error. Are you able to upgrade?

    If not, there might be an option to use one pool of proxy servers and another pool of gateway(s).

    Aaron
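Putting Aaron's host check together with his two routing suggestions (the 9.4+ virtual command, or a pool of gateways on 9.3.x), here is an added example iRule. It is not code from this thread or from F5; it assumes the pool names webproxy and internal_gateways, the virtual server name vs_0_0_0_0_any from the thread, and mydomain.com as the internal DNS zone (the thread only says "mydomain"). It tightens the match from "contains" to an exact or suffix match, because a plain "contains mydomain" test also matches external names such as mydomain.example.net or notmydomain.com and would send those onto the internal path, and it selects a destination on every branch so no request is left without a pool.

```tcl
# Added example, not from the thread. Assumed names: pool "webproxy",
# pool "internal_gateways", virtual "vs_0_0_0_0_any", zone "mydomain.com".
when RULE_INIT {
   # Internal DNS zones that may bypass the web proxy (v9-style global;
   # on v10+ this would normally be a data group or a static:: variable).
   set ::internal_zones [list "mydomain.com"]
}

when HTTP_REQUEST {
   # Normalise the Host header: lower-case it and strip any ":port" so that
   # "WWW.MYDOMAIN.COM:8080" and "www.mydomain.com" are treated the same.
   set host [string tolower [getfield [HTTP::host] ":" 1]]

   # No Host header at all: there is nothing to classify, so send it the
   # proxied route. Selecting no pool on a virtual with no default pool
   # leaves the connection with nowhere to go and it is reset.
   if { $host eq "" } {
      pool webproxy
      return
   }

   # Exact match for the bare zone, suffix match for its subdomains.
   # "ends_with" on ".mydomain.com" keeps "mydomain.com.example.net"
   # and "notmydomain.com" on the external side.
   set internal 0
   foreach zone $::internal_zones {
      if { $host equals $zone or $host ends_with ".$zone" } {
         set internal 1
         break
      }
   }

   if { $internal } {
      log local0. "internal host $host: bypassing web proxy"
      # 9.4 and later: hand the connection to the wildcard forwarding
      # virtual, which routes by destination address, so new internal
      # servers need no pool changes. The syntax is "virtual <name>",
      # not "[virtual name] <name>" (the latter only reads the name).
      virtual vs_0_0_0_0_any
      # 9.3.x, where the virtual command is unavailable: replace the
      # line above with a pool of internal gateway routers instead:
      #    pool internal_gateways
   } else {
      log local0. "external host $host: sending to web proxy"
      pool webproxy
   }
}
```

Because the clients use this virtual server as an explicit HTTP proxy, the bypass decision is the only control keeping external requests from being routed directly out of the core, so the match should be no looser than the zone list above; adding a zone is a one-line change to the RULE_INIT list rather than a per-host pool edit.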