Forum Discussion
hc_andy_35682
Nimbostratus
May 11, 2010
Bypassing a VIP based on destination address
Hi All,
Our LTM is configured with a PROXY_VIP and WEBMAIL_VIP which load balances proxy and webmail traffic for schools. Schools use the PROXY_VIP to access HTTP/HTTPS web sites and the IP address of the PROXY_VIP is hard coded in the student's browser.
So if schools need access to http://webmail.com, their request first gets served by the PROXY_VIP which load balances the request to a real proxy server and then the proxy server goes and fetches the webmail page which in turn gets load balanced by the WEBMAIL_VIP.
Can the LTM do the following:
1/ If the request is from a school IP address and the destination address is http://webmail.com, can we bypass the PROXY_VIP and redirect the request to the WEBMAIL_VIP.
2/ If 1 is not possible, once the request hits the PROXY_VIP and the destination address is http://webmail.com, can we use HTTP Redirection to redirect the request to the WEBMAIL_VIP but PRESERVE the School's IP address as the source IP rather than it being the IP address of the proxy server???
The reason for doing this is so that we can maintain source address persistence like so: school IP -> webmail machine rather than proxy server IP -> webmail machine.
Thanks.
Andy
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1172300/aff/5/showtab/groupforums/Default.aspx
10 Replies
- Hamish
Cirrocumulus
1. If the proxy ip address is hard-coded in the browser then it doesn't matter what you redirect to... It'll still go via the proxy... The only way around that really is to use a PAC file (It's a small javascript program that gets run for EVERY URL accessed. It can decide whether to use a proxy or go direct to a website).
Be aware though that because it gets run for EVERY URL, you really really do want to keep it small. And avoid IP address lookups etc.
2. redirects are no good.
The best way would be via PAC file. Note that you can set up the PAC file on an HTTP server and then have the browsers load it from there. Thus you don't have to distribute a file every time it changes. Failing that, I'd recommend using an iRule on the proxy_vip. Simply detect the host they're accessing, and if it's webmail.com then use the webmail pool. Otherwise use the default pool. You can also enable/disable SNAT in the iRule so that when accessing the webmail servers, the webmail will see the client IP address. But this also pre-supposes that the webmail servers use the F5 as their route back to the clients (either by default route, or routes in the network etc).
H
- hc_andy_35682
Nimbostratus
Thanks for the reply Hamish.
I'm probably more interested in option 2. If we redirect the packet to the webmail pool once it hits the PROXY_VIP, can we code the irule to set the persistence and timeout we want so that each school's ip will be bound to the same real webmail machine? And yes the webmail servers use the F5 as the route back to the clients.
Thanks.
Andy
- hc_andy_35682
Nimbostratus
Been playing with this, but can't figure it out...
How do I write an irule so that we can extract the webmail URL/IP from the packet that hits the proxy_vip and then redirect this to the webmail_vip/pool whilst maintaining the src ip as that of the school's IP???
Original request:
src ip (school) -> dest ip (proxy_vip)
Desired request:
src ip (school) -> dest_ip (webmail_vip)
The proxy_vip is a Performance L4 VIP, so I can't use any of the HTTP_REQUEST and HTTP::redirect iRule statements - is there another way to do what I want to accomplish?
Thanks.
Andy
- Hamish
Cirrocumulus
OK, you're looking for either the CONNECT (if using HTTPS on webmail) or the GET/POST/whatever requests if using cleartext. You do something like (completely untested, syntax may not be 100%... YMMV...):

    if { ([HTTP::uri] contains "webmail.server.com") || ([HTTP::header host] equals "webmail.server.com") } {
        use pool webmail_pool
        return
    }
    use pool proxy_pool
    snat automap

The basic logic is that we test for the webmail server being in the URI or the host header of the request (Some hosts don't use FQ URI's when talking to proxies apparently, so we test the URI and the host: header). If we have a match, then we use the webmail pool and just return.
Otherwise we fall through to the default actions... Which is to use the proxy pool, and perform snat automap (Or whatever snat you want).
The VS should NOT have SNAT enabled... The iRule will doit for you.
H
- hc_andy_35682
Nimbostratus
Thanks for the help Hamish... I've attempted to use the irule on the Performance L4 proxy_vip (Protocol TCP/FastL4 profile) but getting the following errors.
I'm using the code below which is exactly the same as what you suggested w/o the SNAT line. To be able to use any of the "HTTP::" syntax, doesn't the VIP have to be of type Performance (HTTP)??? Note that this is a proxy VIP which is answering on TCP port 3128.

    01070151:3: Rule [test] error: line 3: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::uri] line 3: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::header host]

    when CLIENT_ACCEPTED {
        if { ([HTTP::uri] contains "webmail.server.com") || ([HTTP::header host] equals "webmail.server.com") } {
            use pool WEBMAIL_HTTP_POOL
            return
        }
        use pool EDU_PROXY_POOL
    }

- Hamish
Cirrocumulus
Sorry, the [HTTP::xx] commands are only available in the HTTP_ events... When CLIENT_ACCEPTED triggers, the only thing that has happened is the 3-way handshake... Move the HTTP tests (for URI) out to the HTTP_REQUEST event; this event triggers after the client has sent their request (but before that request is sent to the server).
You'll also have to have an HTTP profile attached. And because you're inspecting L7 traffic you'll lose the acceleration. But then you don't really have a choice unless you have the client do it for you...
H
- hc_andy_35682
Nimbostratus
Thanks for the explanation Hamish.
One final question... How do I update the iRule so it matches on the following pattern: webmail.*.server.com. This is because schools connect to our webmail system using their own domain name - eg: http://webmail.school123.server.com
I've tried various permutations to include the regex to match only letters {^[A-Za-z]+$} within the iRule but keep getting errors. How do I place the regex wildcard into the iRule?

    if { ([HTTP::uri] contains "webmail.*.server.com") || ([HTTP::header host] equals "webmail.*.server.com") }

Thanks.
Andy
- Hamish
Cirrocumulus
Not sure you require the complexity of a regex... You could try a glob... e.g.

    if { [HTTP::uri] matches_glob "webmail.*.server.com" } ...

You could also get fancy with DG's and specific pools for specific domains if you really wanted.
Depending on performance, you may also want to investigate whether a pre-filter on starts_with "webmail" might help as well (to avoid using the glob match if the URL is something other than webmail.*.server.com). This however depends on whether starts_with is a lot quicker than the glob it tries to avoid for every hit...
H
- hc_andy_35682
Nimbostratus
Hi Hamish,
Thanks for the config. I've got a working config now based on matching the URL as seen below.
This works great and it does exactly what I want and I see the source address hitting the webmail_pool as being that of the school's IP address. I wanted to improve on this and was wondering if you could make it match on destination IP address instead. You see all of the schools have a CNAME for their webmail.*.server.com that resolves to say 10.10.10.10.

    when HTTP_REQUEST {
        if { [HTTP::header host] matches_glob "webmail.*.server.com" } {
            persist source_addr 255.255.255.255 240
            use pool WEBMAIL_HTTP_POOL
            return
        }
        use pool VMTEST_PROXY_POOL
    }

Could I match on the destination IP address of 10.10.10.10 and redirect that to the webmail_pool??? I've tried the code below and it works BUT the source address that hits the webmail_pool is that of the real proxy server instead of the school's IP address which is not what I want to happen.
I want it to persist based on the school's IP address, which was possible when matching using the HTTP::xx code. Why doesn't it do the same when I change it to match on destination IP and keep the source IP as that of the school's IP address??? Is this just a limitation of the IP::xx code or do I need to modify the code in some way? Appreciate any further guidance. Thanks.
Andy

    when HTTP_REQUEST {
        if { [IP::addr [IP::local_addr] equals 10.10.10.10] } {
            persist source_addr 255.255.255.255 240
            use pool WEBMAIL_HTTP_POOL
            return
        }
        use pool VMTEST_PROXY_POOL
    }

- JRahm
Admin
Nice thread guys. Gave me an idea for a tech tip on command efficiencies:
http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084375/Investigating-Efficiencies-in-iRules-Handling-Wildcards-in-Hostnames.aspx
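The PAC-file approach Hamish describes in the first reply, as an added example that is not part of the original thread: the browser calls FindProxyForURL for every URL, so this version does only a string match (no DNS lookups), sends webmail.<school>.server.com DIRECT so the WEBMAIL_VIP sees the school's own IP, and routes everything else through the PROXY_VIP. The proxy address, the hostname pattern and the proxyFor harness (for running it outside a browser) are assumptions.

```javascript
// Proxy auto-config (PAC) logic. A browser calls FindProxyForURL(url, host)
// for EVERY URL, so keep it small and avoid dnsResolve()/IP lookups.

// Assumed placeholder for the PROXY_VIP address and port from the thread.
var PROXY_VIP = "192.0.2.10:3128";

// Assumed hostname pattern: exactly one school label between "webmail." and
// ".server.com" (the thread's glob is webmail.*.server.com). Anchored with ^/$
// so webmail.school123.server.com.example.org does NOT match.
var WEBMAIL_HOST = /^webmail\.[a-z0-9-]+\.server\.com$/i;

function FindProxyForURL(url, host) {
  // Cheap pre-filter first (Hamish's starts_with idea): most URLs are not
  // webmail, so skip the regex entirely for them.
  if (host.lastIndexOf("webmail.", 0) !== 0) {
    return "PROXY " + PROXY_VIP;
  }
  // Per-school webmail: bypass the proxy so the WEBMAIL_VIP sees the school IP
  // and source_addr persistence binds school -> webmail server.
  if (WEBMAIL_HOST.test(host)) {
    return "DIRECT";
  }
  // Anything else that merely starts with "webmail." still goes via the proxy.
  return "PROXY " + PROXY_VIP;
}

// Harness for running outside a browser (assumed, not part of a real PAC):
// derives the host the same way the browser would and calls the PAC function.
function proxyFor(url) {
  var host = new URL(url).hostname; // already lower-cased by the URL parser
  return FindProxyForURL(url, host);
}
```

Serve the file from an HTTP server and point the browsers' auto-config URL at it, as Hamish suggests, so the one-line change of PROXY_VIP never needs redistributing.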