Forum Discussion
cannot target different APM VIPs from irule attached to HTTP_REQUEST event, because HTTP::path changes to my.policy, etc.
Hi there, I have a VS, no policy, with an irule on HTTP_REQUEST, that switches on HTTP::path, and routes the traffic to different APM VIPs:

    when HTTP_REQUEST {
        # Route to a different APM virtual server based on the request path
        switch -glob [HTTP::path] {
            "/uri1" { virtual VS_uri1 }
            "/uri2" { virtual VS_uri2 }
        }
    }

The problem is that the first request gets through to the desired APM VIP, however this responds by redirecting to /my.policy. Therefore the subsequent requests will no longer match, so the policy gets started, but never completed.
Is there something more appropriate than HTTP::path that I can check in the irule, i.e. something that won't change?
Cheers in advance for any advice.
1 Reply
- Kevin_Stewart
Employee
That's an interesting and very valid scenario. Here are a few options:
- Clientless-mode - if you don't have "disruptive" mechanisms in your access policy, like message boxes and logon forms, clientless-mode will bypass the /my.policy redirect, validate the access policy, send data to the server, and then add the APM session token to the FIRST server response. This is typically used with clients that don't support the redirects, but certainly an option here. You just need to add a "clientless-mode" header to the HTTP_REQUEST event of the APM VIPs:

      when HTTP_REQUEST {
          HTTP::header insert "clientless-mode" 1
      }

- When the APM VIP sends that /my.policy redirect, it'll also send the initialized session cookie. The trick then is to catch that response in an external LTM iRule and create a session table entry that maps the session cookie to the APM VIP. On subsequent requests, if "/my.policy", look up and forward based on the cookie. After policy evaluation is over, you should never see /my.policy again and can go back to URI-based balancing.
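
A sketch of the second option, as an added example that is not part of the original reply. It assumes the APM session cookie is named `MRHSession` and that the APM VIP's response is visible in `HTTP_RESPONSE` on the front virtual server; the subtable name `apm_vip_map`, the 300-second idle timeout and the trailing `*` on the path patterns are constructed for illustration. It applies the cookie lookup to any path that matches no URI rule, not only /my.policy.

```tcl
# Added example for the front (LTM-only) virtual server; not from the thread.
when HTTP_REQUEST {
    set target ""
    switch -glob [HTTP::path] {
        "/uri1*" { set target "VS_uri1" }
        "/uri2*" { set target "VS_uri2" }
        default {
            # /my.policy and any other path without a URI rule:
            # route by the APM session cookie recorded earlier.
            set sid [HTTP::cookie value "MRHSession"]
            if { $sid ne "" } {
                set target [table lookup -subtable apm_vip_map $sid]
            }
        }
    }
    if { $target eq "" } {
        # No URI rule and no known session: do not guess a backend.
        HTTP::respond 404 content "Not found"
        return
    }
    virtual $target
}

when HTTP_RESPONSE {
    # The APM VIP sets the session cookie along with the /my.policy redirect.
    # Remember which VIP issued it so follow-up requests reach the same VIP.
    if { [HTTP::cookie exists "MRHSession"] } {
        table set -subtable apm_vip_map [HTTP::cookie value "MRHSession"] $target 300
    }
}
```

The table value is only ever written from the `switch` branches, so a client-supplied cookie can select one of the known APM VIPs but can never name an arbitrary virtual server; the APM VIP still validates the session itself.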