igorzhuk
Oct 18, 2018

Client Auth + Pool Base URI

Hi, today I have a VS with client cert request from the client-side profile. I have a pool with 7 members and an iRule attached to the VS:

when CLIENTSSL_CLIENTCERT {
    # Store the client certificate, base64-encoded, for this connection
    set cert [b64encode [SSL::cert 0]]
}

when HTTP_REQUEST {
    if { [info exists cert] } {
        # Insert the header only for URIs listed in the dg_urls data group
        if { [class match [string tolower [HTTP::uri]] starts_with dg_urls] } {
            HTTP::header insert Certificate "$cert"
        }
    }
}

In the data group I have the URLs "/app1" and "/app2". Now I need requests that go to "/app1" to go to another pool, and I created this iRule:

when CLIENTSSL_CLIENTCERT {
    # Store the client certificate, base64-encoded, for this connection
    set cert [b64encode [SSL::cert 0]]
}

when HTTP_REQUEST {
    if { [info exists cert] } {
        # Insert the header only for URIs listed in the dg_urls data group
        if { [class match [string tolower [HTTP::uri]] starts_with dg_urls] } {
            HTTP::header insert Certificate "$cert"
        }
        # Send /app1 requests to the app1 pool
        if { [string tolower [HTTP::uri]] starts_with "/app1" } {
            pool app1
        }
    }
}

Now it all works, but in the Network Map I do not see that the pool app1 is attached to the VS. I know that when we do this in an LTM policy I can see the pool attached to the VS, but I can do it in policy; I need that if a client goes to /APP1, insert the $cert header to the web server and forward to a pool.

Can I do this in any way so that I also see the app1 pool in the "Network Map"? If not, is there any way to make the iRule more effective?

  • If you're making pool selections in an iRule, these relationships aren't going to show up in the network map. You could minimally attach any pool to the VIP, and then override it in the iRule.

     

    On the behavior of the iRule, a few questions.

     

    • There's no else condition for '[info exists cert]'. What happens if cert doesn't exist?
    • There's no else condition for the class match. What happens if the URI is not in the data group?
    • There's no else condition for the pool selection. What happens if the URI doesn't start with '/app1'?
  • Hi,

     

    You can use both: an iRule to build and forward the header, then an LTM Policy to manage the pool.

     

    Could you do that, or do you have constraints?

     

    Regards

     

  • There's no else condition for '[info exists cert]'. What happens if cert doesn't exist?
    Drop.

    There's no else condition for the class match. What happens if the URI is not in the data group?
    Does not insert a cert header.

    There's no else condition for the pool selection. What happens if the URI doesn't start with '/app1'?
    Goes to default port in VS.

    Now all works fine.
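
An added example, not written by anyone in the thread: the iRule from the question with each missing else branch made explicit, following the answers given above. `dg_urls` and `app1` are the names used in the posts. The `default_pool` variable, the removal of a client-supplied `Certificate` header, and reading the "default" case as the pool attached to the virtual server are assumptions.

```tcl
# Added example; default_pool is a variable introduced here, not from the thread.
when CLIENT_ACCEPTED {
    # Remember the pool attached to the virtual server so requests that
    # are not for /app1 can be sent back to it explicitly.
    set default_pool [LB::server pool]
}

when CLIENTSSL_CLIENTCERT {
    # Keep the client certificate, base64-encoded, for this connection.
    if { [SSL::cert count] > 0 } {
        set cert [b64encode [SSL::cert 0]]
    }
}

when HTTP_REQUEST {
    # Assumption: the back end trusts the Certificate header, so any copy
    # sent by the client is removed before the rule decides to insert one.
    HTTP::header remove Certificate

    # No certificate on this connection: drop, as answered in the thread.
    if { ![info exists cert] } {
        drop
        return
    }

    set uri [string tolower [HTTP::uri]]

    # URI listed in the data group: insert the header; otherwise send none.
    if { [class match $uri starts_with dg_urls] } {
        HTTP::header insert Certificate $cert
    }

    # Choose the pool on every request, because a keep-alive connection
    # otherwise stays on the pool selected by an earlier request.
    if { $uri starts_with "/app1" } {
        pool app1
    } else {
        pool $default_pool
    }
}
```

Because the URI is lowercased before the lookup, the entries in `dg_urls` have to be lowercase as well.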