Forum Discussion
jake_macabuag_4
Nimbostratus
Jan 07, 2013
Content switching with SSL offloading on a single virtual server address
Hi guys,
We are planning to implement content switching using just one virtual server IP address. This single IP will represent multiple URLs with SSL. This is in order for our client to save...
nitass
Employee
Jan 13, 2013
"But how can I incorporate that with my previous HTTP iRule? Basically, after doing content switching, it will check if the client IP is allowed to access the pool before forwarding it. Else, it will be rejected."
The CLIENT_ACCEPTED event is triggered before the HTTP_REQUEST event, so we can reject the client IP address in CLIENT_ACCEPTED and select the pool based on the URL in HTTP_REQUEST.
iRules Insight - HTTP Event Order by Jason
https://devcentral.f5.com/blogs/us/irules-insight-http-event-order
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.14:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when CLIENT_ACCEPTED {
        log local0. "-"
        # drop the TCP connection unless the client IP is listed in the allow_ip_class data-group
        if { not [class match -- [IP::client_addr] equals allow_ip_class] } {
            log local0. "[IP::client_addr]:[TCP::client_port] is rejected"
            reject
        } else {
            log local0. "[IP::client_addr]:[TCP::client_port] is accepted"
        }
    }
    when HTTP_REQUEST {
        log local0. "-"
        # lowercase the URI so the glob patterns below match case-insensitively
        set uri [string tolower [HTTP::uri]]
        switch -glob $uri {
            "*opis*" { pool OPIS_POOL }
            "*reseller*" { pool RESELLER_POOL }
            default {
                pool RESELLER_POOL
            }
        }
    }
    when SERVER_CONNECTED {
        log local0. "-"
        log local0. "client [IP::client_addr]:[TCP::client_port] | uri $uri | pool [LB::server pool] | pool member [LB::server addr]:[LB::server port]"
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm data-group internal allow_ip_class
ltm data-group internal allow_ip_class {
    records {
        192.168.206.33/32 { }
    }
    type ip
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool OPIS_POOL
ltm pool OPIS_POOL {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool RESELLER_POOL
ltm pool RESELLER_POOL {
    members {
        200.200.200.111:80 {
            address 200.200.200.111
        }
    }
}
[root@ve11a:Active:Changes Pending] config tail -f /var/log/ltm
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:58:59 ve11a info tmm1[11170]: Rule /Common/myrule : 172.28.19.251:49004 is rejected
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55244 is accepted
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:25 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55244 | uri /opis/something | pool /Common/OPIS_POOL | pool member 200.200.200.101:80
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : 192.168.206.33:55246 is accepted
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : -
Jan 14 14:59:53 ve11a info tmm1[11170]: Rule /Common/myrule : client 192.168.206.33:55246 | uri /reseller/something | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : 192.168.206.33:55247 is accepted
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : -
Jan 14 15:00:14 ve11a info tmm[11170]: Rule /Common/myrule : client 192.168.206.33:55247 | uri /somethingelse | pool /Common/RESELLER_POOL | pool member 200.200.200.111:80
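To make the two-stage decision in the answer above easy to reason about outside a BIG-IP, here is an added Python model of it (example code written for this page, not nitass's iRule and not F5 code). It reproduces the CLIENT_ACCEPTED allowlist check against a constructed copy of the allow_ip_class data-group and the HTTP_REQUEST glob switch, and it also shows one thing the glob table does not make obvious: because "*opis*" is tested first and a glob matches anywhere in the lowercased URI, a request for a reseller path whose query string happens to contain "opis" is routed to OPIS_POOL. The stricter path-prefix variant (select_pool_path, my addition, not part of the original rule) avoids that by matching only the leading path segment.

```python
"""Model of the iRule's decision flow: allowlist first, then URI-based pool selection."""
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed copy of the allow_ip_class data-group (type ip) from the answer.
ALLOW_IP_CLASS = [ipaddress.ip_network("192.168.206.33/32")]

# Same ordered glob table as the iRule's "switch -glob"; first match wins.
POOL_GLOBS = [("*opis*", "OPIS_POOL"), ("*reseller*", "RESELLER_POOL")]
DEFAULT_POOL = "RESELLER_POOL"


def client_accepted(client_addr: str) -> bool:
    """Stage 1 (CLIENT_ACCEPTED): True if the client IP is in the allowlist."""
    ip = ipaddress.ip_address(client_addr)
    return any(ip in net for net in ALLOW_IP_CLASS)


def select_pool_glob(uri: str) -> str:
    """Stage 2 as written in the iRule: lowercase, then glob over the whole URI."""
    uri = uri.lower()
    for pattern, pool in POOL_GLOBS:
        if fnmatchcase(uri, pattern):  # '*' matches '/' and '?' too, like Tcl glob
            return pool
    return DEFAULT_POOL


def select_pool_path(uri: str) -> str:
    """Hypothetical stricter variant: decide on the path prefix only, ignoring the query."""
    path = urlsplit(uri).path.lower()
    if path == "/opis" or path.startswith("/opis/"):
        return "OPIS_POOL"
    if path == "/reseller" or path.startswith("/reseller/"):
        return "RESELLER_POOL"
    return DEFAULT_POOL


def handle(client_addr: str, uri: str, strict: bool = False):
    """Run both stages in iRule event order; returns ('reject', None) or ('accept', pool)."""
    if not client_accepted(client_addr):
        return ("reject", None)  # connection is dropped before any HTTP is parsed
    pool = select_pool_path(uri) if strict else select_pool_glob(uri)
    return ("accept", pool)


if __name__ == "__main__":
    # Constructed requests mirroring the /var/log/ltm lines in the answer.
    for addr, uri in [("172.28.19.251", "/opis/something"),
                      ("192.168.206.33", "/opis/something"),
                      ("192.168.206.33", "/reseller/something"),
                      ("192.168.206.33", "/somethingelse"),
                      ("192.168.206.33", "/reseller/list?ref=opis")]:
        print(addr, uri, handle(addr, uri), handle(addr, uri, strict=True))
```

The last constructed request is the interesting one: the glob form sends it to OPIS_POOL, the path-prefix form to RESELLER_POOL. Whichever behaviour is wanted, the per-pool access control still belongs on the pool side as well, since the CLIENT_ACCEPTED check here gates the whole virtual server, not an individual pool.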