For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Joseph_Lindsly's avatar
Joseph_Lindsly
Jan 25, 2016

Current reverse proxy irule having issues with the third party hosted site

I currently have a client requirement to reverse proxy specific URI traffic to a third party hosted site while the rest of the traffic is sent to our local datacenter servers. Also, the URL in the a...
application delivery
iRules
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 25, 2016

Hi Joseph,

 

your iRule covers already a lot of areas to translate the request and responses to/from the 3rd party site. Good job so far!

 

I can name just a very few things that are left out...

 

  • Translate Referer information send to the 3rd party site.
  • Translate cookie domains send from the 3rd party site.

But those things shouldn't create a server side redirect, that could bypass your Location header rewrite? Maybe a HTML / JScript based redirect on the client side?

 

Anyhow, I've reworked a little your iRule to cover the additional rewrites, removed some death code and added some performance related things. The optimized iRule would look like this...

 

when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/it-jobs/")} {
        set www_xyz_com 1
        HTTP::header replace Host "www.xyz.com"
        if { [HTTP::header exists Referer] } then {
            HTTP::header replace Referer [string map -nocase { www.abc.com www.xyz.com } [HTTP::header value Referer]]
        }
        if { [set node [table lookup -notouch "DNS_www_xyz_com"]] eq "" } then {
            if { [set node [lindex [RESOLV::lookup @8.8.8.8 -a "www.xyz.com"] 0]]] ne "" } then {
                table add "DNS_www_xyz_com" $ip_www_xyz_com indef 300
            } else {
                HTTP::redirect "/errorpage_www_xyz_com_unreachable.htm
                TCP::close
                return
            }
        }
        node $ip_www_xyz_com
    }
}
when HTTP_RESPONSE {
    if { $www_xyz_com } then {
        if { [HTTP::header exists Location] } then {
            HTTP::header replace Location [string map -nocase { www.xyz.com www.abc.com } [HTTP::header value Location]]
        }
        if { [HTTP::header count Set-Cookie] == 1 } then {
            HTTP::header replace Set-Cookie [string map -nocase { www.xyz.com www.abc.com } [HTTP::header value Set-Cookie]]
        } elseif { [HTTP::header count Set-Cookie] > 1 } then {
            set cookies [string map -nocase { domain=www.xyz.com domain=www.abc.com domain=.xyz.com domain=.abc.com} [HTTP::header values Set-Cookie]]
            HTTP::header remove Set-Cookie
            foreach cookie $cookies {
                HTTP::header insert Set-Cookie $cookie
            }
        }
        if { [HTTP::header value Content-Type] starts_with "text" } then {
              STREAM::expression "@www.xyz.com@www.abc.com@"
              STREAM::enable
        } else {
            STREAM::disable
        }
    }
}

If those changes are not working out for you, you may want to install Fiddler or HTTP-Watch to find the differences in the HTTP requests, HTTP responses and related HTML and JScript contents. There must be one!

 

Cheers, Kai