Forum Discussion
Michael_Horvat_
Nimbostratus
Mar 28, 2007
Default pool
Is there a way you can set a default pool in the HTTP_REQUEST event after a check like this?
when HTTP_REQUEST {
if { [matchclass [IP::client_addr] equals $::DVW] and
[HTTP::uri] ...
Michael_Horvat_
Nimbostratus
Mar 29, 2007
I see. Yes, both examples assign a pool based on the conditions. However, the second example reacts differently than the first. Essentially, if the pool command reacted the same in the HTTP_REQUEST event as it does in the CLIENT_ACCEPTED event, the rule would work. The CLIENT_ACCEPTED event seems to set the default pool correctly where the HTTP_REQUEST event doesn't; however, the CLIENT_ACCEPTED event is inadequate for the checks needed. I need the rule to set the default group as it does when using the CLIENT_ACCEPTED event, but also providing both the IP address and uri checks in the HTTP_REQUEST event. I also tried rewriting the check as previously suggested, but it doesn't change how the rule reacts.
Here are detailed examples of each scenario.
The first example, which I am using now, does exactly what it is intended to do until you try inserting certificates in the HTTP header for the backend servers. The header insert gets lost when users don't put the trailing slash on the URL, unless a "default group" that is selected through the GUI is the server pool where traffic is headed. This is what the rule looks like.
when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate in the session table, keyed by SSL session ID (180-second timeout)
    set cur [SSL::sessionid]
    session add ssl $cur [SSL::cert 0] 180
}
when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl [SSL::sessionid]]
    if { $the_cert != "" } {
        # Pass the subject of the cached client certificate to the backend servers
        HTTP::header replace CertSubject [X509::subject $the_cert]
    }
    # "and" binds tighter than "or": the URI alternatives are parenthesized so the
    # client address check applies to every prefix, not only the first one
    if { [matchclass [IP::client_addr] equals $::DVW] and (
        [HTTP::uri] starts_with "/NGQMRepository_com" or
        [HTTP::uri] starts_with "/NGQMRepository_res" or
        [HTTP::uri] starts_with "/q4" or
        [HTTP::uri] starts_with "/QMSCTWeb" or
        [HTTP::uri] starts_with "/qmwise4" or
        [HTTP::uri] starts_with "/repxcl4" or
        [HTTP::uri] starts_with "/SCPCentral" or
        [HTTP::uri] starts_with "/SCPIntermediarySrvce" or
        [HTTP::uri] starts_with "/SCPRemote" or
        [HTTP::uri] starts_with "/2004content" or
        [HTTP::uri] starts_with "/Faculty_Virtual" ) } {
        use pool server_group_a
    } elseif { [matchclass [IP::client_addr] equals $::MIL] and (
        [HTTP::uri] starts_with "/NGQMRepository_com" or
        [HTTP::uri] starts_with "/NGQMRepository_res" or
        [HTTP::uri] starts_with "/q4" or
        [HTTP::uri] starts_with "/QMSCTWeb" or
        [HTTP::uri] starts_with "/qmwise4" or
        [HTTP::uri] starts_with "/repxcl4" or
        [HTTP::uri] starts_with "/SCPCentral" or
        [HTTP::uri] starts_with "/SCPIntermediarySrvce" or
        [HTTP::uri] starts_with "/SCPRemote" or
        [HTTP::uri] starts_with "/2004content" or
        [HTTP::uri] starts_with "/Faculty_Virtual" ) } {
        use pool server_group_b
    }
}
The second example reacts similarly to setting the "default group" selection in the GUI. The header inserts do not get lost when going to a different server pool than the selection in the GUI. But the CLIENT_ACCEPTED event does not allow for uri commands. Incoming traffic needs to match both the IP address and the uri to direct the traffic, as some IP addresses are in multiple groups. This is what that rule looks like.
when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate in the session table, keyed by SSL session ID (180-second timeout)
    set cur [SSL::sessionid]
    session add ssl $cur [SSL::cert 0] 180
}
when CLIENT_ACCEPTED {
    # Only the client address is available here; no HTTP request has been parsed yet
    if { [matchclass [IP::client_addr] equals $::DVW] } {
        use pool server_group_a
    } elseif { [matchclass [IP::client_addr] equals $::MIL] } {
        use pool server_group_b
    }
}
when HTTP_REQUEST {
    set id [SSL::sessionid]
    set the_cert [session lookup ssl [SSL::sessionid]]
    if { $the_cert != "" } {
        # Pass the subject of the cached client certificate to the backend servers
        HTTP::header replace CertSubject [X509::subject $the_cert]
    }
    # "and" binds tighter than "or": the URI alternatives are parenthesized so the
    # client address check applies to every prefix, not only the first one
    if { [matchclass [IP::client_addr] equals $::DVW] and (
        [HTTP::uri] starts_with "/NGQMRepository_com" or
        [HTTP::uri] starts_with "/NGQMRepository_res" or
        [HTTP::uri] starts_with "/q4" or
        [HTTP::uri] starts_with "/QMSCTWeb" or
        [HTTP::uri] starts_with "/qmwise4" or
        [HTTP::uri] starts_with "/repxcl4" or
        [HTTP::uri] starts_with "/SCPCentral" or
        [HTTP::uri] starts_with "/SCPIntermediarySrvce" or
        [HTTP::uri] starts_with "/SCPRemote" or
        [HTTP::uri] starts_with "/2004content" or
        [HTTP::uri] starts_with "/Faculty_Virtual" ) } {
        use pool server_group_a
    } elseif { [matchclass [IP::client_addr] equals $::MIL] and (
        [HTTP::uri] starts_with "/NGQMRepository_com" or
        [HTTP::uri] starts_with "/NGQMRepository_res" or
        [HTTP::uri] starts_with "/q4" or
        [HTTP::uri] starts_with "/QMSCTWeb" or
        [HTTP::uri] starts_with "/qmwise4" or
        [HTTP::uri] starts_with "/repxcl4" or
        [HTTP::uri] starts_with "/SCPCentral" or
        [HTTP::uri] starts_with "/SCPIntermediarySrvce" or
        [HTTP::uri] starts_with "/SCPRemote" or
        [HTTP::uri] starts_with "/2004content" or
        [HTTP::uri] starts_with "/Faculty_Virtual" ) } {
        use pool server_group_b
    }
}
I tried forcing a trailing slash onto the incoming uri which solves the header problem, but the website doesn't like it. More than half the redirects in the site don't work once the user is on the site.
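Added example (not part of the original posts; plain Tcl for tclsh, not an iRule): the rules in this thread combine one client-address check with a list of URI prefixes using and/or, and in Tcl expressions and (&&) binds tighter than or (||), so grouping decides whether the address check covers every prefix. The address list, prefix list and sample requests are constructed, and in_class and starts_with are hypothetical stand-ins for matchclass and the iRule starts_with operator.

```tcl
# Added example: plain Tcl, runs in tclsh. All values below are constructed.
set DVW      {10.1.1.10 10.1.1.11}
set prefixes {/NGQMRepository_com /q4 /QMSCTWeb}

# Hypothetical stand-ins for [matchclass ... equals $::DVW] and "starts_with".
proc in_class    {addr class} { expr {[lsearch -exact $class $addr] >= 0} }
proc starts_with {uri prefix} { expr {[string first $prefix $uri] == 0} }

# Ungrouped: a && b || c || d parses as (a && b) || c || d,
# so only the first prefix is tied to the client address.
proc ungrouped {addr uri} {
    global DVW
    expr {[in_class $addr $DVW] && [starts_with $uri "/NGQMRepository_com"]
          || [starts_with $uri "/q4"]
          || [starts_with $uri "/QMSCTWeb"]}
}

# Grouped: the address check gates every prefix.
proc grouped {addr uri} {
    global DVW prefixes
    if {![in_class $addr $DVW]} { return 0 }
    foreach p $prefixes {
        if {[starts_with $uri $p]} { return 1 }
    }
    return 0
}

# Constructed requests: class member, then a non-member on the same URIs.
foreach {addr uri} {
    10.1.1.10   /q4/index.asp
    192.0.2.50  /q4/index.asp
    192.0.2.50  /NGQMRepository_com/x
    10.1.1.10   /other
} {
    puts [format "%-12s %-24s ungrouped=%d grouped=%d" \
        $addr $uri [ungrouped $addr $uri] [grouped $addr $uri]]
}
```

The two forms differ only for an address outside the class requesting a prefix other than the first one in the list.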