Forum Discussion
mart_58302
Nimbostratus
Sep 23, 2008
Destination based redirect iRule, à la cache.pac implementing?
Hello.
We are using F5 as the gateway for proxy servers, and everything works fine, but due to routing in the proxies, if the client's destination is the local network, the proxies can't connect to the local network, so the web browsers are using a cache.pac in which it is defined that if the destination is the local network, traffic goes directly, not via F5. Example:
function FindProxyForURL(url, host) {
    // only IP-literal hosts are tested against the local networks
    if (shExpMatch(host, "*[^0123456789.]*") == false) {
        if (isInNet(host, "127.0.0.0", "255.0.0.0")
            || isInNet(host, "172.17.0.0", "255.255.0.0")
            || isInNet(host, "172.18.0.0", "255.255.0.0")) {
            return "DIRECT";
        }
    }
    // everything else (other IP literals and all hostnames) goes via the proxy
    return "PROXY proxygateway.internal:8080; DIRECT";
}
But clients who can't read/use the cache.pac can't connect to the local network at all, so is it possible on the F5, with an iRule, to do the same thing as with cache.pac, i.e. if the destination is the local network, F5 redirects all this traffic to the network directly and without any NAT/SNAT?
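A runnable model of the cache.pac decision above, added here as an example; it is not the original poster's file. Browsers supply isInNet() to PAC scripts, so it is reimplemented here in order to run FindProxyForURL() offline with plain Node.js. The networks and the proxy string are the poster's; the IP-literal test uses a regex instead of shExpMatch because the Netscape PAC description defines shExpMatch with only the * and ? wildcards, so a bracket class like [^0123456789.] depends on the engine. Two things a practitioner should notice are made explicit in the code: the original nested if has no braces, so the else binds to the inner if and a hostname returns undefined rather than the proxy string; and the "; DIRECT" fallback means a browser that cannot reach the proxy goes direct, which quietly bypasses the proxy for everything.

```javascript
// Added example (not the original poster's file): a runnable model of the
// cache.pac decision above. Browsers supply isInNet() to PAC scripts; it is
// reimplemented here so FindProxyForURL() can be run and checked with Node.js.

const PROXY = "PROXY proxygateway.internal:8080"; // poster's proxy string
const DIRECT_NETS = [                               // poster's bypass list: [network, mask]
  ["127.0.0.0", "255.0.0.0"],
  ["172.17.0.0", "255.255.0.0"],
  ["172.18.0.0", "255.255.0.0"],
];

// Dotted quad -> unsigned 32-bit integer, or null if the string is not one.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// PAC isInNet(host, pattern, mask) for an IP-literal host. A real browser would
// DNS-resolve a hostname here; this offline version treats a non-literal host as
// "not in net", which is the case the poster's PAC guards against by testing for
// an IP literal first.
function isInNet(host, pattern, mask) {
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Stands in for shExpMatch(host, "*[^0123456789.]*") == false: true only for a
// well-formed dotted-quad literal.
function isIpLiteral(host) {
  return ipToInt(host) !== null;
}

// Same decision as the poster's PAC, with explicit braces: in the original the
// else binds to the inner if, so a hostname returns undefined instead of PROXY.
function FindProxyForURL(url, host) {
  if (isIpLiteral(host)) {
    for (const [net, mask] of DIRECT_NETS) {
      if (isInNet(host, net, mask)) return "DIRECT";
    }
  }
  // "; DIRECT" is a fallback: if the proxy is unreachable the browser goes
  // direct, silently bypassing it. Drop the fallback if the proxy must be enforced.
  return PROXY + "; DIRECT";
}

// Quick demonstration when run directly: node pac.js
if (typeof require !== "undefined" && require.main === module) {
  for (const h of ["127.0.0.1", "172.17.5.9", "172.19.0.1", "intranet.example"]) {
    console.log(h, "=>", FindProxyForURL("http://" + h + "/", h));
  }
}
```

Running it prints DIRECT for 127.0.0.1 and 172.17.5.9 and the proxy string for 172.19.0.1 and intranet.example. If the bypass should also apply to internal hostnames, the PAC would have to resolve them (dnsResolve) before the isInNet checks, which turns every decision into a DNS lookup.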
35 Replies
- hoolio
Cirrostratus
Hi Mart,
Do you have a pool of proxy servers and another pool defined to handle the traffic? If so, you can use a rule like this:

when HTTP_REQUEST {
    # Check if the host header value only contains numerals, dots or colons.
    # The format is {%[CHARS]}, where CHARS can be character ranges or single characters.
    # A literal hyphen '-' needs to be listed first or last in the character set.
    if { [scan [HTTP::host] {%[0-9.:]}] eq [HTTP::host] } {
        # Split the host header value on the ":" if it exists and check
        # if it's part of the stock private_net datagroup
        if { [matchclass [getfield [HTTP::host] ":" 1] equals $::private_net] } {
            # Use the direct pool
            pool direct_pool
            # Stop processing this event in this rule
            return
        }
    }
    # If we reached here, use the proxy pool
    pool proxy_pool
}

Aaron
- hoolio
Cirrostratus
The forum is munging the scan characters. Replace:
{%Ύ-9:]}
with:
{ % [ 0 - 9 : ] }
minus the spaces
Aaron
- mart_58302
Nimbostratus
Do you have a pool of proxy servers and another pool defined to handle the traffic? If so, you can use a rule like this:
Thank you for the example.
Yes, I have a proxy pool, but I don't have a so-called direct traffic pool yet. And does this rule apply only to HTTP traffic or globally, as streaming etc. may also need to go directly?
I did find one example: http://devcentral.f5.com/Wiki/default.aspx/iRules/DestinationBasedRouting.html
But this redirecting of direct traffic to some pool confused me. So it seems I need it in any case?
- hoolio
Cirrostratus
If you don't have a pool defined to handle the non-proxy requests, you could forward them according to the routing table to their destination. Try replacing 'pool direct_pool' with 'forward'.
Aaron
- mart_58302
Nimbostratus
If you don't have a pool defined to handle the non-proxy requests, you could forward them according to the routing table to their destination. Try replacing 'pool direct_pool' with 'forward'.
Hmm, it seems it doesn't work, as I can't even enable this iRule:
01070394:3: HTTP_REQUEST event in rule (proxy_bypass) requires an associated HTTP or FASTHTTP profile on the virtual server (live-proxy).
As we are sending all traffic to the proxy without any profile. Then I tried this without success:
when CLIENT_ACCEPTED {
    if { [matchclass [IP::local_addr] equals $::255.240.0.0] } {
        forward
    } elseif { [matchclass [IP::local_addr] equals $::255.255.0.0] } {
        forward
    } else {
        pool live-proxy-pool
    }
}
- hoolio
Cirrostratus
Can you add an HTTP profile to the VIP and test with the example in my first post above? The HTTP profile is required to allow LTM to parse the request as HTTP.
The private_net class referenced in the example is a stock class of addresses defining the RFC 1918 internal IPs:
b class private_net list
class private_net {
network 10.0.0.0/8
network 172.16.0.0/12
network 192.168.0.0/16
}
If you don't want to parse the HTTP and can instead look at the requested IP address, you could use something like this:

when CLIENT_ACCEPTED {
    if { [matchclass [IP::local_addr] equals $::private_net] } {
        forward
    } else {
        pool live-proxy-pool
    }
}
As this rule doesn't inspect the HTTP headers/data you wouldn't need an HTTP profile on the VIP.
Aaron
- mart_58302
Nimbostratus
Can you add an HTTP profile to the VIP and test with the example in my first post above? The HTTP profile is required to allow LTM to parse the request as HTTP.
I can't, as all traffic goes through the F5 to the proxies without any profiles. So I'll give the second one a try, but did I understand correctly that this private_net/local_addr is already declared somewhere, or must I declare it/them myself in this iRule?
- hoolio
Cirrostratus
If you define a VIP on 0.0.0.0/0.0.0.0 on port 80, this more specific VIP would match all port 80 traffic and you could add an HTTP VIP. But if you want to filter based on the destination address of the connection attempt, the second rule would be more efficient and not require an HTTP profile.
The private_net datagroup is predefined in the /config/profile_base.conf, so you don't need to do anything to reference it.
Aaron
- mart_58302
Nimbostratus
If you define a VIP on 0.0.0.0/0.0.0.0 on port 80, this more specific VIP would match all port 80 traffic and you could add an HTTP VIP. But if you want to filter based on the destination address of the connection attempt, the second rule would be more efficient and not require an HTTP profile.
The private_net datagroup is predefined in the /config/profile_base.conf, so you don't need to do anything to reference it.
Tried this global traffic rule, no luck; somehow all traffic gets dropped, direct and also through the proxy. Any hint on how to solve this is welcome.
- hoolio
Cirrostratus
If the destination IP address on the client request is what you're trying to evaluate, can you try this rule on the 0.0.0.0:80 VIP with no HTTP profile?

when CLIENT_ACCEPTED {
    if { [matchclass [IP::local_addr] equals $::private_net] } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Request to [IP::local_addr]:[TCP::local_port] matched local addresses"
        forward
    } else {
        log local0. "[IP::client_addr]:[TCP::client_port]: Request to [IP::local_addr]:[TCP::local_port] didn't match local addresses"
        pool live-proxy-pool
    }
}
Can you try testing a request to an internal IP and an external IP? If it doesn't work, check the /var/log/ltm log file for log statements from the rule. Make sure you have routing in place for the non-local addresses. A tcpdump might help in troubleshooting any issues.
Aaron
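The routing decision of hoolio's two rules (the HTTP_REQUEST rule keyed on the Host header in his first reply, and the CLIENT_ACCEPTED rule keyed on IP::local_addr in the later ones), modelled offline as an added example. This is neither F5 code nor code from the thread; it assumes the stock private_net data group exactly as printed by "b class private_net list" above, and uses the pool names from the thread. It parses that class listing, implements the subnet match that matchclass performs against an address data group (note that matchclass takes a data group name such as private_net, not a netmask), and then applies each rule's logic. The Host-header path reproduces the two details that decide whether an IP literal is recognised: the scan character set has to include the dot or a dotted quad never passes, and getfield on ":" strips a port. The last function shows the practitioner's reason to prefer the CLIENT_ACCEPTED form for "is the destination local": the destination IP is where the client actually connected, while the Host header is text the client chooses, so the two rules disagree whenever those differ.

```javascript
// Added example (not F5 code and not from the thread): the routing decision of
// hoolio's two iRules, modelled offline so their behaviour on different inputs
// can be checked. Assumes the stock private_net data group listed in the thread;
// the pool names are the ones used in the thread.

// The private_net class as printed by "b class private_net list".
const PRIVATE_NET_CLASS = `class private_net {
   network 10.0.0.0/8
   network 172.16.0.0/12
   network 192.168.0.0/16
}`;

// Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4 literal.
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Parse "network A.B.C.D/len" members of a class listing into [networkInt, maskInt].
function parseNetworkClass(text) {
  const nets = [];
  for (const line of text.split("\n")) {
    const m = /^\s*network\s+(\d+\.\d+\.\d+\.\d+)\/(\d{1,2})\s*$/.exec(line);
    if (!m) continue;
    const len = Number(m[2]);
    const net = ipToInt(m[1]);
    if (net === null || len > 32) continue;
    const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
    nets.push([(net & mask) >>> 0, mask]);
  }
  return nets;
}

// Equivalent of [matchclass $ip equals $::private_net] for an address class:
// true when the address falls inside any listed network.
function matchclass(ip, nets) {
  const a = ipToInt(ip);
  if (a === null) return false;
  return nets.some(([net, mask]) => ((a & mask) >>> 0) === net);
}

// hoolio's CLIENT_ACCEPTED rule: keyed on the connection's destination address
// (IP::local_addr). Needs no HTTP profile, so it also covers non-HTTP traffic.
function clientAcceptedRule(dstIp, nets) {
  return matchclass(dstIp, nets) ? "forward" : "pool live-proxy-pool";
}

// hoolio's HTTP_REQUEST rule: keyed on the Host header. The scan check passes
// only when the header consists of digits, dots and colons (the dot has to be in
// the set or a dotted quad never passes); getfield on ":" strips a port.
function httpRequestRule(hostHeader, nets) {
  if (/^[0-9.:]+$/.test(hostHeader)) {
    const addr = hostHeader.split(":")[0];          // [getfield [HTTP::host] ":" 1]
    if (matchclass(addr, nets)) return "pool direct_pool";
  }
  return "pool proxy_pool";
}

// The destination IP is where the client actually connected; the Host header is
// text the client sends. The two rules disagree whenever those differ.
function compareRules(dstIp, hostHeader, nets) {
  return {
    byDestination: clientAcceptedRule(dstIp, nets),
    byHost: httpRequestRule(hostHeader, nets),
  };
}

// Quick demonstration when run directly: node irule_model.js
if (typeof require !== "undefined" && require.main === module) {
  const nets = parseNetworkClass(PRIVATE_NET_CLASS);
  for (const d of ["10.20.30.40", "172.32.0.1", "8.8.8.8"]) {
    console.log("dst", d, "=>", clientAcceptedRule(d, nets));
  }
  console.log("dst 8.8.8.8 / Host: 10.0.0.5 =>", compareRules("8.8.8.8", "10.0.0.5", nets));
}
```

172.31.255.1 is forwarded (inside 172.16.0.0/12) while 172.32.0.1 goes to the proxy pool, which is the kind of boundary worth checking against the /var/log/ltm lines the logging rule above writes. Both rules leave source address translation to the VIP's own SNAT setting; the iRule only chooses between forwarding by the routing table and sending to a pool.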