Forum Discussion
mart_58302
Nimbostratus
Sep 23, 2008
Destination based redirect irule, a'la cache.pac implementing?
Hello.
We are using F5 as a gateway for proxy servers, and everything works fine, but due to routing on the proxies, if the client's destination is the local network, the proxies can't connect t...
hoolio
Cirrostratus
Oct 06, 2008
I didn't have the period character listed in the scan command, so the IP address check would have always failed. Here is an alpha rule example which checks the host header for IP addresses. If the requested host is an IP or IP:port, where the IP is an internal IP, the rule sends the request to the requested IP (or IP:port). All other requests are sent to the proxy pool. I wasn't sure what a server would do with the Proxy-Connection header, so I removed it. I tested this with a few requests, but not thoroughly. It doesn't support SSL to the server. I'd have to do a bit more testing to try to support that.
Aaron
when HTTP_REQUEST {

   # Check if host header value only contains numerals, '.' or ':'
   # The format is {%[CHARS]}, where CHARS can be character ranges or single characters.
   # The literal hyphen character '-' needs to be listed first or last in the character set
   if {[scan [HTTP::host] {%[0-9.:]}] eq [HTTP::host]} {

      log local0. "[IP::client_addr]:[TCP::client_port]: Matched header: [HTTP::host]"

      # Split the host header value on the : if it exists.
      set ip [getfield [HTTP::host] ":" 1]
      set port [getfield [HTTP::host] ":" 2]
      log local0. "[IP::client_addr]:[TCP::client_port]: \$ip: $ip, \$port: $port"

      # Check if the IP is an internal IP address (matches the stock private_net datagroup).
      # Running matchclass against the parsed IP address verifies the
      # parsed IP address is valid so we don't need additional checks.
      if {[matchclass $ip eq $::private_net]} {

         log local0. "[IP::client_addr]:[TCP::client_port]: Match class test, sending request to $ip:$port"

         # Request is to a local IP address, so use the host value and the port if it's included as the destination.
         # 'string is integer' returns true for a null length variable, so check that the string length is greater than 0 and that the string is an integer
         if {[info exists port] and [string length $port] and [string is integer $port]} {
            node $ip $port
         } else {
            node $ip 80
         }

         # Remove the Proxy-Connection header.
         HTTP::header remove "Proxy-Connection"

         # Stop processing this event in this rule.
         return
      }
   }
   pool proxy_pool
   log local0. "[IP::client_addr]:[TCP::client_port]: Didn't match header: [HTTP::host], or IP was not internal"
}
Make sure to remove the spaces in the scan parameter:
{ % [ 0 - 9 . : ] }
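The routing decision described in the post above, modelled offline in Python so Host header edge cases can be checked before a rule goes on a virtual server. This is an added example, not hoolio's code: the function name `route`, the RFC 1918 ranges standing in for the `private_net` data group, and the choice to send a malformed port to the proxy pool are assumptions.

```python
import ipaddress

# Assumption: the private_net data group holds the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED = set("0123456789.:")   # same character set as the scan format
PROXY = ("pool", "proxy_pool")


def route(host):
    """Return ("node", ip, port) for internal IP literals, else PROXY."""
    # Step 1: character-set filter, equivalent to the scan comparison.
    if not host or not set(host) <= ALLOWED:
        return PROXY
    # Step 2: split on the first ':'. Unlike getfield, anything after a
    # second ':' stays in port_text and is rejected in step 5.
    ip_text, _, port_text = host.partition(":")
    # Step 3: the filter also admits "999.1.1.1" or "10.1", so parse strictly.
    try:
        ip = ipaddress.IPv4Address(ip_text)
    except ipaddress.AddressValueError:
        return PROXY
    # Step 4: only internal destinations may bypass the proxy.
    if not any(ip in net for net in PRIVATE_NETS):
        return PROXY
    # Step 5: default to 80; a port outside 1-65535 goes to the proxy pool.
    if port_text == "":
        return ("node", str(ip), 80)
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        return PROXY
    return ("node", str(ip), int(port_text))


# Constructed sample Host header values.
SAMPLES = ["10.1.2.3", "192.168.0.5:8080", "8.8.8.8", "999.1.1.1",
           "10.1", "10.0.0.1:99999", "10.0.0.1:80:80", "intranet.example"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:22} -> {route(h)}")
```

Only the first two samples are sent directly to a node; every other value falls through to the proxy pool, which is the behaviour to confirm for the same inputs against the iRule's log output.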