Forum Discussion
mart_58302
Nimbostratus
Sep 23, 2008
Implementing a destination-based redirect iRule à la cache.pac?
Hello.
We are using an F5 as the gateway for our proxy servers, and everything works fine, but because of the routing on the proxies, if the client's destination is the local network the proxies can't connect to it, so the web browsers use a cache.pac which defines that if the destination is the local network the traffic goes directly, not via the F5. Example:
    function FindProxyForURL(url, host) {
        // Only IP-literal hosts are checked; hostnames fall out of the
        // function without a return value.
        if (shExpMatch(host, "*[^0123456789.]*") == false) {
            if (isInNet(host, "127.0.0.0", "255.0.0.0")
                || isInNet(host, "172.17.0.0", "255.255.0.0")
                || isInNet(host, "172.18.0.0", "255.255.0.0"))
                return "DIRECT";
            else
                return "PROXY proxygateway.internal:8080; DIRECT";
        }
    }
But clients who can't read/use the cache.pac can't connect to the local network at all, so is it possible to do the same thing on the F5 with an iRule as with the cache.pac, i.e. if the destination is the local network, the F5 forwards all this traffic to the network directly and without any NAT/SNAT?
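As an added illustration (not code from this thread), the same decision the cache.pac makes, written in Python as a model of what an iRule on the proxy VIP has to do: with a fixed (explicit) proxy every client TCP connection is addressed to the proxy itself, so the real destination must be read from the HTTP request line (the absolute-form URI, or the host:port of a CONNECT) before it is compared against the local networks. The networks are the ones from the PAC above; the request lines are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Same ranges as the isInNet() calls in the cache.pac above.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "172.17.0.0/16", "172.18.0.0/16")]


def request_target(request_line):
    """Return (host, port) the client actually wants, taken from a proxy-style
    request line. Behind an explicit proxy the TCP destination is always the
    proxy itself, so only the request line carries the real destination:
      CONNECT 172.17.3.4:443 HTTP/1.1        (HTTPS tunnel)
      GET http://172.17.3.4/path HTTP/1.1    (plain HTTP, absolute-form URI)
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.strip("[]"), int(port)
    parts = urlsplit(target)
    if not parts.hostname:
        raise ValueError("not an absolute-form proxy request: %r" % request_line)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def is_local_destination(host):
    """Mirror the PAC: only IP-literal hosts are tested against the local nets
    (the shExpMatch guard); hostnames are not resolved and count as non-local."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def route_for(request_line):
    """'DIRECT' for local destinations (forward without the proxy pool),
    'PROXY' for everything else, plus the target the decision was based on."""
    host, port = request_target(request_line)
    return ("DIRECT" if is_local_destination(host) else "PROXY", host, port)


if __name__ == "__main__":
    # Constructed sample request lines as an explicit proxy would see them.
    for line in ("CONNECT 172.17.3.4:443 HTTP/1.1",
                 "GET http://172.18.15.13:8443/status HTTP/1.1",
                 "GET http://10.9.8.7/ HTTP/1.1",
                 "GET http://www.example.com/ HTTP/1.0"):
        print(line, "->", route_for(line))
```

Checking the TCP destination instead (as the thread's debug log shows) matches the proxy VIP address for every request, whatever the client is really asking for.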
35 Replies
- mart_58302
Nimbostratus
Can you try testing a request to an internal IP and an external IP? If it doesn't work, check the /var/log/ltm log file for log statements from the rule. Make sure you have routing in place for the non-local addresses. A tcpdump might help in troubleshooting any issues.
Strange, I enabled this rule but absolutely nothing appeared in the logs (according to this rule; all the audit etc. stuff is still there). Routing seems to be OK, as the default route is our internal gateway.
This is very weird. I even tried to make a so-called forwarding pool, but still nothing in the logs?
- hoolio
Cirrostratus
If you add a RULE_INIT event with a log statement, do you see the log statement written to /var/log/ltm? If so, then I'd guess the traffic is matching a more specific VIP or not hitting LTM at all. If you don't see the log statement, it's probably because syslog-ng is configured for external logging or customized to not log to the default destination /var/log/ltm.
    when RULE_INIT { log local0. "Test" }
Aaron
- mart_58302
Nimbostratus
If you add a RULE_INIT event with a log statement, do you see the log statement written to /var/log/ltm? If so, then I'd guess the traffic is matching a more specific VIP or not hitting LTM at all. If you don't see the log statement, it's probably because syslog-ng is configured for external logging or customized to not log to the default destination /var/log/ltm.
Added your suggested iRule to the proxy VIP, and at once this appeared in /var/log/ltm:
tail -f /var/log/ltm
Sep 30 12:12:32 tmm tmm[1712]: Rule : Test
And syslog wasn't configured to send to an external server at all, so I did that just now. Btw, since yesterday I'm running BIG-IP 9.4.5 Build 1086.1 Hotfix HF2; before it was 9.2.4 Build 031.
So what next?
- mart_58302
Nimbostratus
Can you try testing a request to an internal IP and an external IP? If it doesn't work, check the /var/log/ltm log file for log statements from the rule. Make sure you have routing in place for the non-local addresses. A tcpdump might help in troubleshooting any issues.
Hmm, something new appeared: suddenly I can see logs, and it seems that no matter what the destination IP is (local or external), the log is the same:
Sep 30 12:41:38 tmm tmm[1712]: Rule private_net_bypass_proxy_debug : 172.18.15.13:1327: Request to 192.168.121.125:8080 matched local addresses
And if the destination IP is local (in the private_net group), still no traffic goes through.
- Nicolas_Menant
Employee
Hi,
Since you use v9.4.5 you must remove the "$" sign when calling a class, so it should be ::private_net instead of $::private_net. (This will make the iRule CMP compatible if you are using a CMP-compatible platform.)
If the destination IP is local, do you at least see the log line in /var/log/ltm?
- mart_58302
Nimbostratus
Since you use v9.4.5 you must remove the "$" sign when calling a class, so it should be ::private_net instead of $::private_net. (This will make the iRule CMP compatible if you are using a CMP-compatible platform.)
If the destination IP is local, do you at least see the log line in /var/log/ltm?
OK, I can test it tomorrow, but one more thing: we don't use a transparent proxy but a fixed one, like proxy.internal:8080, so it seems that this iRule can't actually forward local traffic now, as the destination port for all (proxy) traffic is 8080, not 80 or 443 etc. Maybe this iRule needs some remapping or so?
What do you think about that?
- Nicolas_Menant
Employee
Hi,
If your client connects to the VS on port 443 or 80 and you want to forward the traffic to port 8080, then:
- Your pool member must be configured with port 8080
- Your VS must have port translation checked (switch to advanced configuration in the VS to see this option)
Maybe you can show us your VS and pool configuration; that may definitely help. It is in the /config/bigip.conf file.
- mart_58302
Nimbostratus
Hi,
If your client connects to the VS on port 443 or 80 and you want to forward the traffic to port 8080, then:
- Your pool member must be configured with port 8080
- Your VS must have port translation checked (switch to advanced configuration in the VS to see this option)
Maybe you can show us your VS and pool configuration; that may definitely help. It is in the /config/bigip.conf file.
The VIP is configured without any profile and for all traffic, port translation is enabled, conf is here:
    pool live-proxy-pool {
       lb method member ratio
       action on svcdown reselect
       snat disable
       nat disable
       monitor all gateway_icmp and proxy-www.google.ee and proxy-www.neti.ee
       members
          192.168.125.114:any ratio 9
          192.168.125.115:any ratio 7
          192.168.125.116:any ratio 3
    }
    virtual live-proxy {
       pool live-proxy-pool
       destination 192.168.125.113:any
       ip protocol tcp
       vlans Virtual enable
       persist source_addr
       translate service enable
    }
- mart_58302
Nimbostratus
Posted By nmenant on 09/30/2008 2:58 AM
Hi,
Since you use v9.4.5 you must remove the "$" sign when calling a class, so it should be ::private_net instead of $::private_net. (This will make the iRule CMP compatible if you are using a CMP-compatible platform.)
If the destination IP is local, do you at least see the log line in /var/log/ltm?
OK, changed this rule, but still all destination IPs, local and non-local, are caught as local:
Oct 1 12:50:32 tmm tmm[1712]: Rule private_net_bypass_proxy_debug : 172.18.15.13:4831: Request to 192.168.121.125:8080 matched local addresses
- Nicolas_Menant
Employee
Hi,
With your configuration, here is what is happening:
If the client connects on port 80 then it will try to connect on port 80 on your pool, since you specified "any" for the port on the VS and on each pool member.
If you want to receive all HTTP connections on port 8080 on your pool then you should change the port information from any to 8080:
    pool live-proxy-pool {
       lb method member ratio
       action on svcdown reselect
       snat disable
       nat disable
       monitor all gateway_icmp and proxy-www.google.ee and proxy-www.neti.ee
       members
          192.168.125.114:8080 ratio 9
          192.168.125.115:8080 ratio 7
          192.168.125.116:8080 ratio 3
    }