Forum Discussion
Jason_Hook_4092
Nimbostratus
Apr 12, 2010
Expose pool member in response
I would like to expose which pool member responded to the request for tracking within TrueSight in front of the VIP.
This is what I feel will work, but I'd like some feedback whether this is clean and if I can add this on to VIPs that already have iRules on them. I don't have much experience with multiple iRules on a VIP and would like to know if this would interfere with others.
LTM v10.0.1
when HTTP_RESPONSE {
   # Remove header if already existing to keep from getting dups
   HTTP::header remove "serverIP"
   # Insert header with responding server IP
   HTTP::header insert "serverIP" [IP::server_addr]
}
19 Replies
- hoolio
Cirrostratus
Hi Jason,
You could actually change this to the following for the same effect. If the header isn't present, it will still be inserted. This rule shouldn't conflict with other iRules.
when HTTP_RESPONSE {
   # Insert header with responding server IP
   HTTP::header replace "serverIP" [IP::server_addr]
}
Aaron
- Jason_Hook_4092
Nimbostratus
Does it matter if this iRule is at the top or bottom of the iRule list (if there is more than one)? Not sure if there is an order-of-events on iRules that will be affected by writing to the response header.
- hoolio
Cirrostratus
With a header insert in HTTP_RESPONSE, I can't see the order of any other iRule interfering with this.
Aaron
- fujisen
Nimbostratus
Hi guys, this iRule applies only to an HTTP VIP.
How do I expose the pool member for an HTTPS VIP?
Is an https_response iRule possible?
- Chris_Miller
Altostratus
Posted By fujisen on 01/12/2011 07:38 AM
Hi guys, this iRule applies only to an HTTP VIP.
How do I expose the pool member for an HTTPS VIP?
Is an https_response iRule possible?
If the F5 LTM is doing the SSL decryption, it would be the same rule, just on an HTTPS VIP.
- fujisen
Nimbostratus
Thanks,
I understand an SSL client cert is required on the HTTPS VIP to use the same iRule, but can the pool members listen on port 443? Or should it be on 80?
- Chris_Miller
Altostratus
Posted By fujisen on 01/12/2011 07:57 AM
Thanks,
I understand an SSL client cert is required on the HTTPS VIP to use the same iRule, but can the pool members listen on port 443? Or should it be on 80?
If you want encryption between the LTM and Pool Member (over 443), then you'll need a serverSSL profile in addition to the clientSSL profile. Think of it like this:
1. Client Request hits LTM over HTTPS.
2. LTM uses the ClientSSL profile to decrypt the traffic so it can view the request.
3. If sending to the pool member over HTTPS, LTM uses the ServerSSL profile to re-encrypt the traffic (and decrypt it on the way back).
- fujisen
Nimbostratus
Thanks for the very clear explanation.
Last question on your 3rd point: traffic between LTM and server without Server SSL but pool open on 443, in this case the traffic would be in clear text, but what ports would be used?
- Chris_Miller
Altostratus
Posted By fujisen on 01/12/2011 08:15 AM
Thanks for the very clear explanation.
Last question on your 3rd point: traffic between LTM and server without Server SSL but pool open on 443, in this case the traffic would be in clear text, but what ports would be used?
That's a mighty interesting question. I've never tried that before. I'd assume the pool member wouldn't like it but let me know.
- Jason_Hook_4092
Nimbostratus
If you have the server defined to the pool on 443 but do not have a ServerSSL profile configured, the request gets dropped on the floor and you don't get a response. Without a ServerSSL profile the back-side of the VIP can't handle the SSL handshake to the server.