Forum Discussion
Getting around CORS with IRULES
Our website uses AJAX requests that makes requests from a page delivered from VIP A (www.acmecorp.com) to send requests to VIP B (api.acmecorp.com). We had to go ahead and put in a bunch of headers and do some special logic with IE 8 to allow this to occur. This results in many HTTP Options requests to ensure that the cross-domain origin access is permitted.
The problem is that our of our client's firewall rules are stripping out the HTTP Headers or denying the OPTIONS requests and it is becoming a pain to troubleshoot all of the various vendors.
Ideally I would like to do this for every/get post that used to take the form of this:
api.acmecorp.com/SomeNamedRoute?SomeVariousOptions=X
and instead make it like this:
www.acmecorp.com/api/SomeNamedRoute?SomeVariousOptions=X and then with the IRULE route it to the api.acmecorp.com but the request going to that server should be api.acmecorp.com/SomeNamedRoute?SomeVariousOptions=X
Is this possible?
you can use the ProxyPassV10 irule for this.
your datagroup content would look like this: www.acmecorp.com/api/ api.acmecorp.com/ pool_api_servers
the virtual server's default pool should be the one for the www.acmecorp.com servers and you must use a oneconnect profile in the VS as well.
the proxypass irule will rewrite any request going to www.acmecorp.com/api/XYZ to api.acmecorp.com/XYZ and send it to the pool pool_api_servers proxypass will also take care of the location header in http redirects and rewrite it for you.
- Andy_V_137639NimbostratusAm I on the right track here? when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/api" } { HTTP::uri [string map {"/api" ""} [HTTP::uri]] virtual API_VIP } }
- Simon_Kowallik1Historic F5 Account
you can use the ProxyPassV10 irule for this.
your datagroup content would look like this: www.acmecorp.com/api/ api.acmecorp.com/ pool_api_servers
the virtual server's default pool should be the one for the www.acmecorp.com servers and you must use a oneconnect profile in the VS as well.
the proxypass irule will rewrite any request going to www.acmecorp.com/api/XYZ to api.acmecorp.com/XYZ and send it to the pool pool_api_servers proxypass will also take care of the location header in http redirects and rewrite it for you.
- Andy_V_137639NimbostratusThanks, a lot more complex then the script I had above.
- Kevin_StewartEmployee
If I may add, if I understand you correctly, the Ajax is a client side thing. Script in the response content from www.acmecorp.com causes the client to make an Ajax call to api.acmecorp.com, but the client's firewall is stripping out the headers that are allowing this cross origin request to happen. So instead of the client making the request, you want the www.acmecorp.com VIP to make the request. If that's true, then I think you were on the right track to begin with, with a few modifications:
when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "/api" } { HTTP::header replace Host "api.acmecorp.com" HTTP::uri [string map {"/api" ""} [HTTP::uri]] virtual API_VIP } }
This will cause all "/api" requests to swing over to the API_VIP virtual server with the appropriate Host header and URI.
- Kevin_StewartEmployee
Another question, we have three LTMs sometimes we need to route to a different VIP that only exists on one of the three LTMS. If I get a request on LTM1 and need to get it to a VIP that only exists on LTM2 is that possible?
Absolutely, assuming the LTMs can route to/from one another. If so, you could create a pool on LTM1 that contains the VIP on LTM2, or you could simply use a node command in an iRule. Depending on how the traffic needed to flow, you could just send the request to this pool or node, or you could issue a sideband call within a request or response, ask the LTM2 VIP something, get a response, and then carry on with the original request and traffic flow.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com