Forum Discussion

Randy_Johnson_L's avatar
Randy_Johnson_L
Icon for Nimbostratus rankNimbostratus
Jul 13, 2017

'HairPinning' on LTM ?

I have a case where I have a Virtual Server provisioned, and accessible from the world at 'https://company.com'.

 

Now we need other, 'internal' applications to be able to call to 'https://company.com/urihere'.

 

While I know I could create an 'internally facing' virtual server for this, then I'm faced with DNS challenges, or using host files.

 

Is there a better way to do this ?

 

application delivery
LTM
  • ekaleido_26616's avatar
    ekaleido_26616
    Icon for Cirrocumulus rankCirrocumulus
    Jul 13, 2017

    Can you use an iRule to control who can access /urihere? Would seem to be the easiest way, given the information you've provided. There are cleaner ways, but this is a start...

    when HTTP_REQUEST {
  if { [HTTP::path] starts_with "/urihere" } {
    switch -glob [IP::client_addr] {
      "10.*" { return }
      "172.12.*" { return }
      "192.168.*" { return }
      default { discard }
    }
  }
}
    • Randy_Johnson_L's avatar
      Randy_Johnson_L
      Icon for Nimbostratus rankNimbostratus
      Jul 13, 2017

      Thaks, ekaleido-- Not quite what I'm going for, as my internal webservers do not seem to be able to even reach 'themselves' through the externally facing VIP / hairpinning. However, these 'internal' webservers are able to ping and traceroute from the internal servers to the external company.com. However, when attempting to connect to https://company.com, I get a 'Connection Reset'.

       

    • ekaleido_26616's avatar
      ekaleido_26616
      Icon for Cirrocumulus rankCirrocumulus
      Jul 13, 2017

      Do you need to enable or disable SNAT AutoMap on the virtual server?

       

  • ekaleido's avatar
    ekaleido
    Icon for Cirrus rankCirrus
    Jul 13, 2017

    Can you use an iRule to control who can access /urihere? Would seem to be the easiest way, given the information you've provided. There are cleaner ways, but this is a start...

    when HTTP_REQUEST {
  if { [HTTP::path] starts_with "/urihere" } {
    switch -glob [IP::client_addr] {
      "10.*" { return }
      "172.12.*" { return }
      "192.168.*" { return }
      default { discard }
    }
  }
}
    • Randy_Johnson_L's avatar
      Randy_Johnson_L
      Icon for Nimbostratus rankNimbostratus
      Jul 13, 2017

      Thaks, ekaleido-- Not quite what I'm going for, as my internal webservers do not seem to be able to even reach 'themselves' through the externally facing VIP / hairpinning. However, these 'internal' webservers are able to ping and traceroute from the internal servers to the external company.com. However, when attempting to connect to https://company.com, I get a 'Connection Reset'.

       

    • ekaleido's avatar
      ekaleido
      Icon for Cirrus rankCirrus
      Jul 13, 2017

      Do you need to enable or disable SNAT AutoMap on the virtual server?