For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Randy_Johnson_L's avatar
Randy_Johnson_L
Icon for Nimbostratus rankNimbostratus
Jul 13, 2017

'HairPinning' on LTM ?

I have a case where I have a Virtual Server provisioned, and accessible from the world at 'https://company.com'.   Now we need other, 'internal' applications to be able to call to 'https://company...
application delivery
LTM
ekaleido_26616's avatar
ekaleido_26616
Icon for Cirrocumulus rankCirrocumulus
Jul 13, 2017

Can you use an iRule to control who can access /urihere? Would seem to be the easiest way, given the information you've provided. There are cleaner ways, but this is a start...

when HTTP_REQUEST {
  if { [HTTP::path] starts_with "/urihere" } {
    switch -glob [IP::client_addr] {
      "10.*" { return }
      "172.12.*" { return }
      "192.168.*" { return }
      default { discard }
    }
  }
}
  • Randy_Johnson_L's avatar
    Randy_Johnson_L
    Icon for Nimbostratus rankNimbostratus
    Jul 13, 2017

    Thaks, ekaleido-- Not quite what I'm going for, as my internal webservers do not seem to be able to even reach 'themselves' through the externally facing VIP / hairpinning. However, these 'internal' webservers are able to ping and traceroute from the internal servers to the external company.com. However, when attempting to connect to https://company.com, I get a 'Connection Reset'.

     

  • ekaleido_26616's avatar
    ekaleido_26616
    Icon for Cirrocumulus rankCirrocumulus
    Jul 13, 2017

    Do you need to enable or disable SNAT AutoMap on the virtual server?