Forum Discussion

RAQS's avatar
RAQS
Icon for Cirrus rankCirrus
Jun 28, 2022

How to Forward traffic via F5

Hi Team, I need to forwrad tha traffic based on URI  from one domain to another and this should not visible in browser. For ex:- When user hit "https://api-q.abc.com:443/lontools-java" then F5 shou...
application delivery
  • Dario_Garrido's avatar
    Dario_Garrido
    Jul 19, 2022

    Hello RAQS,

    Sorry for the late response, but I'm on holiday.

    Taking into account your backend server is outside of your network (in Cloud), these are your chances:

    1. Using redirection.

    ----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<-- 302 Redirect (https://cp.api.us01a.xyz.com...)--|        |
----------                                                    |--------|
|--------|                                                    |--------|
| Client |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

    The redirection will occur transparently for the client, but the URL in the browser will change. 

    2. Using rewrite profile ( + policy for selecting a different pool)

    ----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<---------------------- 200 OK ---------------------|        |
----------                                                    |--------|
|--------|                                                    |--------|
| F5     |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

    The F5 will receive the query from the client and will replace the host header and URI. This implies that F5 has to reach the cloud server in order to serve the service.

    If this resource requires to use of a different backend server different than the default one, you can configure a policy to change the pool (to your Cloud Server) when the URL matches "https://api-q.abc.com:443/lontools-java".

    3. Using iRules (not so efficient as point 2, but also feasible)

    when HTTP_REQUEST {
	if { [HTTP::host] eq "api-q.abc.com"}{
		if { [HTTP::uri] contains "lontools-java"} {
			HTTP::header replace Host "cp.api.us01a.xyz.com"
			HTTP::uri "/qiontools-java"
			pool test_pool
		}
	}
}

    Using the previous iRule, the host header, the URI, and the pool will change when the condition matches.

    This is simple to configure and test, but take into account that only the request packet will be replaced, if you need to modify some of the content of the cloud server, you will need to use a rewrite profile (or dig into the payload using iRules).

    If this was helpful, please, don't forget to rate my answer as resolved or gimme some upvotes.

     

RAQS's avatar
RAQS
Icon for Cirrus rankCirrus

Thanks for your time and Parience Dario. So i applied http rewrite policy, but when i apply it site goes down.

There are some dynamic values in URI. Is that making any differences ?

 

Regards,

Raqs

Dario_Garrido's avatar
Dario_Garrido
Icon for MVP rankMVP
Jul 02, 2022

Hello RAQS. 

It's hard to know what is failing because each website is completely different.

Your chance is to use iRules to troubleshoot what is being rewritten and what not.

Capturing traffic with tcpdump + decrypting ssl (https://support.f5.com/csp/article/K12783074) is always a great deal.

 

  • RAQS's avatar
    RAQS
    Icon for Cirrus rankCirrus
    Jul 02, 2022

    Hi Dario,

    Really appreciate your time and patience with me. Thanks for all your effort. I took capture and what i oserved that F5 is rewriting host but it is communicating to backend member instead of redirecting. 

    WIth Irule it is not communicating with backend member. 

    Note :- Rediected URL is not hosted in F5. Its in AWS.

    Do i need to do some modifucation in rewrite policy or this can not be possible with F5 ?

    • Dario_Garrido's avatar
      Dario_Garrido
      Icon for MVP rankMVP
      Jul 09, 2022

      Hello RAQS. 

      I think you are mixing concepts. 

      • Redirecting (302 response) - it points the client to a new website, this access is not masked, the client will see the new URL in him/her browser. 
      • Rewriting (200 response) - the F5 manage both flows of the connection and the access is completely masked.

       

      • RAQS's avatar
        RAQS
        Icon for Cirrus rankCirrus
        Jul 11, 2022

        Hi Dario,

         

        Yeah i understand the difference between two concepts. May be i am not able to express my query in narritive way. let me give another try. 

        user hit "https://api-q.abc.com:443/lontools-java" then F5 should forward the traffic to " https://cp.api.us01a.xyz.com/qiontools-java" and user should not able to see this change in URL in browser. For user it will remain same as "https://api-q.abc.com:443/lontools-java".

        with "rewrite" option it seems cp.api.us01a.xyz.com need to be on default pool of LB VIP. But here the situtaion is that this URL is hosted on Cloud. So i am using below iRule to get this done.

        when HTTP_REQUEST {
        if { [HTTP::host] eq"api-q.abc.com"}{
        if { [HTTP::uri] contains "lontools-java/"} {
        HTTP::header replace Host "cp.api.us01a.xyz.com[HTTP::uri]"
        pool test_pool
        }

        }
        }
        In test_pool, i have defined the IP of URL "cp.api.us01a.xyz.com" and made the connectivity between self ip and IP of new URL (cp.api.us01a.xyz.com). Do you think will this work ? I am yet to test as need couple of approval to allow F5 to communicate with Cloud , tough it doesnt seems to best pratice to me.

         

        Regards,

        RAQS