
Forum Discussion

NiHo_202842
Jun 09, 2015

How to provide VS for separate access to nodes

Hi all.

We currently miss the following feature: our application support team needs to access the nodes directly. But as we are segregating our network, everything will have to pass through the BigIP.

To solve this, I was thinking about using an iRule that, based on the URI and an iRule data group, sets the right type of persistence. I currently have the following code, but I do not really know how to do the persistence part. Will I need to do a persist clear theCookie? (theCookie is our cookie persistence name)

For example: there are problems with application test on application server 1_0. The user will browse to https://direct.bigip.com/test/as_1_0 and the persistence will be set while he is redirected to the application server.

The following code is what I have right now:

when HTTP_REQUEST {
  # Partition of your virtual server(s), leave empty for Common
  set vs_partition "UNIX"
  # Rest of the domain name of the virtual server
  set vs_domain ".bru-hub.dhl.com"

  if {[getfield [HTTP::uri] "/" 2] ne ""}{
    set app "/$vs_partition/[getfield [HTTP::uri] "/" 2]-pool"
    if {[catch {pool $app}]}{
      HTTP::respond 404 content "Application $app could not be found."
    } else {
      if {[getfield [HTTP::uri] "/" 3] ne ""}{
        set app_server [getfield [HTTP::uri] "/" 3]
        set app_server "[getfield [HTTP::uri] "/" 2]_${app_server}"
        set node_addr [class match -value $app_server equals direct-node-list]
        # Build the new Host header before the URI is rewritten; once HTTP::uri
        # has been set to "/", getfield on the URI returns an empty string.
        set new_host "[getfield [HTTP::uri] "/" 2]$vs_domain"

        log local0. "application server: $app_server"
        log local0. "node addr: $node_addr"
        log local0. "new host header: $new_host"

        HTTP::uri "/"
        HTTP::header replace Host $new_host

        if { $node_addr ne "" }{
          set node_port [getfield $node_addr ":" 2]
          set node_addr [getfield $node_addr ":" 1]

          if {[catch {pool $app member $node_addr $node_port}]}{
            HTTP::respond 404 content "Server $node_addr:$node_port could not be found."
          } else {
            # Persist on the selected member via the cookie persistence profile
            persist cookie insert directCookie
          }
        } else {
          HTTP::respond 404 content "Application server $app_server could not be found."
        }
      } else {
        HTTP::respond 404 content "No application server given. Example: https://direct.bru-hub.dhl.com/calms/as_1_3"
      }
    }
  } else {
    HTTP::respond 404 content "No application found in URI. Example: https://direct.bru-hub.dhl.com/calms/as_1_3"
  }
}
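
The following iRule is an added example of the same URI-to-member selection written from a defensive angle; it is not the poster's code and not anything shipped by F5. It assumes the same `direct-node-list` string data group (entries of the form `calms_as_1_3 := 10.1.2.3:8080`, a constructed sample), pools named `/<partition>/<application>-pool`, a cookie persistence profile named `directCookie` attached to the virtual server, and a hypothetical address-type data group `direct-allowed-sources` listing the support team's networks. Both URI tokens are validated as plain identifiers before they are used to build a pool name or a data group key, the Host header is computed before the URI is rewritten, and the member is selected before any rewrite happens so a failed lookup leaves the request untouched.

```tcl
when CLIENT_ACCEPTED {
    # Only the support team's networks may use this "direct" virtual server.
    # direct-allowed-sources is an assumed address-type data group (e.g. 10.20.0.0/24).
    if { ![class match [IP::client_addr] equals direct-allowed-sources] } {
        reject
    }
}

when HTTP_REQUEST {
    # Partition of the pools, and the domain suffix the back end expects in the Host header
    set vs_partition "UNIX"
    set vs_domain ".bru-hub.dhl.com"

    # Expected URI shape: /<application>/<server>, e.g. /calms/as_1_3
    set app_name [getfield [HTTP::uri] "/" 2]
    set srv_name [getfield [HTTP::uri] "/" 3]

    # Both tokens must be plain identifiers before they are used to build a pool
    # name or a data group key; anything else is answered with a usage message.
    if { ![regexp {^[A-Za-z0-9_-]+$} $app_name] || ![regexp {^[A-Za-z0-9_-]+$} $srv_name] } {
        HTTP::respond 400 content "Usage: https://[HTTP::host]/<application>/<server>" "Content-Type" "text/plain"
        return
    }

    set app_pool   "/$vs_partition/${app_name}-pool"
    set app_server "${app_name}_${srv_name}"

    # direct-node-list maps "<application>_<server>" to "<ip>:<port>"; it is the
    # allowlist of nodes that may be reached through this virtual server.
    set node [class match -value $app_server equals direct-node-list]
    if { $node eq "" } {
        HTTP::respond 404 content "Application server $app_server could not be found." "Content-Type" "text/plain"
        return
    }
    set node_addr [getfield $node ":" 1]
    set node_port [getfield $node ":" 2]

    # Select the member first; the rewrite below only happens if the selection works.
    if { [catch { pool $app_pool member $node_addr $node_port }] } {
        HTTP::respond 404 content "Server $node_addr:$node_port is not a member of $app_pool." "Content-Type" "text/plain"
        return
    }

    # Build the Host header from the original URI, then rewrite the URI.
    HTTP::header replace Host "${app_name}${vs_domain}"
    HTTP::uri "/"

    # Pin this client to the chosen member through the cookie persistence
    # profile "directCookie" (assumed to be attached to the virtual server).
    persist cookie insert directCookie
    log local0. "direct access: [IP::client_addr] -> $app_server ($node_addr:$node_port)"
}
```

The source check in CLIENT_ACCEPTED is the same idea the reply below applies at the virtual-server level (restricting by source network), done once per connection rather than per request; the data group is the single place to maintain both the list of reachable nodes and the list of networks allowed to reach them.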


3 Replies

  • If you don't want to do it for the subnet, you could create a host IP forwarding VS for each node permitting access based on a source network - however this wouldn't be the most scalable solution.

    E.g.:

    ltm virtual fwd_vs {
      destination 10.0.0.1:0
      ip-forward
      mask 255.255.255.255
      profiles {
        fastL4 { }
      }
      source 0.0.0.0/0
      vlans {
        external
      }
      vlans-enabled
    }


    Alternatively, you could also create a network forwarding VS and use the subnet mask to restrict access to a certain range of IP addresses.