Forum Discussion

Rick_Deerberg_2
Jun 14, 2006

How to write an iRule to redirect to multiple uri's and to specific TCP Port (81)

I am a newbie when it comes to load balancing and iRules.

I have a user who wants the following configured.

Default or main page/site
https://default.domain.com/

Site A
https://differentserver.domain.com/siteA

Site B
https://default.domain.com/siteB/logon.html

Pools

Default Pool: 1.1.1.1, 1.1.1.2 (Port 80)
SiteA Pool: 2.2.2.2, 2.2.2.3 (Port 80)
SiteB Pool: 1.1.1.1, 1.1.1.2 (TCP Port 81)

When the uri equals https://default.domain.com
After authenticating, send them to the Default Pool

When the uri equals https://default.domain.com/siteA
After authenticating, send them to pool SiteA Pool, and add /siteA to the end of the uri

When the uri equals https://default.domain.com/siteB
Direct them to pool SiteB Pool, and add /logon/logon.html to the end of the uri and make sure they are directed to TCP port 81

Additional Notes:

*We are terminating client ssl on the load balancer.
*We are not encrypting traffic between the load balancer and the servers.
*In the above case there are two physical servers.
*One server provides HTTP and port 81 (logon) services for the Default and SiteB Pool
*The other server provides services (HTTP) for the https://default.domain.com/siteA requests

I contacted technical support and they suggested using multiple virtual servers. Any assistance/examples/suggestions would be greatly appreciated.

Thanks
  • Deb_Allen_18
    Historic F5 Account
    I'm not sure I fully understand what you're trying to do, so let's try to refine the problem description:

    When the uri equals https://default.domain.com
    After authenticating, send them to the Default Pool

    What is meant by "after authenticating"? Unless you're using our PAM module to authenticate on LTM rather than the servers, you'd need to send the request somewhere for authentication. If authentication is handled by the servers themselves, all requests for that site should be forwarded to the Default pool. If auth is offloaded elsewhere, the servers will have to manage that communication. (Redirect to an auth server and back to the originally-requested URI is a common SSO approach.)

    When the uri equals https://default.domain.com/siteA
    After authenticating, send them to pool SiteA Pool, and add /siteA to the end of the uri

    Same issue here re: auth, and also, if the URI path in the request already contains /siteA, it would appear that you could simply check for "/siteA" in the URI string and choose the pool accordingly.

    When the uri equals https://default.domain.com/siteB
    Direct them to pool SiteB Pool, and add /logon/logon.html to the end of the uri and make sure they are directed to TCP port 81

    For this one, I think you'd need to be able to differentiate an already-authenticated request from one that is not, and a redirect to the login page + logic to choose the correct pool containing port 81 nodes may be the best approach.

    Once we have a better idea what exactly you need to do, we (hopefully) can point you in the right direction. You may be able to follow Support's suggestion to use separate virtuals and simplify any rule requirements.

    /deb
  • Thanks for the reply.

    When I indicate authentication, I'm referring to Microsoft AD authentication. When I connect to https://default.domain.com I enter my AD credentials and then if successful, I am allowed to view the default page. If authentication fails, I get not authorized to view the page.

    Hope this helps.

    Thanks

  • Deb_Allen_18
    Historic F5 Account
    You'll need to direct requests to the server pools regardless of authentication status, then, either with a rule or by defining separate virtuals as suggested.

    I just noticed that you have defined 2 different versions of Site A ("differentserver.domain.com" and "default.domain.com"), so some clarification there is needed to know which approach you need to follow.

    And I'm still not sure what you're trying to accomplish with Site B. Are all requests for that site redirected to a login page? Then what happens?

    /deb
  • Hopefully, this may help explain what I'm trying to do.

    The iRule below, for the most part, does what I want. However, instead of using specific IP addresses, I want to use a pool so I can load balance. The problem I'm running into is that when I use a pool for site-A or site-B it fails to append the /site-A or :81/logon/logon.html to the end of the uri.

    Thanks

    when HTTP_REQUEST {
       # Requests mentioning site-A are redirected to one fixed server address
       if { [HTTP::uri] contains "site-A" } {
          redirect to http://2.2.2.2/site-A
       # Requests mentioning site-B are redirected to the port 81 logon page
       } elseif { [HTTP::uri] contains "site-B" } {
          redirect to http://1.1.1.1:81/logon/logon.html
       } else { pool Default_Pool }
    }

  • Deb_Allen_18
    Historic F5 Account
    OK, how about this then:
    when HTTP_REQUEST {
       set myURI [string tolower [HTTP::uri]]
       if { $myURI contains "site-a" } {
          HTTP::uri /site-A[HTTP::uri]
          pool site-A
       } elseif { $myURI contains "site-b" } {
          HTTP::uri /logon/logon.html
          pool site-B
       } else { pool Default_Pool }
    }
    The pool for site A would contain the appropriate list of port 80 servers, and requests for any URI /already/ containing the string "site-A" would now include that string twice:

    * URI sent by client: /site-A/somedir/somefile.txt

    * URI sent to server: /site-A/site-A/somedir/somefile.txt

    The pool for site B would contain the appropriate list of port 81 servers, and any requests for any URI containing "site-B" would be changed to request the login page:

    * URI sent by client: /site-B/somedir/somefile.txt

    * URI sent to server: /logon/logon.html

    Default_Pool must also be defined to include the appropriate list of port 80 servers, and requests will be forwarded unmodified.

    HTH

    /deb
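
A variant of the rule above, added here as an example and not part of the original post: it matches on the start of the request path instead of anywhere in the URI, so a query string or unrelated path that merely contains "site-b" does not select the port 81 pool, and a path that already begins with /site-A is not prefixed a second time. Pool names are the ones used in the thread; forwarding /site-A requests with the path unchanged is an assumption about the desired behaviour.

```tcl
when HTTP_REQUEST {
    # HTTP::path excludes the query string, unlike HTTP::uri, so the
    # routing decision depends only on the path the client requested.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/site-a" -
        "/site-a/*" {
            # Path already starts with /site-A: forward it unchanged
            pool site-A
        }
        "/site-b" -
        "/site-b/*" {
            # Every site-B request is rewritten to the logon page and
            # sent to the pool whose members listen on port 81
            HTTP::uri "/logon/logon.html"
            pool site-B
        }
        default {
            # Everything else goes to the port 80 default pool unmodified
            pool Default_Pool
        }
    }
}
```
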
  • Thanks!! With just a small modification I think I've got it working. When I get everything cleaned up I'll let you know how it's going.

    Thanks again.