
F5__152984
Sep 08, 2014

Inserting a 'virtual directory triplet' while rewriting the http header

I am doing reverse-proxying from one of the F5 VIPs in the DMZ to the same URL on the internal network, but on a different load balancer. For each request, I need to prefix the path with a consistently-derived set of non-existent virtual directories, for example changing "http://url1.abc.com/gateway.aspx" to "http://url1.abc.com/nsepn/webapps/einjjo674qdzvfxhq7581632726/gateway.aspx". For each response, make the same changes to any embedded URLs so that the next request is automatically sent to the modified host+path entry created above. I am looking for some help to do this with an iRule.

 

Thanks RP

 

5 Replies

  • Before getting into any sort of coding examples, I would like to point out two things:

     

    1. While absolutely possible, this is not an easy thing to do, and would likely create significant latency in the application using iRules to parse through request and response payloads to rewrite URIs. It also gets very tricky when URIs aren't explicit HTML elements, like objects within JavaScript code.

       

    2. It just so happens that this is a feature of the access policy manager (APM) module referred to as "portal mode".

       

  • We have this set up on Imperva Web Application Firewalls with Cisco ACE LB, which we are trying to migrate to F5 LTM + ASM/APM. We are aware of the overhead/latency, but are looking for some solution to start with.

     

    Thanks RP

     

  • If you have APM, then the portal mode configuration is pretty straightforward and will accomplish pretty much exactly what you're looking for.

     

  • Right now, we don't have a license for APM. That's why I was trying to achieve this through iRules if possible. Thanks!

     

  • Completely understood. But consider the effort required to parse through all of the response payloads to find every reference to a given set of URLs (images, CSS, JavaScript, other HTML documents, etc.) and rewrite those. And then rewrite them again in the requests. And if you have URLs buried in JavaScript code, you have to deal with that too. For that amount of effort, a seasoned, robust capability like APM portal mode is probably worth a closer look.
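
An added example, not part of the thread and not F5 code: a Python model (not an iRule) of the rewrite discussed above, using the host and prefix from the question. The function names and the sample response are constructed; it shows that attribute-based response rewriting leaves a URL assembled in JavaScript untouched, so the request-side prefixing has to be idempotent to catch both cases.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Host and virtual-directory prefix taken from the example URL in the question.
HOST = "url1.abc.com"
PREFIX = "/nsepn/webapps/einjjo674qdzvfxhq7581632726"

def add_prefix(url):
    """Prefix the path of a URL on HOST or of a root-relative path.

    Idempotent, so it is safe for requests that already carry the prefix."""
    parts = urlsplit(url)
    if parts.netloc and parts.hostname != HOST:
        return url                      # different host: leave untouched
    if not parts.path.startswith("/"):
        return url                      # fragment, javascript:, document-relative
    if parts.path.startswith(PREFIX + "/"):
        return url                      # already rewritten
    return urlunsplit(parts._replace(path=PREFIX + parts.path))

# Only explicit HTML attributes are matched; this is the limitation
# the replies describe for URLs that live inside script code.
ATTR = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2''', re.I)

def rewrite_html(body):
    """Rewrite href/src/action attribute values in a response body."""
    def fix(m):
        return m.group(1) + m.group(2) + add_prefix(m.group(3)) + m.group(2)
    return ATTR.sub(fix, body)

# Constructed sample response body.
SAMPLE = '''<a href="http://url1.abc.com/gateway.aspx?id=1">in</a>
<img src='/img/logo.png'>
<a href="http://other.example/help">ext</a>
<script>var next = "/" + "reports" + "/list.aspx"; location = next;</script>'''

def missed_script_lines(body):
    """Lines containing script code that the attribute rewrite left unchanged."""
    before, after = body.splitlines(), rewrite_html(body).splitlines()
    return [b for b, a in zip(before, after) if "<script" in b and a == b]

if __name__ == "__main__":
    print(rewrite_html(SAMPLE))
    print("not rewritten:", missed_script_lines(SAMPLE))
    # The browser will request /reports/list.aspx without the prefix;
    # the request-side rewrite is what brings it back in line.
    print(add_prefix("/reports/list.aspx"))
```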