Forum Discussion
breasoner_11658
Nimbostratus
NimbostratusInserting WL-Proxy-SSL header via iRule
Hello -
I have an application that is a bit strange in the sense that certain pages require the "WL-Proxy-SSL: true" request header to display all elements on the page via SSL, but other pages on the site won't load with that header inserted. I am able to selectively remove the request header for the elements that won't use it, but there are about 25 of them as opposed to 4 elements that need the header. I have read everything that I can find regarding the HTTP::header insert string, but it just doesn't work for me. I'm running BIG-IP version 10.2.0 HF2. According to everything I've read, this should work! What am I missing?
Below is an excerpt of the current iRule:
Portal context
set portal_uri "/portal"
Layouts context
set layouts_uri "/_layouts"
Set Header information
set WLheader "WL-Proxy-SSL"
set WLheaderVal "true"
Retrieve the list of pools from the data group list
set clientPoolList [ findclass $host $DATA_GROUP_LIST " " ]
Route requests to Portal.
if { $uri starts_with $portal_uri }{
HTTP::header insert $WLheader $WLheaderVal
Identify the Portal pool
set portal_pool [getfield $clientPoolList " " 3]
log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri"
pool $portal_pool
return
} elseif { $uri starts_with $layouts_uri }{
HTTP::header insert $WLheader $WLheaderVal
log local0. "Inserting $WLheader: [HTTP::header value $WLheader]"
Identify the Portal pool
set portal_pool [getfield $clientPoolList " " 3]
log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri"
pool $portal_pool
return
15 Replies
- What exactly isn't working? Is the header not getting inserted or is the pool assignment not working sending it to your specified pool? The code looks good but I can't tell if the logic is correct since I don't know the contents of the DATA_GROUP_LIST data group, nor the URI's that you are testing.
You are using the HTTP::header and pool commands correctly so they should OK.
Have you looked at the output from your log messages? If so, are they looking correct?
-Joe 
breasoner_11658The traffic is getting directed to the pool correctly, but the header isn't getting inserted.
I have added a secondary iRule to capture all headers, and the log output of that iRule shows the correct header when I have it going in via the HTTP profile, but not when I have it going in via the iRule.
hoolioCirrostratus
Can you post the full iRule and logs from a failure? Feel free to anonymize both if they contain sensitive info.
Aaron- Also, odds are that the log statement
log local0. "Inserting $WLheader: [HTTP::header value $WLheader]"
will return the an empty string as the "insert" sub command is sometimes not effective yet and accessible with the "value" command until the request goes out. It has to do with some internal optimizations. Is that what you are going by in saying that the header is not getting inserted or are you doing a trace on your servers?
-Joe - hoolioI don't think values for HTTP::header are cached:
when HTTP_REQUEST { log local0. "\[HTTP::header my_header\] pre: [HTTP::header my_header]" HTTP::header insert my_header my_value log local0. "\[HTTP::header my_header\] post: [HTTP::header my_header]" }
< HTTP_REQUEST>: [HTTP::header my_header] pre:
< HTTP_REQUEST>: [HTTP::header my_header] post: my_value
Seeing the full rule and logs would help.
Aaron - breasoner_11658Sorry - Code tags not working for me - trying again...
- Looks to me like the header is getting inserted. How are you testing it on your backend server to verify that it's not making it there?
- breasoner_11658Nothing that sensitive in the iRule, here's the full text.
when HTTP_REQUEST { The Wfm3g Datagroup List set DATA_GROUP_LIST QA-Multiple-Portal Get the request Host set host [HTTP::host] Get the URI set uri [string tolower [HTTP::uri]] The Wfm3g session cookie name set wfm3g_cookie_name "JSESSIONID" The Jasper Server session cookie name set jasper_cookie_name "JASPERSESSIONID" The JasperServer web context set jasperreports_uri "/jasperserver-pro" The JasperServer is down URL set jasperisdownurl "/ute/jsp/reportingServerUnavailable.jsp" The default JasperServer Pool name. Used if one is not specified in the data group list for the client. set DEFAULT_JASPER_POOL "Default-Jasper-Pool" 3G wfm context set wfm3g_wfm_uri "/wfm" Script Resource context set scriptresource_uri "/scriptresource.axd" Web Resource context set webresource_uri "/webresource.axd" Portal context set portal_uri "/portal" set DEFAULT_PORTAL_POOL "Portal-PMQA-Pool" Layouts context set layouts_uri "/_layouts" Set Header information set WLheader "WL-Proxy-SSL" set WLheaderVal "true" Retrieve the list of pools from the data group list set clientPoolList [ findclass $host $DATA_GROUP_LIST " " ] Route requests to Portal. if { $uri starts_with $portal_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $layouts_uri }{ HTTP::header insert $WLheader $WLheaderVal log local0. "Inserting $WLheader: [HTTP::header value $WLheader]" Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $scriptresource_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $webresource_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return Route requests to Jasper. } elseif { $uri starts_with $jasperreports_uri }{ Identify the Jasper pool set jasper_pool [getfield $clientPoolList " " 2] If Jasper pool is not explicitly set for the client, use default if { $jasper_pool eq "" }{ set jasper_pool $DEFAULT_JASPER_POOL } Make sure there is at least one Jasper server running if { [active_members $jasper_pool] < 1 } { HTTP::redirect $jasperisdownurl } else { log local0.notice "Forwarding to Jasper Report pool: $jasper_pool. Uri: $uri" pool $jasper_pool return } Route WFM requests to 3G Pool } elseif { $uri starts_with $wfm3g_wfm_uri }{ set wfm3g_pool [getfield $clientPoolList " " 1] log local0.notice "Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } elseif { $uri equals "/" }{ HTTP::uri "/wfm" set wfm3g_pool [getfield $clientPoolList " " 1] log local0.notice "BLANK URI - Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } else { Identify the 3G pool set wfm3g_pool [getfield $clientPoolList " " 1] foreach header {WL-Proxy-SSL} { log local0. "Removing $header: [HTTP::header value $header]" HTTP::header remove $header log local0.notice "Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } } } when HTTP_RESPONSE { Secure the outbound Wfm3g cookie. if { [HTTP::cookie exists $wfm3g_cookie_name] } { HTTP::cookie secure $wfm3g_cookie_name enable } Secure the outbound JasperServer cookie. if { [HTTP::cookie exists $jasper_cookie_name] } { HTTP::cookie secure $jasper_cookie_name enable } }
Here's the output of the Header log iRule when I insert the header via the http profile:Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : ============================================= Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Client -> Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Accept: */* Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Referer: https:// Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Accept-Language: en-US Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322; MS-RTC LM 8; InfoPath.3) Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Accept-Encoding: gzip, deflate Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Host: Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Connection: Keep-Alive Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : Cookie: JSESSIONID=8mnLPQ1F6hWCs5JL2jqx1pt9FGbBnhRz9p5v2LXNH2yS3KnlhvCn!-721761555 Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : WL-Proxy-SSL: true Mar 2 11:30:41 local/tmm1 info tmm1[5151]: Rule HeaderLogger : =============================================
And the Header log iRule output when I attempt to insert the header via the iRule:Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : ============================================= Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Client (request) Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Host: Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Accept-Language: en-us,en;q=0.5 Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Accept-Encoding: gzip, deflate Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Connection: keep-alive Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : Cookie: JSESSIONID=wrbfPRQFpZVfJ2x1P78LfnLwyBy9chTyxyNpPLshVDhVNwyY0K0v!-721761555 Mar 2 13:23:02 local/tmm info tmm[5150]: Rule HeaderLogger : =============================================
My previous post had the output of the logger with the wrong http profile associated. Sorry for any confusion. - breasoner_11658One more try at the iRule text. Am I adding too much info at once?
when HTTP_REQUEST { The Wfm3g Datagroup List set DATA_GROUP_LIST QA-Multiple-Portal Get the request Host set host [HTTP::host] Get the URI set uri [string tolower [HTTP::uri]] The Wfm3g session cookie name set wfm3g_cookie_name "JSESSIONID" The Jasper Server session cookie name set jasper_cookie_name "JASPERSESSIONID" The JasperServer web context set jasperreports_uri "/jasperserver-pro" The JasperServer is down URL set jasperisdownurl "/ute/jsp/reportingServerUnavailable.jsp" The default JasperServer Pool name. Used if one is not specified in the data group list for the client. set DEFAULT_JASPER_POOL "Default-Jasper-Pool" 3G wfm context set wfm3g_wfm_uri "/wfm" Script Resource context set scriptresource_uri "/scriptresource.axd" Web Resource context set webresource_uri "/webresource.axd" Portal context set portal_uri "/portal" set DEFAULT_PORTAL_POOL "Portal-PMQA-Pool" Layouts context set layouts_uri "/_layouts" Set Header information set WLheader "WL-Proxy-SSL" set WLheaderVal "true" Retrieve the list of pools from the data group list set clientPoolList [ findclass $host $DATA_GROUP_LIST " " ] Route requests to Portal. if { $uri starts_with $portal_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $layouts_uri }{ HTTP::header insert $WLheader $WLheaderVal log local0. "Inserting $WLheader: [HTTP::header value $WLheader]" Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $scriptresource_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return } elseif { $uri starts_with $webresource_uri }{ HTTP::header insert $WLheader $WLheaderVal Identify the Portal pool set portal_pool [getfield $clientPoolList " " 3] log local0.notice "Forwarding to Portal pool: $portal_pool. Uri: $uri" pool $portal_pool return Route requests to Jasper. } elseif { $uri starts_with $jasperreports_uri }{ Identify the Jasper pool set jasper_pool [getfield $clientPoolList " " 2] If Jasper pool is not explicitly set for the client, use default if { $jasper_pool eq "" }{ set jasper_pool $DEFAULT_JASPER_POOL } Make sure there is at least one Jasper server running if { [active_members $jasper_pool] < 1 } { HTTP::redirect $jasperisdownurl } else { log local0.notice "Forwarding to Jasper Report pool: $jasper_pool. Uri: $uri" pool $jasper_pool return } Route WFM requests to 3G Pool } elseif { $uri starts_with $wfm3g_wfm_uri }{ set wfm3g_pool [getfield $clientPoolList " " 1] log local0.notice "Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } elseif { $uri equals "/" }{ HTTP::uri "/wfm" set wfm3g_pool [getfield $clientPoolList " " 1] log local0.notice "BLANK URI - Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } else { Identify the 3G pool set wfm3g_pool [getfield $clientPoolList " " 1] foreach header {WL-Proxy-SSL} { log local0. "Removing $header: [HTTP::header value $header]" HTTP::header remove $header log local0.notice "Forwarding to WFM3G pool: $wfm3g_pool. Uri: $uri" pool $wfm3g_pool return } } } when HTTP_RESPONSE { Secure the outbound Wfm3g cookie. if { [HTTP::cookie exists $wfm3g_cookie_name] } { HTTP::cookie secure $wfm3g_cookie_name enable } Secure the outbound JasperServer cookie. if { [HTTP::cookie exists $jasper_cookie_name] } { HTTP::cookie secure $jasper_cookie_name enable } } - hoolioAm I adding too much info at once?
No, it's just that the quick reply box doesn't handle multiple code blocks. You could either hit the reply button to reply to the post or use the quick reply box, edit your post and click submit to have it formatted correctly.
Can you post the logs from the actual iRule where the header should be inserted instead of the logs from the header logging rule?
Aaron
