Forum Discussion
Joe_Curl_105786
Nimbostratus
Oct 01, 2007
Internal Website
I have a group of web servers that reside on the inside of our network and need to be presented to the Internet. The VS is an anonymous server that sends a redirect to a server on the inside of our network. I need the F5 to stay in the conversation path. The website has links that refer to other servers that would not be available to the Internet, but just to servers on the inside. Has anyone done anything like this? Thanks for the help.
Joe
5 Replies
- Deb_Allen_18
Historic F5 Account
Hi Joe --
It sounds like you need to make those other servers virtually available from the Internet, and you want requests to them to go thru LTM.
That means you would need to create a virtual server with a publicly routable VS address for each of those apps referencing pools containing the internal addresses of the real servers. (Or you could create an iRule to share a single VS among many apps, splitting traffic on hostname.)
If you need to handle internal vs. external traffic differently, you'd have to use either split DNS or different hostnames. (Or in some situations an iRule might do the trick there as well.)
Post back with more details if you'd like further assistance on a specific approach for your situation.
/deb
- Joe_Curl_105786
Nimbostratus
Deb,
Since this is just the first application wanting this option, I would like to base it on one single VS for the many applications. Due to the large number of servers we have, I am not sure that the DNS option would work. The management would be a nightmare.
As for the traffic, it would be https coming in, and http or https going to the web server. Based on what we were seeing in manuals, it would seem that "Redirect Rewrite" in an http profile would cause the behavior that we are looking for. I am ok with trying to figure out an iRule, but since the LTM is a full proxy I would think that that ability is already written in one of the options somewhere.
Joe
- Joe_Curl_105786
Nimbostratus
Deb,
Here is the iRule I have been playing with for this issue as well. The server name is in the URL of the link.
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri contains "corppdwqk9951" } {
            pool nas-gpo-webapp-pool
        }
    }
- Deb_Allen_18
Historic F5 Account
If you want to direct traffic based on hostname, you'll want to use the HTTP::host command:
    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] contains "corppdwqk9951" } {
            pool nas-gpo-webapp-pool
        }
    }
- Deb_Allen_18
Historic F5 Account
I'm not sure I understand the rest of your requirements, but I'll take a stab at addressing them.
"Redirect rewrite" will only rewrite redirects, not embedded links, and then only will change the redirect target in 1 of 3 ways:
1) rewrite the scheme from http to https for redirects matching the original hostname
2) rewrite the scheme from http to https for redirects to any hostname
or
3) insert the VS address in place of a real server address
You probably want to enable 1 since it sounds like you're decrypting @ LTM, but I don't think that addresses your "other private hosts" issue.
You can use the stream profile to replace the hostnames with different ones in embedded links as detailed in this article (Click here), but the hostnames would still have to be publicly resolvable names with publicly routable addresses defined on the LTM, and you'd have to define separate pools for each set of servers and then select them with an iRule:
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::host]] {
            *host1* { pool pool1 }
            *host2* { pool pool2 }
            *host3* { pool pool3 }
            default { pool pooldefault }
        }
    }
HTH
/deb
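An added example, not part of the thread and not F5's own code: one iRule that combines the host-based pool selection above with rewriting of redirect Location headers, so a 3xx from a real server never hands the client an internal hostname. It matches the Host header exactly and answers unlisted hosts locally rather than sending them to a default pool, which is a design choice made here. The public names under example.com and the second application are assumptions; `corppdwqk9951` and `nas-gpo-webapp-pool` are taken from the posts above.

```tcl
when HTTP_REQUEST {
    # Drop any ":port" suffix and normalise case before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Exact matches only: a Host header that merely contains a known
    # name does not select an internal pool.
    switch -- $host {
        "webapp.example.com" { pool nas-gpo-webapp-pool }
        "app2.example.com"   { pool pool2 }
        default {
            # Unlisted hostname: respond from LTM, never forward inside.
            HTTP::respond 404 content "Not Found"
            return
        }
    }
}

when HTTP_RESPONSE {
    # Redirects only. Links embedded in the page body are not touched
    # here; those need the stream profile mentioned in the thread.
    if { [HTTP::is_redirect] && [HTTP::header exists "Location"] } {
        set loc [HTTP::header value "Location"]

        # Split an absolute Location into host and path. Relative
        # redirects do not match and are left unchanged.
        if { [regexp -nocase {^https?://([^/:]+)(:\d+)?(/.*)?$} $loc -> lhost lport lpath] } {
            # Map each internal server name to its public name and force
            # https, since clients reach the virtual server over https.
            # Add one entry per internal name form (short name, FQDN).
            switch -- [string tolower $lhost] {
                "corppdwqk9951" {
                    HTTP::header replace "Location" "https://webapp.example.com$lpath"
                }
            }
        }
    }
}
```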