Looking for an irule that will replace the IP address of outgoing traffic with the FQDN. Issue is external server does not have a valid PTR record to allow resolution. Owner of this server does not want to add PTR and communication with this server is required. If there is a better way to address this issue please direct me to it.

If by "outgoing: you mean response traffic then you would need to use HTTP::header replace Location "www.example.com" is hoolio's example as responses do not have a Host header. Also, if the IP address is embedded in the page you would need to use a stream profile to rewrite it. Since there seems to be only one host in question here a simple stream profile with the IP address in the Source field and the FQDN in the Target field should get it done. If there are multiple hosts in questions then you could do this with am irule: when HTTP_RESPONSE { Replace IP Addresses from HTTP responses if { [HTTP::header value "Content-Type"] contains "text"} { STREAM::expression "@1.1.1.1@host1.mysite.com@ @1.1.1.2@host2.mysite.com@ @1.1.1.3@host3.mysite.com@" STREAM::enable } else { STREAM::disable } } HTH, Joe

Hi Joe, Nice one. I wasn't sure if the original poster was trying to rewriite an outbound request or response. One note on the stream profile: it's applied to request and response payloads of both text and binary content types. So it's always a good idea to use an iRule to enable the stream filter only on the specific responses you want it for. Also, as there isn't a way to update the content-length header in requests using a stream profile and iRule, a stream profile isn't a valid option for rewriting request payloads when the find/replace strings are a different length. Aaron

Sorry for any confusion in my explanation, I will try again. We have a Apache web server that needs to send information to an external server. From what I am being told the encryption feature of this server is a resource hog so the F5 is needed for that task. The Apache server sends the information to the vip on the F5, the F5 encrypts the traffic and sends it to the pool member which is an external server. The issue I have is the node is defined by ip address 1.1.1.1 the external web server does not have a ptr record so reverse lookup will not work and connection fails. We are sending information to the external server there is no request nor is it a response. All traffic on this VIP will need to have the ip address changed to FQDN both values will stay the same. Does this make sense?

So the client is a server in your network. That Apache "client" opens a connection to the VIP and is load balanced to an external host. Does that sound about right? Who is doing a reverse lookup of the IP address to try to resolve it to a hostname? LTM doesn't need to a FQDN in the HTTP host header for load balancing. By default LTM would just translate the destination address on the TCP packets to the selected pool member and send the HTTP headers on unmodified. Is the device that needs to resolve an IP address inspecting the source or destination IP address on the packets or the HTTP host header value? Can you clarify what you've configured so far and what isn't working? Thanks, Aaron

IP to FQDN | DevCentral

30 Replies

msmith_64485
Nimbostratus
Jan 27, 2010
No connection will work if I use the actual FQDN but fails if I use the ip and host command with HTTP/1.1 400 Bad Request.

This connection is not a standard HTTPS web site there is a client server service that will be running on both sides so replacing the ip address with the FQDN I believe is the only issue. Pool members are configured with service port 443 wouldn't that be the port I would want for the encryption?
hoolio
Cirrostratus
Jan 27, 2010
So you could try configuring the VIP on port 80, the pool member(s) on port 443, and add the iRule. If you give that a go and it doesn't work, can you add logging to the iRule to make sure the Host header replacement is being done?

Aaron
msmith_64485
Nimbostratus
Jan 28, 2010
ok, what would the logging look like?

Are you an F5 employee?

If so is there a secure location where I can share all the sensitive information?

Mike

hoolio

Cirrostratus

Jan 28, 2010

Hi Mike,

No, I work for an F5 partner in the UK. If you want official F5 Support or consulting you can contact F5.

Can you try testing the VIP, pool and iRule? You could add logging like this:

 
 when HTTP_REQUEST { 
  
    log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request to [HTTP::host][HTTP::uri]" 
  
     Check if Host header matches 1.1.1.1. 
     Use catch to handle non-IP Host values. 
     If IP::addr matches 1.1.1.1, $result will be 1 
    if {not ([catch {IP::addr [HTTP::host] equals 1.1.1.1} result]) && $result==1}{ 
  
       log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP check for 1.1.1.1. Replacing host header" 
       HTTP::header replace Host "www.example.com" 
    } 
 } 
 when SERVER_CONNECTED { 
   log local0. "[IP::client_addr]:[TCP::client_port]: Connected to [IP::server_addr]:[TCP::server_port]" 
 }

Aaron

msmith_64485
Nimbostratus
Jan 28, 2010
OK, thanks, actually think I am getting better support from you!!

I will add this irule, give it a try, and let you know

Thanks again

Mike
msmith_64485
Nimbostratus
Jan 28, 2010
Aaron,

Yea I know they sent me here.....

So I added the rule and am receiving the logs

Jan 28 13:48:15 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1461: Connected to 1.1.1.1:443

So I am guessing I have something wrong in my replacement rule

when HTTP_REQUEST {

Check if Host header matches 1.1.1.1.

Use catch to handle non-IP Host values.

If IP::addr matches 1.1.1.1, $result will be 1

if {not ([catch {IP::addr [HTTP::host] equals 1.1.1.1} result]) && $result==1}{

HTTP::header replace Host "example.com"

}

}

when HTTP_REQUEST {

log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request to [HTTP::host][HTTP::uri]"

Check if Host header matches 1.1.1.1.

Use catch to handle non-IP Host values.

If IP::addr matches 1.1.1.1, $result will be 1

if {not ([catch {IP::addr [HTTP::host] equals 1.1.1.1} result]) && $result==1}{

log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP check for 1.1.1.1. Replacing host header"

HTTP::header replace Host "example.com"

}

}

when SERVER_CONNECTED {

log local0. "[IP::client_addr]:[TCP::client_port]: Connected to [IP::server_addr]:[TCP::server_port]"

}
hoolio
Cirrostratus
Jan 28, 2010
So that log line shows the connection being established with the server. Do you see a log line from these two previous log lines?

log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request to [HTTP::host][HTTP::uri]"

log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP check for 1.1.1.1. Replacing host header"

Aaron
msmith_64485
Nimbostratus
Jan 28, 2010
Jan 28 13:58:50 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1688: Connected to 1.1.1.1:443

Jan 28 13:58:51 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1689: GET request to 2.2.2.2:1234/Example.svc?wsdl

Jan 28 13:58:51 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1689: Connected to 1.1.1.1:443

Jan 28 13:58:53 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1690: GET request to 2.2.2.2:1234/Example.svc?wsdl

Jan 28 13:58:53 tmm tmm[1616]: Rule Test_Log : 10.10.101.183:1690: Connected to 1.1.1.1:443

1.1.1.1 is external pool node address

2.2.2.2 is internal VIP address
hoolio
Cirrostratus
Jan 28, 2010
Okay, so the iRule is looking for a request which contains the host header of 1.1.1.1. If the VIP is 2.2.2.2, then you can change the rule to check for 2.2.2.2. Or if you just want to rewrite the host header for all requests, you can remove the if check:

when HTTP_REQUEST { Replace the host header with www.example.com HTTP::header replace Host "www.example.com" }

Aaron
msmith_64485
Nimbostratus
Jan 28, 2010
Aaron,

Isn't the log catching both the 1.1.1.1 and 2.2.2.2 traffic now? the thing that is missing is the change from 1.1.1.1 to example. Or am I missing something?

Mike

Forum Discussion

IP to FQDN

30 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Automating Certificate Management on F5 BIG-IP

FQDN nodes in non-default route domains

Use Fully Qualified Domain Name (FQDN) for GSLB Pool Member with F5 DNS

Pool Member with FQDN

BIG-IP security hardening and compliance checks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS