Looking for an irule that will replace the IP address of outgoing traffic with the FQDN. Issue is external server does not have a valid PTR record to allow resolution. Owner of this server does not want to add PTR and communication with this server is required. If there is a better way to address this issue please direct me to it.

Do you want to check the Host header on all requests through the VIP and if it's one particular IP address, replace the value with a hardcoded value? If so, you can add an HTTP profile to the VIP and use a rule like this: when HTTP_REQUEST { Check if Host header matches 1.1.1.1. Use catch to handle non-IP Host values. If IP::addr matches 1.1.1.1, $result will be 1 if {not ([catch {IP::addr [HTTP::host] equals 1.1.1.1} result]) && $result==1}{ HTTP::header replace Host "www.example.com" } } If that's not an accurate assumption of your scenario, can you clarify what you're trying to do? Aaron

If by "outgoing: you mean response traffic then you would need to use HTTP::header replace Location "www.example.com" is hoolio's example as responses do not have a Host header. Also, if the IP address is embedded in the page you would need to use a stream profile to rewrite it. Since there seems to be only one host in question here a simple stream profile with the IP address in the Source field and the FQDN in the Target field should get it done. If there are multiple hosts in questions then you could do this with am irule: when HTTP_RESPONSE { Replace IP Addresses from HTTP responses if { [HTTP::header value "Content-Type"] contains "text"} { STREAM::expression "@1.1.1.1@host1.mysite.com@ @1.1.1.2@host2.mysite.com@ @1.1.1.3@host3.mysite.com@" STREAM::enable } else { STREAM::disable } } HTH, Joe

Hi Joe, Nice one. I wasn't sure if the original poster was trying to rewriite an outbound request or response. One note on the stream profile: it's applied to request and response payloads of both text and binary content types. So it's always a good idea to use an iRule to enable the stream filter only on the specific responses you want it for. Also, as there isn't a way to update the content-length header in requests using a stream profile and iRule, a stream profile isn't a valid option for rewriting request payloads when the find/replace strings are a different length. Aaron

Sorry for any confusion in my explanation, I will try again. We have a Apache web server that needs to send information to an external server. From what I am being told the encryption feature of this server is a resource hog so the F5 is needed for that task. The Apache server sends the information to the vip on the F5, the F5 encrypts the traffic and sends it to the pool member which is an external server. The issue I have is the node is defined by ip address 1.1.1.1 the external web server does not have a ptr record so reverse lookup will not work and connection fails. We are sending information to the external server there is no request nor is it a response. All traffic on this VIP will need to have the ip address changed to FQDN both values will stay the same. Does this make sense?

So the client is a server in your network. That Apache "client" opens a connection to the VIP and is load balanced to an external host. Does that sound about right? Who is doing a reverse lookup of the IP address to try to resolve it to a hostname? LTM doesn't need to a FQDN in the HTTP host header for load balancing. By default LTM would just translate the destination address on the TCP packets to the selected pool member and send the HTTP headers on unmodified. Is the device that needs to resolve an IP address inspecting the source or destination IP address on the packets or the HTTP host header value? Can you clarify what you've configured so far and what isn't working? Thanks, Aaron

IP to FQDN | DevCentral

30 Replies

hoolio
Cirrostratus
Jan 28, 2010
I was assuming originally that you were using a network VIP and only wanted to rewrite the host header when certain host header values were seen. If you want to rewrite the host header on all requests, you can remove the check for an IP of 1.1.1.1 (or 2.2.2.2) in the host header value.

If for some reason you do want to check that the host header value is a specific IP address before rewriting the host header, you could continue to use the if {not ([catch... line. But you'd want to check for the VIP address, not the actual server address. This is because clients who use an IP address in the host header will be making a request to the VIP address (2.2.2.2)--not the pool member IP (1.1.1.1).

Aaron
msmith_64485
Nimbostratus
Jan 29, 2010
Aaron,

Yes I need to change the request on specific traffic from ip to fqdn. The change needs to be on the traffic that is going to the pool node. So request is made from internal server to ltm, ltm sends traffic to pool node which is a server that is at a third party site. Currently traffic is trying to go out using ip address and communication fails I need to change this ip address to the fqdn so the communication can complete. I made the change you recommended and am still logging just ip addresses and connectio is still failing.

Mike
msmith_64485
Nimbostratus
Jan 29, 2010
Aaron,

Yea looks simular execpt When using ip the page can not be found when using fqdn it connects. The connection issue is between the ltm and pool member, not between requesting server and ltm.

Jan 29 09:09:18 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2112: GET request to 2.2.2.2:1234/example.svc?wsdl

Jan 29 09:09:18 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2112: Connected to 1.1.1.1:443

Jan 29 09:09:23 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2113: GET request to 2.2.2.2:1234/example.svc?wsdl

Jan 29 09:09:23 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2113: Connected to 1.1.1.1:443

Jan 29 09:09:26 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2114: GET request to 2.2.2.2:1234/example.svc?wsdl

Jan 29 09:09:26 tmm tmm[1616]: Rule Test_Log : 192.168.1.205:2114: Connected to 1.1.1.1:443

2.2.2.2 is ltm vip

1.1.1.1 is pool node member (where traffic needs to go)

1.1.1.1 needs to be server1.example.com as it leaves the ltm to the remote server

when HTTP_REQUEST {

log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request to [HTTP::host][HTTP::uri]"

Check if Host header matches 2.2.2.2

Use catch to handle non-IP Host values.

If IP::addr matches 2.2.2.2, $result will be 1

if {not ([catch {IP::addr [HTTP::host] equals 2.2.2.2} result]) && $result==1}{

log local0. "[IP::client_addr]:[TCP::client_port]: Matched IP check for 2.2.2.2 Replacing host header"

HTTP::header replace Host "server1.example.com"

}

}

when SERVER_CONNECTED {

log local0. "[IP::client_addr]:[TCP::client_port]: Connected to [IP::server_addr]:[TCP::server_port]"

}

This is the current rule based on your last recommended configuration
hoolio
Cirrostratus
Jan 29, 2010
For some reason, the check of the Host header isn't matching and the host header isn't being replaced. However, I think replacing the host header on every request makes more sense for the scenario. Can you try testing this iRule:

when HTTP_REQUEST { Replace the host header with www.example.com HTTP::header replace Host "www.example.com" }

Thanks,

Aaron
msmith_64485
Nimbostratus
Jan 29, 2010
Aaron,

If I make this change the irule will only impact the vip that is configured to use the rule correct?
msmith_64485
Nimbostratus
Jan 29, 2010
Aaron,

I made the change and am still getting the same results. Does the log need to be changed to return the host value instead of the ip?
hoolio
Cirrostratus
Jan 29, 2010
Posted By msmith on 01/29/2010 7:01 AM

Aaron,

If I make this change the irule will only impact the vip that is configured to use the rule correct?

That's correct--an iRule only affects the VIP(s) it's added to.

So you've made the change but the requests still fail?

You can use this rule to log the change:

when HTTP_REQUEST { Replace the host header with www.example.com HTTP::header replace Host "www.example.com" } when HTTP_REQUEST priority 501 { Log the host header value log local0. "[IP::client_addr]:[TCP::client_port]: Current HTTP Host: [HTTP::host]" }

Aaron
msmith_64485
Nimbostratus
Jan 29, 2010
Aaron,

OK so it looks like it is changing the value

Jan 29 11:50:52 tmm tmm[1616]: Rule Test2 : 192.168.1.205:3700: Current HTTP Host: server1.example.com:3700

Jan 29 11:50:54 tmm tmm[1616]: Rule Test2 : 192.168.1.205:3701: Current HTTP Host: server1.example.com:3701

but I still get the page can not be displayed
msmith_64485
Nimbostratus
Jan 29, 2010
What is your address?

hoolio

Cirrostratus

Jan 29, 2010

  
  aaron dot hooley at integralis dot com  
         .          @             .

Aaron

Forum Discussion

IP to FQDN

30 Replies

F5 Academy at AppWorld 2026

Aswin MK - November 2025 Featured Member

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

CVE mitigation on F5 XC vs classic F5 WAF

Could not communicate with the system. Try to reload page.

F5 XC 503 upstream_reset_before_response_started{protocol_error}

UCS Encryption Question

BIG-IP VE: 40G Throughput from 4x10G physical NICs

Related Content

Automating Certificate Management on F5 BIG-IP

FQDN nodes in non-default route domains

Use Fully Qualified Domain Name (FQDN) for GSLB Pool Member with F5 DNS

Pool Member with FQDN

BIG-IP security hardening and compliance checks

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS