Forum Discussion
iRule - http redirect and x-forward
Hi folks,
I need help checking whether my iRule on LTM A (external) is redirecting the traffic to the LTM B VIP correctly, and whether the iRule on LTM B will help keep the user's host and URI and display the page on the servers.
LTM A (External):
-------------------------------
VS: vs_abc_com_test
Destination IP: Public IP:80
Pool: pool_efg
Member: 10.10.30.30
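iRule on VS:
    "abc.com" {
        if { [HTTP::uri] starts_with "/test" } {
            # /test traffic is sent to the LTM B VIP, source-NATed to an LTM A address
            pool pool_abc_test
            snat automap
        } else {
            # everything else is redirected to HTTPS on the same host
            HTTP::redirect "https://abc.com[HTTP::uri]"
        }
    }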
Pool in iRule: pool_abc_test
Member: 10.10.10.1 ----------------- which is the VIP on LTM B
LTM B (Internal):
-----------------------------
VS: vs_pool_abc2_test2
Dest IP: 10.10.10.1
Pool: pool_abc2_test2
Members:
20.20.20.1:80
20.20.20.2:80
iRule on VS:
    when HTTP_REQUEST {
        if { ([HTTP::uri] contains "/xyz/login.aspx") || ([HTTP::uri] contains "/uvw/login.aspx") } {
            # only add the header when the request does not already carry one
            if { not [HTTP::header exists "X-Forwarded-For"] } {
                HTTP::header insert X-Forwarded-For [IP::client_addr]
            }
        }
    }
- cjuniorNacreous
Just one question: Are the VIPs on the same box? I'm asking because it would need the "virtual vs_pool_abc2_test2" command instead of "pool_abc_test pool"; otherwise we would face ARP problems. Have you tried running this setup, and what was the outcome?
- Riaz_125436Nimbostratus
These are two different LTMs. One is Internet-facing and the other is internal. I am unable to open the page. It seems to be looping.
- cjuniorNacreous
Well, I suppose the first iRule is complete on the first LTM box, and the VS 10.10.10.1 is on port 443 with an SSL client profile enabled. Can you confirm this? If so, try to see whether traffic is arriving at the second box with the source IP of the first box, with tcpdump for example, and tell me what you see.
- kunjanNimbostratus
I guess you are doing some test with URIs starting with /test. Does it have links, like images, referring to URIs other than those starting with /test? In that case they will go into the redirect SSL page logic and get into a loop.
Also note you are doing SNAT on the external LB, so the "X-Forwarded-For" on the internal LB won't show the actual client IP. Maybe you just didn't show the insertion of X-Forwarded-For on the external LB; then it's fine.
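The SNAT point above as an added example, not part of the original thread or anyone's posted configuration: LTM A records the real client address before SNAT hides it, and LTM B keeps that header only when the connection comes from LTM A. The `switch` wrapper around the posted fragment and the address `10.10.10.254` are assumptions, and unlike the posted rule this covers every URI rather than only the two login pages.

```tcl
# --- iRule for LTM A (external), on vs_abc_com_test ---
# Assumption: the fragment in the post is one case of a switch on the Host header.
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "abc.com" {
            if { [HTTP::uri] starts_with "/test" } {
                # A client can send any X-Forwarded-For it likes; drop it.
                HTTP::header remove "X-Forwarded-For"
                # Record the real peer address before SNAT replaces it.
                HTTP::header insert "X-Forwarded-For" [IP::client_addr]
                pool pool_abc_test
                snat automap
            } else {
                HTTP::redirect "https://abc.com[HTTP::uri]"
            }
        }
    }
}

# --- iRule for LTM B (internal), on vs_pool_abc2_test2 ---
when HTTP_REQUEST {
    # Constructed placeholder: the address LTM A's SNAT automap uses
    # toward 10.10.10.1. Replace with the real self IP (or a subnet).
    set trusted_proxy "10.10.10.254"

    if { [IP::addr [IP::client_addr] equals $trusted_proxy] } {
        # Connection came from LTM A: keep the header it wrote.
        if { not [HTTP::header exists "X-Forwarded-For"] } {
            log local0.warning "LTM A sent no X-Forwarded-For for [HTTP::host][HTTP::uri]"
        }
    } else {
        # Any other source: ignore a supplied header, use the peer address.
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
}
```

With only the rule posted for LTM B, a request that already carries `X-Forwarded-For` passes through with the sender's value, and one that does not gets LTM A's SNAT address, so backend logs on the login pages never show a trustworthy client IP.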
- Riaz_125436Nimbostratus
Thanks for your input, guys. I have to get in touch with F5 support as we have proxypass coming into play as well. Thanks all.