Forum Discussion

Sriram_87174
May 16, 2013

iRule - newbie question

Hi F5 Gurus,

I am a newbie and this is my first post. My experience with iRules is very junior level. Would appreciate some expert advice on the following scenario.

1 VIP -----providing services to Http_Pool_A , Http_Pool_B, Https_Pool_A, Https_Pool_B

 

Questions -

1. 1 X Virtual IP - With Any port setup questions.

I have defined a virtual IP with service port : *All Ports

Advanced configuration options

a. Do I enable the HTTP Profile although this VIP is used for both HTTP and HTTPS traffic?

b. Port Translation - Is this required? As I want to map HTTP to HTTP and HTTPS to HTTPS, if I have this not selected I am guessing F5 will just forward the connections on the port that comes in to the same port out.

2. Applying iRules -

(a). Need to redirect to different pools based on host header requests. I am able to successfully implement the redirect based on URI for port 80. How can I include this for 443 in the same iRule (I use F5 to terminate Client SSL)?

(b). Do I need an iRule to set the ports for single VIP HTTP and HTTPS requests (I found one which doesn't seem to work, but looking at that)?

(c). I need to use both (a) and (b) iRules in one Virtual server profile. What order should I use? Or should I combine the code in one?

3. Finally, I need some suggestions on the best way to do a health check on a VIP with multiple pools. Do I create a default pool? Or do I get F5 to redirect to another pool if the health check fails for any particular pool?

Any help will be really appreciated.

Regards

Sriram.

2 Replies

  • 1a. If you're going to use HTTP-based iRules you must have an HTTP profile applied.

    1b. Considering that you're directing traffic to specific HTTP (port 80) and HTTPS (port 443) pools, then yes you should enable port translation, but it probably wouldn't hurt either way.

    2a. The important aspect of this configuration is that you're doing HTTP and HTTPS on the same VIP. It would be easier to use separate port 80 and port 443 VIPs with the same IP address. In a single VIP config, however, you need to be able to turn the client and server SSL profiles on or off based on the client request. Something like this should work:

    
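    when CLIENT_ACCEPTED {
        if { [TCP::local_port] == 80 } {
            # Plain HTTP: turn off the SSL profiles assigned to the VIP
            SSL::disable clientside
            SSL::disable serverside
        } elseif { [TCP::local_port] != 443 } {
            # drop everything else
            discard
        }
    }

    # HTTP::uri is only available once a request has been parsed,
    # so the pool selection runs in HTTP_REQUEST rather than CLIENT_ACCEPTED
    when HTTP_REQUEST {
        if { [TCP::local_port] == 80 } {
            # URI pool selection logic
            if { [string tolower [HTTP::uri]] starts_with "/foo" } {
                pool Http_Pool_A
            } elseif { [string tolower [HTTP::uri]] starts_with "/bar" } {
                pool Http_Pool_B
            }
        } elseif { [TCP::local_port] == 443 } {
            # URI pool selection logic
            if { [string tolower [HTTP::uri]] starts_with "/sslfoo" } {
                pool Https_Pool_A
            } elseif { [string tolower [HTTP::uri]] starts_with "/sslbar" } {
                pool Https_Pool_B
            }
        }
    }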
    

    With this iRule applied, you'll also want to set a client and server SSL profile on the VIP by default. When it encounters a port 80 request it'll turn them both off.

    2b. I think the above iRule covers that.

    2c. I think the above (single) iRule covers that too.

    3. Create your 4 pools and assign them their own individual monitors. The BIG-IP will handle the rest naturally.

  • Hi Kevin,

    Thanks for your time and suggestions, I will try and apply the iRule logic and see how that works.

    Appreciate your response :)

    Regards

    Sriram.