Forum Discussion
chris_16019
Nimbostratus
Dec 01, 2008
iRule & SNAT
Hi - I was hoping someone may be able to offer some assistance or point me at a URL that will help with some configuration work that is required.
Background - I have a backend server that has multiple IP addresses for SSL certificate purposes. I have added a new virtual server address that points to the backend server, however I am unable to add a SNAT for outgoing traffic to be hidden behind this virtual server address as the real address of the server already exists in the address pool of a different virtual server SNAT.
A pool is no good as I need a different SNAT for different website communications from the same server. So I'm thinking I need to use an iRule to change the SNAT based on a unique characteristic within the packet, something like the URL. However, after a few hours searching, the only previous examples I can find all relate to IP addresses. Is it a case of amending something like the below to have URL instead of IP address within the text, and if so, is anyone able to offer some syntax assistance?
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::local_addr] equals "A.A.A.A"] } {
        use snat Z.Z.Z.Z
    } elseif { [IP::addr [IP::local_addr] equals "B.B.B.B"] } {
        use snat Y.Y.Y.Y
    } else {
        use snat X.X.X.X
    }
}
Many thanks.
Chris
- naladar_65658
Altostratus
I am far from being an expert on such things... that being said. You might try just turning on some logging and then throw some traffic at it. That way you can see if it is even being executed.
- chris_16019
Nimbostratus
The SSL is offloaded to the F5, and it's client SSL so is unencrypted on the server side.
- dennypayne
Employee
[HTTP::host] is only valid within an HTTP_REQUEST event. If your virtual server does not have an http profile attached you will not be able to use any HTTP iRule events. So you first need to replace CLIENT_ACCEPTED with HTTP_REQUEST and then make sure your vip has an http profile. Not sure if 'use snat' is correct either, I think it's just 'snat x.x.x.x'.
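The approach described in the last reply, combined with the logging suggested earlier in the thread, as an added example that is not part of the original discussion. The hostnames and SNAT addresses are constructed placeholders, and the virtual server is assumed to have an http profile attached.

```tcl
# Added example, not code from the thread. Hostnames and SNAT addresses
# are constructed placeholders (documentation ranges). Requires an http
# profile on the virtual server, otherwise HTTP_REQUEST never fires.
when HTTP_REQUEST {
    # The Host header is client-supplied: normalise case and strip any
    # ":port" suffix, then match exact names only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "www.site-a.example" { set snat_ip "192.0.2.10" }
        "www.site-b.example" { set snat_ip "192.0.2.11" }
        default {
            # Missing or unrecognised Host header: fall back to one
            # fixed address rather than deriving anything from input.
            set snat_ip "192.0.2.12"
        }
    }

    # Source address the server-side connection will use.
    snat $snat_ip

    # Temporary logging to confirm the rule executes and which branch
    # was taken; remove once verified, since it logs every request.
    log local0. "client=[IP::client_addr] host=$host snat=$snat_ip"
}
```

Because the server-side connection is chosen when the first request is load balanced, later requests on the same keep-alive connection may reuse the SNAT address selected for the first one.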