Forum Discussion

MatthewStyles_3's avatar
MatthewStyles_3
Icon for Nimbostratus rankNimbostratus
Mar 20, 2017

iRule for custom traffic flow

Hi!

 

We currently have a setup where we have a HTTPS website which customers can upload both text and media (Sound or video) to a server and this data is stored in the cloud. This data is then passed onto another server on our premises for manual inspection.

 

I am looking to use our virtual F5 LTM (Which sits between the two above servers) to decrypt the HTTPS traffic and if it sees a file attachment pass the attachment off to one server and if it does not see any file attachment to then encrypt the data again and pass it to a different server.

 

I can decrypt the traffic no problems however I am a bit stuck with the traffic flow. I am lead to believe this is possible with an iRule, although I have no experience of these (Beyond reading what I have found on-line)

 

Is this possible with the F5 and can anyone point me in the right direction regarding the triggers I would potentially be using? Apologies for my lack of knowledge!

 

Many thanks Matt

 

  • Matt,

    To perform this action, there are a couple things you need.

    1. Client-ssl and server-ssl profile on the virtual server.
    2. Identify requests with content.

    Here is a simple example iRule that should accomplish what you need. I'm working under the assumption any POST will have content you want to inspect.

    when HTTP_REQUEST {
        if {![info exists DEFAULT_POOL]} { set DEFAULT_POOL [LB::server pool] }
    
        set INSPECT 0
        if {[HTTP::method] eq "POST"} {
             request should contain conent, select server the inspection pool
            pool inspection_servers
            set INSPECT 1
        } else {
            pool $DEFAULT_POOL
        }
    }
    when SERVER_CONNECTED {
         do not encrypt server-side if destined to inspection pool
        if {$INSPECT} { SSL::disable }
    }
    

    If you use a OneConnect profile, you should be able to remove the default pool selection as long as you're not running 11.5.3 HF2 or 12.0.0 - 12.0.0 HF3.

    when HTTP_REQUEST {
        set INSPECT 0
        if {[HTTP::method] eq "POST"} {
             request should contain conent, select server the inspection pool
            pool inspection_servers
            set INSPECT 1
        }
    }
    when SERVER_CONNECTED {
         do not encrypt server-side if destined to inspection pool
        if {$INSPECT} { SSL::disable }
    }
    

    As with anything, there is often more than one answer. Hopefully this will at least point you in the right direction.

  • Matt,

    To perform this action, there are a couple things you need.

    1. Client-ssl and server-ssl profile on the virtual server.
    2. Identify requests with content.

    Here is a simple example iRule that should accomplish what you need. I'm working under the assumption any POST will have content you want to inspect.

    when HTTP_REQUEST {
        if {![info exists DEFAULT_POOL]} { set DEFAULT_POOL [LB::server pool] }
    
        set INSPECT 0
        if {[HTTP::method] eq "POST"} {
             request should contain conent, select server the inspection pool
            pool inspection_servers
            set INSPECT 1
        } else {
            pool $DEFAULT_POOL
        }
    }
    when SERVER_CONNECTED {
         do not encrypt server-side if destined to inspection pool
        if {$INSPECT} { SSL::disable }
    }
    

    If you use a OneConnect profile, you should be able to remove the default pool selection as long as you're not running 11.5.3 HF2 or 12.0.0 - 12.0.0 HF3.

    when HTTP_REQUEST {
        set INSPECT 0
        if {[HTTP::method] eq "POST"} {
             request should contain conent, select server the inspection pool
            pool inspection_servers
            set INSPECT 1
        }
    }
    when SERVER_CONNECTED {
         do not encrypt server-side if destined to inspection pool
        if {$INSPECT} { SSL::disable }
    }
    

    As with anything, there is often more than one answer. Hopefully this will at least point you in the right direction.

    • MatthewStyles_3's avatar
      MatthewStyles_3
      Icon for Nimbostratus rankNimbostratus

      Hi Jeremy!

       

      Wow! Thank you for the quick response! As I understand it, the http POST method is used when uploading a file to a server, however in our instance, the upload has already been completed to our internet server, and it is this server that is then transferring the data via HTTPS to our internal server via the F5 in question, so I don't think the F5 would see a HTTP POST request? I may be wrong, my understanding of HTTP processes is limited!

       

      Many thanks Matt

       

    • Jeremy_Church_3's avatar
      Jeremy_Church_3
      Icon for Cirrus rankCirrus

      Matt,

       

      It is quite possible I did not understand your original question. Here is my interpretation.

       

      Current configuration:
      1. File transferred from client to server_1 via HTTPS and F5 virtual server.
      2. File transferred from server_1 to server_2 via HTTPS and F5 virtual server.
      Desired configuration:
      1. File transferred from client to server_1 via HTTPS and F5 virtual server.
      2. File transferred from server_1 via HTTPS and F5 virtual server to:

         

        a. server_2 via HTTPS if there is no attachment.

         

        b. server_3 via HTTP if there is an attachment.

      Is this correct? Are there any additional steps or something else missing?

       

      In step 2, if an HTTP(S) transfer is initiated from server_1 to server_2, server_1 is acting as an HTTP client.

       

    • MatthewStyles_3's avatar
      MatthewStyles_3
      Icon for Nimbostratus rankNimbostratus

      Hi Jeremy,

       

      Apologies for the wait, over the last week we've had a redesign of the application which now means that my original question no-longer applies to our situation. I didn't want to be one of those guys that never come back after an answer is given and so I just wanted to say thank you for helping me out, it really is very much appreciated.

       

      iRules are definitely something I will need to understand further and your answer was a very good start in helping me understand how they operate.

       

      Thanks again Matt