Forum Discussion
iRule for HTTPS IP:port redirection
Hello,
I am trying to write an iRule to redirect HTTPS traffic to a specific IP:port based on the input URI. As an example, if the URL is https://abc.com/data it should be redirected to https://192.168.1.1:1000, else if the URL is https://abc.com/info it should be redirected to https://192.168.1.2:2000 (abc.com has a public IP address).
On my virtual server I have applied SSL profiles (both clientssl and serverssl), an HTTP profile and the TCP protocol. It successfully redirects the traffic if port 443 is used on the end servers, but the problem arises when we need to redirect the traffic to different port numbers (1000 and 2000 as an example).
I would appreciate it if someone could help me figure this out.
Right now my iRule is as follows:
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri contains "data" } then {
            HTTP::redirect "https://192.168.1.1:1000"
        } elseif { $uri contains "info" } then {
            HTTP::redirect "https://192.168.1.2:2000"
        }
    }
8 Replies
- The_Bhattman
Nimbostratus
Hi Dew, what kind of message are you getting when you run the iRule?
-=Bhattman=-
- Dew_Jun_159953
Nimbostratus
As soon as I type the URL in IE and press Enter, I get a security certificate warning (which I assume is from the F5 due to the clientssl profile), and then I get stuck there. Clicking on 'Continue to this website (not recommended)' does not go through. And in my F5 statistics I do not see any hits on the nodes (I do see statistics go up for my virtual server and iRule).
BTW, a correction on my iRule:
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::uri]]
        if { $uri contains "data" } then {
            HTTP::redirect "https://192.168.1.1:1000/data"
        } elseif { $uri contains "info" } then {
            HTTP::redirect "https://192.168.1.2:2000/info"
        }
    }
It seems that my iRule does not take effect (although statistics indicate that it is getting hit).
One more thing: I wouldn't want our customers to see our private IP address in the URL if the iRule was working. Please advise if I should take a different approach.
Thanks, Dew
- giltjr
Nimbostratus
Personally, I would set up two pools and select a different pool based on the URI. That way your users see the same virtual host. By doing a redirect, you need to have at least two virtual hosts, one for each port, unless your virtual host is set up to accept traffic on all ports, in which case you would need an iRule to filter the ports you want.
    when HTTP_REQUEST {
        if { [string tolower [HTTP::uri]] contains "/data" } {
            pool pl_data
        } elseif { [string tolower [HTTP::uri]] contains "/info" } {
            # Tcl's if takes "elseif", not "else if"
            pool pl_info
        }
        # (the original post is cut off after a trailing "else" here)
    }
- Dew_Jun_159953
Nimbostratus
Thanks for the advice. I have created 2 pools including IP:port, like pool pl-data has member 192.168.1.1:1000 and pool pl-info has member 192.168.1.2:2000,
and I changed my iRule to what was recommended above. Now the F5 statistics indicate that the pool members (192.168.1.1:1000 and 192.168.1.2:2000) are getting hit, but on the end servers (192.168.1.1 and 192.168.1.2) port 443 is getting hit, which is not the desired destination port.
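The following is an added example of giltjr's pool-selection approach, written for this page and not code posted by anyone in the thread. The pool names pl_data and pl_info and the paths /data and /info come from the thread; the path-only matching, the exact-prefix test and the fail-closed default branch are assumptions about what a tightened version should do. Two points worth noting: [HTTP::uri] includes the query string, so a "contains" test on it lets a client steer a request into a pool by appending ?x=data, whereas [HTTP::path] does not; and with pool selection the LTM opens its own server-side connection to the member's port, so the client never sees the back-end address or port in a Location header, which addresses Dew's concern about exposing private IPs.

```tcl
# Added example (not from the thread): route by URI path to a pool instead of
# issuing an HTTP::redirect to the back-end IP:port.
when HTTP_REQUEST {
    # Match on the path only. [HTTP::uri] would also include the query string,
    # so "contains" on it could be steered by a client-supplied parameter.
    set path [string tolower [HTTP::path]]

    if { $path eq "/data" || $path starts_with "/data/" } {
        # Member 192.168.1.1:1000 (from the thread); LTM connects to the member's
        # port on the server side, so port 1000 is what the server should see.
        pool pl_data
    } elseif { $path eq "/info" || $path starts_with "/info/" } {
        # Member 192.168.1.2:2000 (from the thread).
        pool pl_info
    } else {
        # Nothing matched: fail closed rather than fall through to whatever
        # default pool the virtual server happens to have. If a catch-all pool
        # is intended, replace this with "pool <default-pool>" (assumption).
        reject
    }
}
```

The exact-prefix test ("/data" or "/data/...") is deliberately stricter than "contains": it will not match "/database" or a path that merely mentions "data" somewhere, and it keeps the routing decision out of the hands of whoever controls the query string.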
- giltjr
Nimbostratus
I would do a packet capture on the F5 using tcpdump, and you can use Wireshark to look at it.
If the pool members have :1000 and :2000, that is what the F5 is sending to.
Do you have those servers defined in another pool that has port 443?
- Dew_Jun_159953
Nimbostratus
Those servers are not used in any other pool. I'll do a packet capture next week. I am very new to F5. Can you please walk me through effective packet capturing? Thanks a lot.
- giltjr
Nimbostratus
SSH to the F5 as root,
change to the /shared directory and issue the command:
tcpdump -s 0 -i any tcp "host 192.168.1.1 or host 192.168.1.2" -w file01.pcap &
Keep track of the PID number. Run your test, then:
kill <PID>
where <PID> is the PID. Then transfer the file to your computer using sftp and use Wireshark.
Since the traffic is encrypted, if you want to look at what is in the packets you will need the private key.
- giltjr
Nimbostratus
Oops, that should be:
tcpdump -s 0 -i any "host 192.168.1.1 or host 192.168.1.2" -w file01.pcap &