bigipjr28_13978
Sep 04, 2014

irule for multiple webservers

Hello,

I was wondering if there was such an iRule or another solution out there that would take traffic coming in from an external IP and then direct it to the appropriate pool. The pool contains 2 webservers that hold multiple virtual server configs. We mainly use this for testing our applications externally before they go into production with customers.

The configuration is the same for every test app we do. When a new one is requested we have to use another public IP in our 32 block that we have reserved by our ISP; we only have 3 left as it sits now.

The basis of how I envisioned this is to use one public IP that would be set up on our external GTM, then CNAME records that would point to the VIP (application) that would hold the 2 dev servers on the backend.

What I would like ultimately, unless an iRule can't be used, is to have an iRule direct the request based on the testing entity's public IP to the VIP or CNAMEs. Not sure if that makes sense or if it's possible.

Thanks

 

4 Replies

  • If you're just trying to save public IPs, you want to simply consider a "super VIP". You can use an iRule, HTTP class, or policy to define pooling based on a host name. When you add a new test application, create a new pool for it and modify the iRule/class/policy accordingly.

    # Route on the lower-cased HTTP Host header; any host not listed goes to error_pool
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "aaa.test.com" { pool aaa_pool }
            "bbb.test.com" { pool bbb_pool }
            "ccc.test.com" { pool ccc_pool }
            default { pool error_pool }
        }
    }
    
  • You can do the same in HTTP classes or HTTP policy in 11.4 or later without needing an iRule.

    If you have to deal with SSL then you will need to decrypt it for the BIG-IP to see the headers. Use either a wildcard SSL certificate if they are in the same domain, or import all the certificates & keys. Then create a client SSL profile which includes those certificates and turn on Server Name Indication (SNI). Attach the profile to your virtual and go from there.

    • bigipjr28_13978
      Yeah, the application does use an SSL cert. How would I go about creating an iRule then? How would I decrypt it? Also, the FQDN in the above snippet, is that the virtual name of the VS? Might seem like a silly question; I have only done one iRule that was attached to a single VIP. If a VIP already has an iRule associated, can it include multiple iRules? So basically, can a VIP have more than one iRule associated with it? Thanks again guys
  • the application does use an SSL cert..how would I go about creating an iRule then? how would I decrypt it? also the FQDN in the above snippet is that the virtual name of the VS?

    So just to level set, I'm still assuming that you want all of the websites to flow through a single VIP, a "super VIP" if you will. If that's the case, then you have two things to deal with:

    1. The requested host name - this is what the iRule above is looking at. The FQDN in the iRule is the HTTP Host header coming from the client - the host name that the client is trying to access. The above iRule sends traffic to different pools based on this Host header.

    2. SSL offload - to even be able to use the above iRule, you must terminate the client-side SSL at the F5 with a client SSL profile. But because you have multiple hosts coming to a single VIP, and because most server certificates are bound to only one subject (server) name, and asking for a service by another name would generate a certificate error in the client's browser, there are some options that you'd need to explore. You could opt to use a wildcard (i.e. *.domain.com) cert in the client SSL profile. It's generally an expensive option, but then covers any host name under a given domain. You could opt for a "Subject Alt Name" (SAN) certificate in the client SSL profile. This is a bit less expensive usually and only contains a small list of subject names. Or you could opt for the "Server Name Indicator" (SNI) route. This relies on an extension to the TLS protocol, whereby the client sends the server name in its initial CLIENTHELLO message to start the TLS session. You can create a separate client SSL profile for each single-subject certificate, specify the server name (should be the same as the subject of the cert), and then apply all of these client SSL profiles to the VIP. The SNI process will choose the correct profile based on the user's request. It's by far the cheapest option, but requires all of your clients to support and use TLS (vs. SSLv3).

    if a VIP already has an iRule associated, can it include multiple iRules? so basically can a VIP have more than one iRule associated with it?

    Absolutely. You want to take care that multiple iRules applied to a VIP don't provide contradicting information or commands, but otherwise you can definitely apply multiple iRules to a VIP.
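As an added illustration, not code from this thread or from F5, the Python model below walks through the two stages the reply above describes for a "super VIP": the SNI host_name in the TLS ClientHello selects the client SSL profile (and so the certificate), and the HTTP Host header then selects the pool exactly as the iRule in the first reply does. It also covers the two failure modes mentioned: a client that sends no SNI at all (the SSLv3-style case) falls back to a default profile, and a Host header that does not match the SNI name is flagged. The profile and pool names, the hand-built ClientHello bytes and the fallback behaviour are all constructed for the example; on a real BIG-IP the profile matching is done by the client SSL profiles themselves, not by iRule code.

```python
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
SNI_EXTENSION_TYPE = 0

# Constructed sample config (not from the thread): one single-subject client SSL
# profile per server name, plus the host -> pool table from the iRule above.
CLIENT_SSL_PROFILES = {"aaa.test.com": "aaa_clientssl", "bbb.test.com": "bbb_clientssl"}
DEFAULT_CLIENT_SSL_PROFILE = "default_clientssl"   # used when SNI is absent or unknown
HOST_POOLS = {"aaa.test.com": "aaa_pool", "bbb.test.com": "bbb_pool", "ccc.test.com": "ccc_pool"}
ERROR_POOL = "error_pool"


def build_client_hello(server_name=None, version=(3, 1)):
    """Construct a minimal ClientHello record for testing. With server_name=None
    no extensions block is written at all, like a pre-SNI (SSLv3-era) client."""
    body = bytes(version) + b"\x00" * 32            # client_version + random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # one cipher suite
    body += b"\x01\x00"                             # compression: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None when the record is
    not a ClientHello or carries no SNI. Every length is bounds-checked so a truncated
    or malformed hello yields None instead of raising."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                            # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions: client cannot send SNI
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        p, list_end = 2, min(2 + struct.unpack("!H", data[:2])[0], len(data))
        while p + 3 <= list_end:
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace").lower()
    return None


def select_client_ssl_profile(record):
    """Stage 1: the SNI name picks the client SSL profile (and thus the certificate).
    No SNI, or a name with no matching profile, falls back to the default profile."""
    return CLIENT_SSL_PROFILES.get(extract_sni(record), DEFAULT_CLIENT_SSL_PROFILE)


def normalize_host(host_header):
    """Lower-case the Host header and drop any :port suffix and trailing dot, so
    'AAA.test.com:8443' and 'aaa.test.com.' both match the aaa.test.com entry."""
    host = host_header.strip().lower()
    if host.startswith("["):                        # bracketed IPv6 literal: never a configured name
        return ""
    return host.split(":", 1)[0].rstrip(".")


def select_pool(host_header):
    """Stage 2: mirrors the iRule's switch on [string tolower [HTTP::host]]."""
    return HOST_POOLS.get(normalize_host(host_header), ERROR_POOL)


def dispatch(record, host_header):
    """Both stages for one request. A Host header that disagrees with the SNI name is
    flagged: the client negotiated one site's certificate but asks for another site."""
    sni = extract_sni(record)
    return {
        "profile": select_client_ssl_profile(record),
        "pool": select_pool(host_header),
        "sni": sni,
        "host_matches_sni": sni is None or sni == normalize_host(host_header),
    }


if __name__ == "__main__":
    for sni, host in [("aaa.test.com", "AAA.test.com:443"), (None, "bbb.test.com"),
                      ("zzz.test.com", "zzz.test.com"), ("aaa.test.com", "bbb.test.com")]:
        print(sni, host, dispatch(build_client_hello(sni), host))
```

The `host_matches_sni` flag is the check worth keeping in mind when many names share one VIP: a mismatch is harmless for a browser that simply got a certificate warning, but a steady stream of them in the logs usually means a client or script is addressing the VIP under a name the certificate setup does not cover.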