Therap_Ops_1222
May 04, 2015

iRule for pool selection based on HTTP::URI

Hello

We have 2 pools with different sets of application servers. Pool_1 contains a few WebLogic servers and Pool_2 contains a few Tomcat servers. We want to redirect clients to a specific pool based on URI. We are trying to use the following iRule, but it seems that when a specific URI is matched the URL is being redirected to HTTP instead of HTTPS. The default pool is always being redirected to HTTPS as expected. Below is the iRule.

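when CLIENT_ACCEPTED {
    # Remember the pool assigned to the virtual server
    set DEFAULT_POOL [LB::server pool]
}

when HTTP_REQUEST {
    # Send /states requests to the "states" pool, everything else to the default
    if { [HTTP::uri] starts_with "/states" } {
        pool states
    } else {
        pool $DEFAULT_POOL
    }
}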

6 Replies

  • How is your "states" pool set up? Is it configured to use port 80 instead of 443? If so, that is probably your issue. There is nothing in this iRule that is doing an HTTP redirect.

     

  • My default VS is "prod_vs" on 443 and the default pool is "prod_pool" with 4 members (app{1-4}:7001). I'm doing SSL offloading on LTM. This has been working for me for years. Now I got a new requirement where I had to create a new pool "states_pool" and assign 2 members (app{4,5}:8080) to this pool. My goal is that if clients hit https://secure.mydomain.com then LTM would forward the request to "prod_pool", and if clients hit https://secure.mydomain.com/states/ then LTM would forward the request to "states_pool". That is why I was trying to use the iRule.

     

    With the iRule when I hit https://secure.mydomain.com it's working as expected but when I hit https://secure.mydomain.com/states/ it's being redirected to http://secure.mydomain.com.

     

  • I added some logs and hit both URLs, and here is the log.

     

    May 4 13:00:03 ltm01-sj info tmm[11190]: Rule /Common/_forward_states : Selecting default pool as first condition failed.
    May 4 13:00:23 ltm01-sj info tmm[11190]: Rule /Common/_forward_states : URI matched. Selecting states pool.

     

  • Do you see the browser address bar change to http://secure.mydomain.com? If so, someone is sending an HTTP redirect, but it is not this iRule. The web servers could be doing it, or do you have an http class or something configured on this virtual server?

     

    Redirecting to the states pool via this iRule would be transparent to the user.

     

  • Hi

    It turned out there isn't an easy way to configure SSL offloading for Tomcat, or at least I don't know of any. So I updated the iRule as follows.

    when HTTP_REQUEST {
        # Select the pool by URI prefix
        if { [HTTP::uri] starts_with "/foo" } {
            pool foo
        } else {
            pool bar
        }
    }

    when HTTP_RESPONSE {
        # Rewrite 302 redirects for /foo that the server issued with an http:// URL
        if { [HTTP::status] contains "302" && [HTTP::header Location] contains "http://" && [HTTP::header Location] contains "/foo" } {
            HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
        }
    }
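
A stricter variant of the Location rewrite from the last reply, added here as an example and not part of the original thread. It covers every redirect status, rewrites only the scheme at the start of the URL (the `string map` above also replaces any `http://` inside a query string), and acts only when the redirect points back at the host the client requested. The pool names `foo` and `bar` come from the post; the `req_host` variable and the port handling are assumptions.

```tcl
when HTTP_REQUEST {
    # Host the client asked for, lower-cased and without any ":port" suffix
    # (assumes a hostname, not an IPv6 literal).
    set req_host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    if { [HTTP::uri] starts_with "/foo" } {
        pool foo
    } else {
        pool bar
    }
}

when HTTP_RESPONSE {
    # HTTP::is_redirect is true for any 30x redirect, not only 302.
    if { ![HTTP::is_redirect] } { return }

    set loc [HTTP::header value Location]

    # Relative and https:// Locations need no change.
    if { ![string match -nocase "http://*" $loc] } { return }

    # Split "host[:port]" from the path that follows "http://" (7 characters).
    set rest  [string range $loc 7 end]
    set slash [string first "/" $rest]
    if { $slash < 0 } {
        set authority $rest
        set path "/"
    } else {
        set authority [string range $rest 0 [expr {$slash - 1}]]
        set path      [string range $rest $slash end]
    }
    set loc_host [string tolower [lindex [split $authority ":"] 0]]

    # Rewrite only redirects back to this site; redirects to other hosts pass
    # through unchanged. The backend port (for example 8080) is dropped so the
    # client returns to the HTTPS virtual server.
    if { $loc_host eq $req_host } {
        HTTP::header replace Location "https://$req_host$path"
    }
}
```

Because the rule no longer tests for `/foo`, it also covers redirects issued by members of the `bar` pool.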