Forum Discussion
iRule for URI / HOST based Pool redirection. (w. option to not offload SSL).
Hello,
Both new to F5 and iRules here.
Been trying to make an iRule in an F5 BIG-IP LTM 1600 for a few days.
Started off from this one ...
when HTTP_REQUEST {
    switch -glob [HTTP::path] {
        "/Organisation1/*" {
            pool P_APP_Organisation1
        }
        "/Organisation2/*" {
            pool P_APP_Organisation2
        }
        "/Organisation3/*" {
            pool P_APP_Organisation3
        }
        default {
            # the redirect target URL was lost when this page was extracted
            HTTP::redirect "
        }
    }
}
... that was based on this article. It worked "perfectly", but I quickly realized that there were some things I hadn't thought about, so I continued my work to add the following functionality.
- An "easier" manageable list of redirections.
The list might grow to ~375 different "Organisations".
Is there any better option than an array?
Part of the pool name will always reflect part of the URI or the host name.
- Option to not terminate SSL in the F5.
This is because some use smart cards for identification and signing inside the application.
Commonly the "Organisation" does not have this and SSL is offloaded in the F5.
- Redirect both with and without "/".
I ran into a problem using /Organisation3* since it takes any subsequent numbers starting with 3 as well. I then tried /Organisation3/ and /Organisation3/*, but if you do not use a trailing slash in your browser it will then fail, so I want to break out the first part of the HTTP::uri and make a redirection on that (or the subdomain of the HTTP::host in the long run).
This is what I ended up with ...
when HTTP_REQUEST {
    # Each line is meant as "path segment, pool, smart card?", but array set
    # takes a flat key/value list: this 9-element list has an odd length, so
    # array set raises a TCL error at runtime and the connection is reset.
    array set pools {
        Organisation1 P_APP_Organisation1 Y
        Organisation2 P_APP_Organisation2 N
        Organisation3 P_APP_Organisation3 N
    }
    foreach {CustPath CustPool SmartCard} [array get pools] {
        # splitting "/Organisation1/..." on "/" gives the empty string as
        # field 1 (before the leading slash); the segment is field 2
        if { [getfield [HTTP::uri] "/" 1] equals $CustPath } {
            if { $SmartCard equals "Y" } {
                SSL::disable
                HTTP::disable
            }
            pool $CustPool
            return
        }
    }
    HTTP::respond 200 Content "This site does not exist."
}
... however, it is not working ... at all. The F5 accepts it configuration-wise, but I cannot connect to any of the sites any longer. It resets the connection for all of the 3 configured organisations and I have little clue as to why.
Hints and/or parts of a solution are appreciated. Thanks in advance!
/ Jonas
4 Replies
- R_Eastman_13667 (Historic F5 Account)
I will address the option to not terminate SSL on the F5. I am assuming that the virtual server configured is set up to listen on port 443 and has an SSL profile with a valid SSL certificate? Any client that initiates the connection to this virtual server will be forced to establish an SSL connection. After the connection is established, you can redirect to a non-SSL virtual server. If you want the backend servers to terminate the SSL connection, you have to use the Performance Layer 4 virtual server type, but you lose most of your HTTP processing via iRules.
- kunjan (Nimbostratus)
The array has to be in pairs. I guess the error you are getting is from that. Instead of an array you can use data groups.
If you want to use an array, see if the following helps, using the name to get the pool name.
when HTTP_REQUEST {
    # key = first path segment, value = Y when SSL must not be offloaded
    array set pools {
        Organisation1 Y
        Organisation2 N
        Organisation3 N
    }
    # HTTP::path carries no query string (HTTP::uri does), so a bare
    # "/Organisation1?x=1" does not yield "Organisation1?x=1" as the segment.
    # Field 1 is the empty string before the leading "/", so the segment is
    # field 2, with or without a trailing slash.
    set seg [getfield [HTTP::path] "/" 2]
    # array get with a key returns the matching key/value pair or nothing.
    # Note that the key is treated as a glob pattern by array get.
    foreach {CustPath SmartCard} [array get pools $seg] {
        if { $SmartCard equals "Y" } {
            SSL::disable
            HTTP::disable
        }
        pool P_APP_$CustPath
        return
    }
    # the option keyword is lowercase "content"; any other word in that
    # position is parsed as a header name
    HTTP::respond 200 content "This site does not exist."
}
- Jonas_Isaksson_ (Nimbostratus)
Hi Both,
Yes, we have an SSL profile with a certificate on the BIG-IP F5. However, in some cases (due to the nature of the application) I cannot terminate the SSL (and switch to HTTP) in the F5 but have to pass it through to the webserver so that they can use smart cards to log in, authenticate to "third-party" connections from within the application and sign inside the application. I thank you for your tip and will look into that next. It is actually the same certificate for the server, but there is another certificate present on the webserver for the smart cards...
Kunjan, thanks for the information; that solved the first part of the problem. 🙂
This is how the code looks right now ...
when HTTP_REQUEST {
    # key = first path segment, value = Y when SSL is to be passed through
    array set pools {
        Organisation1 Y
        Organisation2 N
        Organisation3 N
    }
    foreach {CustPath SmartCard} [array get pools] {
        # field 2 of "/Organisation1/..." is "Organisation1", with or without
        # a trailing slash; HTTP::path is used rather than HTTP::uri so a
        # query string on a bare "/Organisation1?x=1" is not part of the segment
        if { [getfield [HTTP::path] "/" 2] equals $CustPath } {
            if { $SmartCard equals "Y" } {
                SSL::disable
                HTTP::disable
            }
            pool P_APP_$CustPath
            return
        }
    }
    # the option keyword is lowercase "content"; any other word in that
    # position is parsed as a header name, so the body was never sent
    HTTP::respond 200 content {NOTICE: Site Unavailable. If you believe you are receiving this message in error, contact your site administrator.}
}
The HTTP::respond isn't working at the moment, but that is a minor issue that is probably easily solved.
- R_Eastman_13667 (Historic F5 Account)
Direct communication between the node in the pool and the client is prevented when the Virtual Server is set to "Standard". If you set it to Performance Layer 4, the node can prompt the client directly for their PKI certificate.
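A data-group version of the routing, added here as an example and not code from the thread. It takes up kunjan's suggestion of data groups for the ~375-organisation list; the data group name DG_ORG_POOLS, its entries and the pool names are assumptions. It keys on the first path segment, so /Organisation3, /Organisation3/ and /Organisation3/app select the same pool while /Organisation30 does not, and it reads HTTP::path so a query string on a bare /Organisation1?x=1 is not part of the key. It deliberately does not call SSL::disable: HTTP_REQUEST only fires after the BIG-IP has completed the client-side TLS handshake and decrypted the request, so the session is already terminated on the BIG-IP at that point and the pool member can no longer challenge the client for its smart-card certificate. Those organisations belong on the separate passthrough (Performance Layer 4) virtual server R_Eastman describes, and are simply absent from this data group.

```tcl
# Added example (not from the thread). Assumes a string data group named
# DG_ORG_POOLS whose keys are organisation path segments in lower case and
# whose values are pool names, for instance (assumed entries):
#   organisation1 := P_APP_Organisation1
#   organisation2 := P_APP_Organisation2
# Organisations that need end-to-end TLS for smart-card login are not listed:
# they must be served by a passthrough virtual server, because by the time
# HTTP_REQUEST fires the client-side TLS session is already terminated here.
when HTTP_REQUEST {
    # HTTP::path excludes the query string (HTTP::uri does not). Splitting
    # "/Organisation3/app" on "/" gives "" as field 1 and "Organisation3" as
    # field 2, with or without a trailing slash. "/Organisation30" gives
    # "Organisation30", a different key, unlike the /Organisation3* glob.
    set org [string tolower [getfield [HTTP::path] "/" 2]]

    if { $org eq "" } {
        # request for "/" itself: no organisation segment to look up
        HTTP::respond 404 content "This site does not exist." noserver
        return
    }

    # Exact-match lookup: returns the pool name, or "" when the key is absent.
    # Unlike "array get pools $pattern", the client-supplied segment is not
    # interpreted as a glob pattern, so "/*/" cannot match every entry.
    set target [class match -value $org equals DG_ORG_POOLS]

    if { $target eq "" } {
        HTTP::respond 404 content "This site does not exist." noserver
        return
    }

    pool $target
}
```

Adding an organisation is then a data-group edit rather than an iRule change, and the pool name no longer has to be derived from the path segment, so the two can be renamed independently.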