Forum Discussion
NimbostratusiRule Forward client traffic to different port by source IP addresses
I have an https server receiving client connections from the Internet. All client traffic uses default https port 443. Depending on the source IP addresses, the VIP will forward the traffic to a different port in the server. The server will listen to multiple ports. The plan is not offloading SSL with a client SSL profile if it's possible. I am thinking an iRule like the following: when CLIENT_ACCEPTED {
switch [class match [IP::client_addr]] Source-IP-Datagroup1 {
--forward to pool port 5001-- }
Source-IP-Datagroup2 {
--forward to pool port 5002-- } Source-IP-Datagroup3 {
--forward to pool port 5003-- }
default { -- drop client request-- } } First, is it possible to do that? second what's the syntax to replace --forward to pool port 5001-- ? Third, I am not planning to offloading SSL, can I still use HTTP_REQUEST? Thank you in advance. Frank.
2 Replies
No, you can't use HTTP_REQUEST if you are not offloading SSL, but you can use CLIENT_ACCEPTED and source ip to determine the pool member (or port).
You can use either the node command or the pool command to specify the serverside connection:
https://devcentral.f5.com/wiki/iRules.node.ashx https://devcentral.f5.com/wiki/iRules.pool.ashx
Frank_ZhangThank you, Josiah for the quick answer. You're right, I only have one server listening multiple ports. Is the following working? when CLIENT_ACCEPTED {
switch [class match [IP::client_addr]] Source-IP-Datagroup1 {
pool serverPool 10.10.10.100 5001 }
Source-IP-Datagroup2 {
pool serverPool 10.10.10.100 5002 } Source-IP-Datagroup3 {
pool serverPool 10.10.10.100 5003 }
default { drop } } By the way, if needed I can use SSL offloading. Because the traffic needs to be encrypt again if client SSL offloading is used, so we prefer not to do it. Thanks again.Frank.
