doug_25397
Aug 01, 2011

irule forward proxy w/ dns resolution

Greetings,

Currently we use our F5 for an outbound proxy to the internet. This works, as I have an internal VIP listening on an IP and port. Traffic comes in and gets load balanced to a pool with external IPs; however, we have run into somewhat of a snag. Some of our external connections use a GTM solution that makes one datacenter active at a time (active standby). What I would like to do is either have an iRule that resolves DNS on every request and updates the pool with the IP it resolves and removes the one not being used, OR use an iRule that resolves the DNS name and points traffic to that IP. I'm currently running v9.4.8.

I'm not exactly an expert on iRules, so any help would be appreciated. Thanks in advance.
  • Hi Doug,

    Are you looking to send this traffic based on HTTP Request?

    Bhattman

  • Bhattman,

    I think that would work. Upon HTTP request it resolves said domain and then either updates the pool or just forwards traffic to its resolved IP. Not sure if a pool can be done, as it would need to disable or remove any members that existed beforehand.
  • Also, since the request comes in on RFC 1918 space, i.e. the app sends the request to the VIP, which is a 1918 IP, I'd want to be able to specify the domain inside the iRule. As in, it's a static variable. In a perfect world, extracting the FQDN from the URI would probably be the way to go long term, but I'm not in a position to have the app redone at this point. I'm okay with having multiple iRules.

    Hope that makes sense.

    Doug

  • Hi Doug,

    Take a look at the following forum post. Hoolio had posted up a Web Proxy iRule, which isn't a full-blown proxy, but it's sending traffic based on DNS resolution. This was more or less built for version 9.x. With the release of version 10 there is room for improvement on the code.

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/85518/showtab/groupforums/Default.aspx

    I hope this helps

    Bhattman

  • Bhattman,

    I'm sorry to say that his iRule does things quite a bit differently. To start off with, the URIs I get don't have a header and are not absolute. The application is pointed to a 10.x IP and then gets passed on to the actual server. Plus, the connections between the F5 and the actual server are SSL. When I say some server I mean like https://microsoft.com, which we don't connect to (just an example), but the way it's set up in the F5 is traffic comes to an RFC 1918 VIP on HTTP, and gets translated to the pool that has microsoft.com ip:443 with a serverssl profile set up. I think my flaw is going to be that the iRule can't negotiate an SSL connection. Any thoughts on this? There should be some way for the F5 to resolve DNS on the fly and still use the VIP to create an SSL connection to said IP (server-side SSL).
  • Hi Doug,

    You can proxy traffic like this with a server SSL profile on the VS. You can resolve hostnames to IPs using RESOLV::lookup (or in v9 NAME::lookup). You can use the node command to set the destination address (and port).

    Aaron
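
An iRule along the lines Aaron describes, added here as an example and not code posted in the thread: it resolves a statically configured name with RESOLV::lookup, refuses empty or internal answers, and sends the request to the result with node. The hostname, resolver address and port are placeholder assumptions, and on v9 NAME::lookup would take the place of RESOLV::lookup.

```tcl
# Added example, not from the thread. Attach to the internal HTTP virtual
# server, which also carries the server SSL profile for the server side.
when RULE_INIT {
    # Assumed placeholder values: set the real upstream name and resolver.
    set static::upstream_fqdn "upstream.example.com"
    set static::dns_server    "192.0.2.53"
    set static::upstream_port 443
}

when HTTP_REQUEST {
    # Look up the A record(s) for the statically configured name.
    set ips [RESOLV::lookup @$static::dns_server -a $static::upstream_fqdn]
    set ip  [lindex $ips 0]

    # No answer: fail closed instead of sending the request somewhere stale.
    if { $ip eq "" } {
        log local0. "No A record for $static::upstream_fqdn"
        HTTP::respond 502 content "Upstream name did not resolve"
        return
    }

    # The upstream is external, so an answer in private or loopback space
    # is treated as a bad DNS response and the request is refused.
    if { [IP::addr $ip equals 10.0.0.0/8] ||
         [IP::addr $ip equals 172.16.0.0/12] ||
         [IP::addr $ip equals 192.168.0.0/16] ||
         [IP::addr $ip equals 127.0.0.0/8] } {
        log local0. "Refusing $ip returned for $static::upstream_fqdn"
        HTTP::respond 502 content "Upstream address rejected"
        return
    }

    # Send this request to the resolved address; server-side SSL comes
    # from the virtual server's server SSL profile.
    node $ip $static::upstream_port
}
```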