For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fxn-f5-bot_3543's avatar
fxn-f5-bot_3543
Icon for Nimbostratus rankNimbostratus
Feb 27, 2019

iRule or policies based redirection based on HTTPS username behind a GTM

Hi, I am looking into a requirement to redirect client's traffic to a particular vip/pool based on client's username. The requirement is to have this feature for services running behind a GTM wid-ip....
application delivery
BIG-IP DNS
iRules
Andy_McGrath's avatar
Andy_McGrath
Icon for Cumulonimbus rankCumulonimbus
Feb 27, 2019

The F5 GTMs are never going to see the HTTPS request so not possible for any selection to take place on the DNS side.

Better option would be to forward to an LTM Virtual Server and use make the selection to forward to a select pool or another Virtual Server. You can do with with an iRule or a Traffic Policy.

Create a data group named 

userToPoolMappingDG
and populate with Usernames and associated Pool names (make sure they are valid Pool names and they can include full path if required e.g. 
/production/BobsPool
) and you can us the following iRule to do the pool selection:

when CLIENT_ACCEPTED {
    set default_pool [LB::server pool]
}

when HTTP_REQUEST {

    if {[HTTP::username] ne ""}{
        set pool_name [class match -value [HTTP::username] equals userToPoolMappingDG]

        if {($pool_name ne "") && ([active_members $pool_name] > 0)}{
            pool $pool_name
            return
        }
    }
    pool $default_pool
}

This iRule can be changed if needed to allow multiple matches by using the 

starts_with
, 
contains
or 
ends_with
operator in the 
class match
command.