For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jrich523_118173's avatar
jrich523_118173
Icon for Nimbostratus rankNimbostratus
Mar 31, 2014

irule pool redirect based on port and host header

I would like to setup a single virtual server with the sevice port set to 0 (all) and i'd like to make sure it only services certain ports, for now 80/443, but i could potentially build it out more. So I have a couple of questions.

1) Does the 'when HTTP_REQUEST' filter based on port or traffic type 2) Should/can i nest events - CLIENT_ACCEPTED/HTTP_REQUEST? 3) How would i add an if port is 123 go to pool_test_123, based on question 1, if this it HTTP traffic does the HTTP_REQUEST apply?

I have this iRule currently and its fine, but it doesnt take in to account any odd ball ports, so im not sure what the best way to construct this is. I saw this https://devcentral.f5.com/questions/virtual-server-multiple-service-ports and wasnt sure if i had to nest the events or handle them separately.

Here is the current iRule that only takes in to account 80/443 (i think)

when HTTP_REQUEST {
    build pool name from header,   Pool_Sub_Port

    set hostpool pool_[string tolower [getfield [HTTP::host] "." 1]]_[TCP::local_port]

    if { [catch {pool $hostpool} exc] } {
         host header doesnt match a pool, send to default http/https pool
        if{ [catch {pool pool_www_[TCP::local_port]} exc]} {
            if for some reason the port isnt 80/443 go to 80
            pool pool_www_80
        }
    }
}
application delivery
devops
iRules
LTM

1 Reply

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Mar 31, 2014

    1) Does the 'when HTTP_REQUEST' filter based on port or traffic type

    The HTTP events and commands are enabled when you apply an HTTP profile to the virtual server. It doesn't really matter what the actual port is, as long as the HTTP "filter" can detect HTTP-specific protocol data in the TCP payload.

    2) Should/can i nest events - CLIENT_ACCEPTED/HTTP_REQUEST?

    These events generally operate at different layers of the stack, so it's absolutely useful to use them both in a single iRule. How you use them depends on what you're trying to do though.

    3) How would i add an if port is 123 go to pool_test_123, based on question 1, if this it HTTP traffic does the HTTP_REQUEST apply?

    The important thing to understand here is the notion of connection-based context. In other words, context is based on a TCP connection/session. A CLIENT_ACCEPTED event happens first and can see all of the data at layer 4 (TCP payload, IP addresses, etc.). An HTTP_REQUEST event is triggered at layer 7 and can see all of the HTTP-specific protocol data - plus all of the data collected in earlier layers. So the following would be useful:

    when HTTP_REQUEST {    
    if { [TCP::local_port] equals "123" } {        
        pool test_123_pool
    } else {        
        pool normal_pool
    }
}