Forum Discussion

aj11's avatar
aj11
Icon for Nimbostratus rankNimbostratus
Nov 20, 2017

iRule Redirect by IP?

We're decommissioning a site where the web servers are behind a VIP. What we've done so far is remove the DNS entry so it is no longer accessible by entering the URL for it. Security scans are still able to reach it, however, as entering the public IP for it still allow it to connect to the backend hosts (which currently throw back a 503 error). We have a few redirects in an iRule for that VIP since the public IP is still used for other things and CNAMES, so I want to prevent external access to those hosts. I was thinking of adding a statement using the public IP as the header, the forwarding it to "our.production.website.com" as shown below, but I'm unsure if you can use the public IP in such a statement (shown at the bottom). Can we do this? Here is what we currently have in the iRule:

when HTTP_REQUEST {
if {[HTTP::host] eq "alphasite.web.site.com"} {
    HTTP::respond 301 Location "https://test1.web.site.com[HTTP::uri]\r\nStrict-Transport-Security: max-age=31536000"
}
elseif {[HTTP::host] eq "betasite.web.site.com"} {
    HTTP::respond 301 Location "https://test2.web.site.com[HTTP::uri]\r\nStrict-Transport-Security: max-age=31536000"
}
elseif { ([HTTP::host] eq "oldproduction.website.com" || [HTTP::host] eq "backupproduction.website.com") } {
    HTTP::respond 301 Location "https://our.production.website.com[HTTP::uri]\r\nStrict-Transport-Security: max-age=31536000"
}

}

elseif {[HTTP::host] eq "20.30.30.40"} {        HTTP::respond 301 Location "https://our.production.website.com[HTTP::uri]\r\nStrict-Transport-Security: max-age=31536000"    }
1 public ip
application delivery
devops
iRules
LTM
  • Only1masterbla1's avatar
    Only1masterbla1
    Icon for Cirrus rankCirrus
    Nov 20, 2017

    Certainly you can use IP address. If non-standard port is being used (e.g. https://1.2.3.4:9999), you may need to get fields for HTTP::host where field 1 will 1.2.3.4 and field 2 would be 9999.

     

  • Vijay_E's avatar
    Vijay_E
    Icon for Cirrus rankCirrus
    Nov 20, 2017

    You can use [HTTP::host]. Also, assuming all the sites have specific redirects, you can also use an "else" statement to send all traffic that doesn't match alphasite or betasite to https://our.production.website.com[HTTP::uri]. In short, anything that doesn't match any previous statement will be sent to the site provided by the last else statement.

    So, this will be the last statement in your iRule:

    } else { HTTP::respond 301 Location "https://our.production.website.com[HTTP::uri]\r\nStrict-Transport-Security: max-age=31536000" }