Forum Discussion
iRule redirect with URL masking and URI rewrite
- Aug 09, 2017
Hi,
You can't achieve what you are expecting without using iframes. But I strongly discourage you to use them for security reasons.
You can instead redirect to a relative path and then forward the request to the correct backend server :
`
when HTTP_REQUEST { if { [HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/" } { HTTP::redirect "/apm/rest/MOBILITY/authService/1.0" return } if {[HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/apm/rest/MOBILITY/authService/1.0"} { node myserver01 9001 return } }
`
Hi,
You can't achieve what you are expecting without using iframes. But I strongly discourage you to use them for security reasons.
You can instead redirect to a relative path and then forward the request to the correct backend server :
`
when HTTP_REQUEST {
if { [HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/" } {
HTTP::redirect "/apm/rest/MOBILITY/authService/1.0"
return
}
if {[HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/apm/rest/MOBILITY/authService/1.0"} {
node myserver01 9001
return
}
}
`
- krmidhun_323560Aug 09, 2017Nimbostratus
Thanks Yann for the prompt response. I am a newbie to iRuling. So isn't it just possible to redirect https://buyer.abc.com to without using a pool or node in the backend and let the redirection itself take care of the traffic getting forwarded to the server.
Another thought is that can we use the pool instead of node while using the relative path method?
- Yann_Desmarest_Aug 09, 2017Nacreous
Redirecting the user mean that the browser will issue a request to the provided URL.
If the URL is absolute, the browser will issue a request to myserver01 on tcp port 9001.
If myserver01 resolve a virtual server IP, then the request will go through the Bigip.
otherwise, the request will be issued to the backend server without reaching the bigip.
You can also use the pool command instead of node.
Hope it help
- krmidhun_323560Aug 10, 2017Nimbostratus
Hi Yann,
This one worked fine and I was able to map the virtual server instead of the node. However the issue is that the subsequent URIs are not working after the first page is loaded fine. So I removed the redirection part and configured the following iRule to send the traffic directly to the virtual server.
As the initial request comes on port 443, I created a virtual server with port 443 and called the following iRule without adding any pool to it. Also configured another virtual server with port 9001 and added pool with member listening on port 9001. However this doesn't work for some reason
when HTTP_REQUEST {
if { [HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/" } { virtual buyer_vs_9001 return }
- Yann_Desmarest_Aug 10, 2017Nacreous
You may have an SSL issue.
Can you make sure that there is no SSL Server profile on the first Virtual Server ?
What is the configuration of both VS ?
- krmidhun_323560Aug 10, 2017Nimbostratus
I removed the SSL server profile, but still no go. Here is the virtual server config
ltm rule /Common/test1 { when HTTP_REQUEST {
if { [HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/" } { virtual buyer_vs_9001 return }
ltm virtual /Common/buyer_vs_https { destination /Common/172.28.8.180:443 ip-protocol tcp mask 255.255.255.255 profiles { /Common/CERT_Wildcard_2017 { context clientside } /Common/spsite_http { } /Common/tcp-lan-optimized { } } rules { /Common/test1 } source 0.0.0.0/0 source-address-translation { type automap } translate-address enabled translate-port enabled
ltm virtual /Common/buyer_vs_9001 { destination /Common/172.28.8.180:9001 ip-protocol tcp mask 255.255.255.255 persist { /Common/spsite_srcip { default yes } } pool /Common/buyer_https_pool profiles { /Common/CERT_Wildcard_2017 { context clientside } /Common/serverssl { context serverside } /Common/spsite_http { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled
- Yann_Desmarest_Aug 10, 2017Nacreous
Ok so, you configured as follow :
Your backend is listening on port 9001 but require http or https ?
Based on this configuration and assuming that the backend is HTTPS too, you should have :
buyer_vs_https
- SSL Client Profile
- SSL Server Profile
buyer_vs_9001
- SSL Client Profile
- SSL Server Profile
The rest of the configuration looks fine.
Now you should check the request/response on the client side.
If the client is redirected back to buyer_vs_9001, it may not work in direct because you don't have SNAT enabled and Firewall rules block the connection.
- krmidhun_323560Aug 11, 2017Nimbostratus
I added both SSL client and server profiles to both virtuals and also enabled SNAT (automap), but I get http 404 status code when I hit the URL. Could this be because of the reason that the internal URL is hard coded on the server with the servername myserver01:9001?
So in this case, can we first redirect the URL to the internal one and then forward the request to the virtual and also make the internal URL not visible to the client?
- krmidhun_323560Aug 16, 2017Nimbostratus
Could someone help with this iRule please?. The URL rewrite to change the URL and also mask the internal URL so that client don't see it. Also the traffic needs to go through the virtual on port 9001 after the rewrite.
- Yann_Desmarest_Aug 16, 2017Nacreous
Hi,
You can write an irule to modify the Host header :
when HTTP_REQUEST { if { [HTTP::host] contains "buyer.abc.com" and [HTTP::path] eq "/" } { HTTP::header replace "Host" "myserver01:9001" virtual buyer_vs_9001 return } }
- krmidhun_323560Aug 16, 2017Nimbostratus
Thanks Yann for the response. I tested this, but still didn't work. So with the URL rewrite, is the client asked to access myserver01:9001, which is not resolved over Internet and that could be the cause of the issue?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com