Forum Discussion
iRule rewrite | URL hiding
Hi Guys,
Have a requirement and I'll try to provide as much details as possible to help understand.
Internet users view a web page and post a web form to: https://www.mysite.com/help/site1/search.do?book=blah
The 1st F5 (has SSL cert) receives the traffic and sends the request (including form data, URL and query string) to the 2nd F5 (without SSL cert, and managed in a different DMZ location), and the 2nd F5 points to the webserver: HTTP://news.bizsite.com:8080/ehelp/microsites. The webserver returns the data to the Internet users, but the users should still see the URL they visited (https://www.mysite.com/help/site1/search.do?book=blah).
Notes: Different protocol (https vs. http). Different hostname (www.mysite.com vs. news.bizsite.com). Different port (443 vs. 8080). Everything after "/help/site1" is passed to the target webserver. Users' Internet browser should only see "https://www.mysite.com/help/site1/..." and NOT HTTP://news.bizsite.com:8080/ehelp/microsites.
In summary: the user only ever sees the URL:
HTTPS://www.mysite.com/help/site1/search.do?something=somethingelse&more=moreplus Note: everything after "/site1/" could change, and we should account for such a scenario.
But, “end user redirection” – e.g., issuance of an HTTP 300, 301, 302 to the end user browser, should never occur, because we want to shield the end user from the actual destination URL.
Thanks, Edward
- nitass
Different Protocol ( https vs. http)
this is done on the 1st f5 by assigning clientssl profile to virtual server. clientside will be https but serverside will be http.
Different Hostname ( www.mysite.com vs. news.bizsite.com)
you can change hostname using HTTP::header replace on either the 1st f5 or 2nd f5.
HTTP::header
Different Port : 443 vs. 8080
this is translated by virtual server and pool configuration.
everything after the "/help/site1" is passed to the target webserver.
similar to hostname, uri can be changed using HTTP::uri.
HTTP::uri
Users\Internet browser should only see "https://www.mysite.com/help/site1/..." and NOT the HTTP://news.bizsite.com:8080/ehelp/microsites
address in browser won't be changed unless there is redirection.
- ERLomboy_27803
Hi Nitass, Thanks for the assistance. Would very much appreciate it if you can provide the iRule syntax, since I have very little room for error as this will be done in a Production environment. Thanks, Edward
- nitass
e.g.
1st f5

root@ve10(Active)(tmos) list ltm virtual firstvs
ltm virtual firstvs {
    destination 172.28.24.9:https
    ip-protocol tcp
    mask 255.255.255.255
    pool firstpool
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        firstrule
    }
    snat automap
}

root@ve10(Active)(tmos) list ltm pool firstpool
ltm pool firstpool {
    members {
        172.28.24.10:webcache { }
    }
}

root@ve10(Active)(tmos) list ltm rule firstrule
ltm rule firstrule {
    when HTTP_REQUEST {
        if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } {
            HTTP::header replace Host "news.bizsite.com:8080"
            HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
        }
    }
}

2nd f5

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual secondvs
ltm virtual secondvs {
    destination 172.28.24.10:8080
    ip-protocol tcp
    mask 255.255.255.255
    pool secondpool
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 5
}

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool secondpool
ltm pool secondpool {
    members {
        200.200.200.101:8080 {
            address 200.200.200.101
        }
    }
}
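An added example (not nitass's configuration above, and not tested in this thread): a fuller version of firstrule for the 1st F5 that also handles the one case where the hidden URL usually leaks, a redirect issued by the backend. The assumptions are that the backend may answer with a 3xx whose Location header carries news.bizsite.com:8080 or the /ehelp/microsites/ path (the thread never shows such a response), and that only the /help/site1/ prefix should be rewritten, leaving the rest of the path and the query string untouched. The variable name rewritten and the Location mapping table are illustrative.

```tcl
# Added example for the 1st F5: request rewrite plus response-side Location fix-up.
# Assumption: the backend behind the 2nd F5 may send 3xx responses that name
# news.bizsite.com:8080 (not shown in the thread); everything else follows the thread.
when HTTP_REQUEST {
    # Match the public host case-insensitively; HTTP::host is whatever the client sent.
    set host [string tolower [HTTP::host]]
    set rewritten 0
    if { $host eq "www.mysite.com" and [HTTP::path] starts_with "/help/site1/" } {
        # Swap only the leading prefix; "/help/site1/" elsewhere in the path is left alone.
        set rest [string range [HTTP::path] [string length "/help/site1/"] end]
        set newpath "/ehelp/microsites/$rest"
        if { [HTTP::query] ne "" } {
            HTTP::uri "$newpath?[HTTP::query]"
        } else {
            HTTP::uri $newpath
        }
        # Host the 2nd F5 and the webserver expect to see.
        HTTP::header replace Host "news.bizsite.com:8080"
        set rewritten 1
        log local0. "rewrote [IP::client_addr]:[TCP::client_port] -> [HTTP::host][HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # If the backend redirects, map the Location back onto the public URL so the
    # browser never learns the internal hostname, port, or path.
    if { [info exists rewritten] && $rewritten && [HTTP::is_redirect] && [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        set loc [string map {
            "http://news.bizsite.com:8080/ehelp/microsites/" "https://www.mysite.com/help/site1/"
            "http://news.bizsite.com/ehelp/microsites/"      "https://www.mysite.com/help/site1/"
            "/ehelp/microsites/"                             "/help/site1/"
        } $loc]
        HTTP::header replace Location $loc
        log local0. "rewrote Location for [IP::client_addr]:[TCP::client_port] -> $loc"
    }
}
```

This keeps the HTTP 3xx from the backend but changes where it points, so the "no redirection to the internal URL" requirement still holds without the browser ever seeing news.bizsite.com:8080. It does not touch absolute links inside HTML bodies or the Domain attribute of Set-Cookie headers; if the application emits either, a stream profile for bodies and HTTP::cookie domain in HTTP_RESPONSE are the usual follow-ups. Remove the two log lines once the rule is verified, since they write every request to /var/log/ltm.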
- nitass
this is trace.
1st f5

[root@ve10:Active] config ssldump -Aed -nni 0.0 -k /config/ssl/ssl.key/default.key port 8080 or port 443
New TCP connection 1: 172.28.24.1(49569) <-> 172.28.24.9(443)
1 1  1391838514.2509 (0.0391)  C>S  SSLv2 compatible client hello
1 2  1391838514.2510 (0.0001)  S>CV3.1(81)  Handshake
1 3  1391838514.2510 (0.0000)  S>CV3.1(953)  Handshake
1 4  1391838514.2510 (0.0000)  S>CV3.1(4)  Handshake
1 5  1391838514.2538 (0.0027)  C>SV3.1(262)  Handshake
1 6  1391838514.2538 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 7  1391838514.2538 (0.0000)  C>SV3.1(36)  Handshake
1 8  1391838514.2734 (0.0195)  S>CV3.1(1)  ChangeCipherSpec
1 9  1391838514.2734 (0.0000)  S>CV3.1(36)  Handshake
1 10 1391838514.2747 (0.0013)  C>SV3.1(206)  application_data
---------------------------------------------------------------
GET /help/site1/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: www.mysite.com
---------------------------------------------------------------
New TCP connection 2: 172.28.24.15(49569) <-> 172.28.24.10(8080)
1391838514.2808 (0.0027)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080
---------------------------------------------------------------

2nd f5

[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 port 8080
New TCP connection 1: 172.28.24.15(49569) <-> 172.28.24.10(8080)
1391839588.3632 (0.0027)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080
---------------------------------------------------------------
New TCP connection 2: 200.200.200.14(49569) <-> 200.200.200.101(8080)
1391839588.3670 (0.0037)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080
---------------------------------------------------------------
- ERLomboy_27803
Hi Nitass,
I forgot to mention. We don't manage the secondary F5 and the FW above it; it's for a different business group. They just want to use our domain's SSL certificate, but the webserver pool is on the secondary F5. Do we really need to do anything on the second F5 to make this work?
There are also existing virtual servers using the "mysite.com" VIP and its SSL, with a few iRules associated. Question: Do I create a separate virtual server for this purpose and associate its own iRule you provided above? However, as I have mentioned, the pool is on the secondary F5 that we don't manage.
Thanks, Edward
- nitass
they just want to use our domain's SSL certificate but the webserver pool is on the secondary F5.
traffic between the first and secondary f5 is http (not https), isn't it? so, ssl certificate is not used.
Do we really need to do anything on the second F5 to make this work?
i understand we can do all stuff on the first f5.
Do I create a separate Virtual server for this purpose and associate it's own iRule you provided above.
if virtual server ip is same, you have to modify the existing virtual server.
hope this helps.
- ERLomboy_27803
when HTTP_REQUEST {
    if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } {
        HTTP::header replace Host "news.bizsite.com:8080"
        HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
    }
}
So the iRule above states that, when the 1st F5 sees the host "www.mysite.com" with a URI starting with "/help/site1/" and anything after it, it will pass the traffic to the 2nd F5 which has "news.bizsite.com:8080"; the 2nd F5 will get the data/forms, etc. to the pool on the 2nd F5 and return it to the Internet user's browser. Correct for all?
I created the iRule and associated it with the existing virtual server for "www.mysite.com". I'm not sure the iRule above works though. When I check the SSL dump, I didn't see the IP of "news.bizsite.com:8080".
- nitass
when the 1st F5 sees the host "www.mysite.com" with a uri starting with "/help/site1/" and anything after it. It will pass the traffic to the 2nd F5 which has "news.bizsite.com:8080", the 2nd F5 will get the data/forms, etc to the pool on the 2nd F5 and return it to to the Internet user's browser. Correct for all?
yes
I created the iRule and associated it with the existing Virtual Server for "www.mysite.com". I'm not sure the iRule above works though. When I check the SSL dump, I didn't see the IP of "news.bizsite.com:8080".
you may try to debug irule.
iRules 101 - 09 - Debugging by Joe Pruitt
- ERLomboy_27803
Hi Nitass,
I appreciate your intention to help me learn, but I don't know how to put in the logging. I have little coding background. The F5 is giving me an error, and as I've mentioned I have little room for error as this is Prod. Can you help me put the logging in properly?
when HTTP_REQUEST log local0. "Request:: [HTTP::host]" {
    if { [HTTP::host] eq "www.mysite.com" and log local0. "Request:: [HTTP::uri]" [HTTP::uri] starts_with "/help/site1/" } {
        log local0. "Request:: HTTP::header"
        HTTP::header replace Host "news.bizsite.com:8080"
        log local0. "Request:: HTTP::uri"
        HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
    }
}
Dumb question: Do I need to put the iRule I created on top of the iRule list associated with the virtual server in order for it to be read by the F5?
- nitass
The F5 is giving me an error
can you try something like this?
e.g.
root@(ve11-8)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        log local0. "BEFORE: client:[IP::client_addr]:[TCP::client_port] host:[HTTP::host] uri:[HTTP::uri]"
        if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } {
            HTTP::header replace Host "news.bizsite.com:8080"
            HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
            log local0. "AFTER: client:[IP::client_addr]:[TCP::client_port] host:[HTTP::host] uri:[HTTP::uri]"
        }
    }
}
Do I need to put the iRule I created on top of the Irule list associated with the virtual server in order for it to be read by F5?
Stacking iRules: A Modular Approach by Deb Allen
https://devcentral.f5.com/articles/stacking-irules-a-modular-approach
as I've mentioned I have little room for error as this is Prod.
i think it is better if you can test using trial or evaluation license before applying to production.
Trial Software Site
https://www.f5.com/trial/