Forum Discussion

Stephen_Swali_8
Jan 17, 2008

iRule to change host headers.

Hi guys,

First time on DC so apologies in advance if I'm doing something wrong.

Please can you help with an issue I have.

We have a website that is hosted externally on a server which hosts multiple websites. There is a requirement to SSL enable the communication to our website on this particular server. The web server hosting these multiple sites performs SSL but can't host a certificate for our website/domain. We're therefore changing the access model for this site so that we perform Client SSL and Server SSL on the BIG-IP, obviously hosting the cert for our domain on the BIG-IP.

However, it looks like there is an issue when the BIG-IP sends the request to the server, in that the server sends a reset. For example, hosted site of https://www.hosted.com/aon.asp. However, we want clients to reach https://www.mybigip.com, which would (as per the name) resolve to the VIP on our BIG-IP which would in turn load-balance to the IP of the hosted dom.

I imagine we'll need to modify host headers using an iRule when the HTTP request is made, but I'm not sure if I'll need to change the host headers on the way back in the HTTP response.

Any help greatly appreciated.

Cheers,

Steve.
  • Hey Aaron.

    Thanks for the response.

    I'm not sure I'm clear with what you're explaining in regard to the stream config.

    I think I've got the request and response rules correct (but would appreciate your view on this - pls see below for rules) but I think you're suggesting I need to look at creating a stream profile too and then I think using that stream profile in the response iRule, is this correct?

    request irule.

    when HTTP_REQUEST {
       if { [HTTP::host] equals "www.mycompany.co.uk"} {
          HTTP::header replace "Host" "www.provider.com"
       }
    }

    response irule.

    when HTTP_RESPONSE {
       if { [HTTP::status] starts_with "3" } {
          HTTP::header replace Location [string map -nocase {www.provider.com www.mycompany.co.uk} [HTTP::header Host]]
       }
    }

    thanks,

    Steve.
    • trx_94323

      Hello Steve, I'm looking to do something similar. The gist of it is we are trying to mask an external domain name on the front end, but intercept it from the F5 and replace the internal domain name to the back-end server, and when it comes back it preserves the masking external domain.

      Did you or anyone do something similar? Sharing the code snippet is fully appreciated.

      Thanks.

  • Hi Steve,

    If the response content from the external site contained absolute references to the external domain, then you would want to rewrite these to the internal domain before sending the response back to the client. To do this, you can use the STREAM:: commands. Looking at the external host you had listed, I didn't see any embedded references (href's, img src, etc) to the external site, so I think this is unnecessary in your situation. You could double check this though.

    You can combine the two rules you have listed above into a single rule. Also, you can do a case insensitive comparison for the host using string compare. Lastly, you can redirect / to /aon.asp. Here is an untested example:

      
     when RULE_INIT {

        # Set the hostname that the client makes request to (do not include protocol)
        set ::external_hostname "www.mycompany.co.uk"

        # Set the hostname that the BIG-IP will rewrite requests to
        set ::internal_hostname "www.provider.com"

        # Redirect / requests to this URI
        set ::root_redirect_uri "/aon.asp"

        # Log debug messages to /var/log/ltm? 1=yes, 0=no.
        set ::proxy_site_debug 1
     }
     when HTTP_REQUEST {

        if {$::proxy_site_debug} {log local0. "Received request from [IP::client_addr] -> [HTTP::host][HTTP::uri]"}

        # Check if request is to root document
        if {[HTTP::path] eq "/"} {

           if {$::proxy_site_debug} {log local0. "Redirecting [IP::client_addr] from / -> https://$::external_hostname$::root_redirect_uri"}

           # Redirect to the external hostname and root object
           HTTP::redirect "https://$::external_hostname$::root_redirect_uri"

        } else {

           if {$::proxy_site_debug} {log local0. "Rewriting [IP::client_addr]'s Host header to $::internal_hostname"}

           # We're not redirecting so rewrite the Host header
           HTTP::header replace "Host" $::internal_hostname
        }
     }
     when HTTP_RESPONSE {

        # Check if the status indicates a redirect
        if {[HTTP::is_redirect]} {

           # string map takes its mapping as a single list argument
           set new_location [string map -nocase [list $::internal_hostname $::external_hostname] [HTTP::header Location]]

           if {$::proxy_site_debug} {log local0. "Rewriting [IP::client_addr]'s redirect to $new_location"}

           # Rewrite the Location header replacing the internal hostname with the external hostname
           HTTP::header replace Location $new_location
        }
     }
     

    Aaron
  • Hi Aaron,

    Thanks for this.

    I've tried this to no avail.

    This is the edited output from /var/log/ltm.

    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Received request from client_addr -> internal_hostname/
    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Redirecting client_addr from / -> https://internal_hostname/aon.asp
    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Received request from client_addr -> internal_hostname/aon.asp
    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Rewriting client_addr's Host header to external_hostname
    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Received request from client_addr -> internal_hostname/aon.asp
    Jan 18 13:24:22 tmm tmm[1587]: Rule rule_VS_ETS_1 : Rewriting client_addr's Host header to external_hostname

    The first four log entries make sense based on the content of the iRule and using HTTP watch I see a 302 but then followed immediately by an ERROR_INTERNET_CONNECTION_RESET, which I think is being sent by the server but am just wondering how I can go about capturing this in logs.

    Any thoughts?
  • I don't know of a way to log details on who sent a reset using an iRule.

    You mentioned before that you were getting resets from the application when trying to browse through the VIP. If you make a request from the BIG-IP, using curl, do you get a reset as well? You can use this command to send an https request to the site:

    curl -vk https://external_hostname/aon.asp

    For comparison purposes, you can try against google as well:

    curl -vk https://google.co.uk/

    >'s show client requests, while <'s show server responses.

    Aaron
  • Hey guys,

    Looks like I've got a further issue on this...

    The server seems to be sending session variables back to the client (from what I can see in the URI) when they try to login at a different URI, i.e. /ent/something.asp.

    But I suspect the iRule I've applied (as above) is completely replacing the Location header with the $::internal_hostname, is that correct or will it only replace the string $::external_hostname if found?

    Any help on this would be very much appreciated.

    cheers,

    Steve.
  • ok guys, think I've fixed it. I've basically changed the 'Host' right at the end of the last line of code in the above iRule to Location which seems to work sweet! I've got the developers testing other parts of the site to make sure I've not inadvertently broken something else.

    cheers,

    Steve.
    • Ashish_Ram_Tak1

      Hello Steve, could you please paste the working iRule? I want to try the same thing in my environment, but it seems not to be working as expected. BR, Ashish Takawale
  • Oops! Thanks for catching that. Sorry for any confusion.

    Aaron
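
Added example, not part of the original thread: Steve's question above was whether `string map` replaces the whole Location header or only the hostname it finds. The plain-Tcl sketch below (run with tclsh, outside the BIG-IP) shows that only the matched substring changes; the `rewrite_location` variant is an assumption of this example that rewrites only when the redirect's host is exactly the internal hostname, and the sample Location values are constructed.

```tcl
# Added example: plain Tcl for tclsh, not an iRule. Hostnames are the thread's.
set internal_hostname "www.provider.com"
set external_hostname "www.mycompany.co.uk"

# Same operation as the thread's response rule: swap every occurrence of the
# internal hostname in the header value and leave the rest of the value alone.
proc map_location {location internal external} {
    return [string map -nocase [list $internal $external] $location]
}

# Stricter variant (assumption of this example, not from the thread): rewrite
# only when the authority of an absolute URL is exactly the internal hostname.
proc rewrite_location {location internal external} {
    if {![regexp -nocase {^(https?://)([^/?#:]+)(:\d+)?(.*)$} $location \
            -> scheme host port rest]} {
        return $location  ;# relative redirect: nothing to rewrite
    }
    if {![string equal -nocase $host $internal]} {
        return $location  ;# redirect to some other host: pass through
    }
    return "$scheme$external$port$rest"
}

# Constructed sample Location header values.
set samples {
    https://www.provider.com/ent/something.asp?session=abc123
    /aon.asp
    https://login.example.net/?return=https://www.provider.com/aon.asp
    https://www.provider.com.example.net/
}

foreach loc $samples {
    puts "in:     $loc"
    puts "map:    [map_location $loc $internal_hostname $external_hostname]"
    puts "strict: [rewrite_location $loc $internal_hostname $external_hostname]"
    puts ""
}
```

The third and fourth samples are where the two procedures differ: `string map` also rewrites a hostname that appears inside a query string or as the prefix of a longer hostname.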