Forum Discussion

Latchezar_Dimov's avatar
Latchezar_Dimov
Icon for Nimbostratus rankNimbostratus
Nov 28, 2018

iRule to forward https://x.x.com/backdoor to a specific node (requests ending with /backdoor only).

Hello mates,   I am literally new with the iRules in F5. I have red few similar questions and I had a look of provided iRules by that community, but honestly.. I am totally lost in codding and I a...
application delivery
iRules
LTM
crodriguez's avatar
crodriguez
Ret. Employee
Nov 28, 2018

You cannot examine the HTTP payload on encrypted traffic unless you terminate SSL on the BIG-IP system on the client-side connection. (You can re-encrypt the traffic on the server-side.) So you'll need a client SSL profile no matter what. If you need to re-encrypt on the back end (which it sounds like you do), you'll need a server SSL profile, too, along with the appropriate certs and keys installed on the BIG-IP system.

Your iRules are pretty close, with a couple of typos and suggestions. First of all, I see no difference between your requirements for options 1 and 3, and same for options 2 and 4. They cover the same thing just using IF vs SWITCH. These examples assume a single pool named "pool_test" with two members - 1.1.1.1:9002 and 1.1.1.2:9002.

For /backdoor to 1.1.1.1:9002 and all other traffic to both members:

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test
    }
}

For /backdoor to 1.1.1.1:9002 and all others to 1.1.1.2:9002:

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test member 1.1.1.2 9002
    }
}

Given that there are only two conditions, an IF statement will probably perform better than a SWITCH. You can also consider which request will be more common - with "/backdoor" in the URI or without. If without, then switch the conditional statement to check for "not /backdoor" first for better performance. For example, for most traffic is NOT /backdoor and should load balance to both pool members:

when HTTP_REQUEST {
    if { ![[HTTP::uri] ends_with "/backdoor"] } {
        pool pool_test
    } else {
        pool pool_test member 1.1.1.2 9002
    }
}

You can also do this with a local traffic policy but a slightly different pool configuration. You need two pools instead of just one because you cannot select a specific pool member from a local traffic policy, just a pool. So, for the /backdoor to 1.1.1.1:9002 and all other to both members, pool_test1 contains just 1.1.1.1:9002 and pool_test2 contains both pool members. The local traffic policy would be coded similar to this (using the GUI):

Policy Name: select_backdoor_pool

Strategy: Execute the first matching rule

Rule 1: select_backdoor_pool_rule

Match all of the following conditions:

    HTTP URI path ends with any of /backdoor at request time

Do the following when the traffic is matched:

    Forward traffic to pool pool_test1 at request time

Rule 2: select_all_other_traffic_pool_rule

Match all of the following conditions:

    All traffic

Do the following when the traffic is matched:

    Forward traffic to pool pool_test2 at request time

For this policy to work, it's important that you order the rule that checks for /backdoor first. To cover the other requirement where all other traffic load balances to 1.1.1.2:9002, just change pool_test2 to have that single member in it - same policy.