Forum Discussion
prabhat_73172
Nimbostratus
Jan 17, 2011
iRule to read host from HTTP request and redirect
Hello,
I have a BigIP LTM 10.0.1 system that sits in front of an HTTP proxy gateway in the call path of incoming HTTP requests in an ISP environment.
When customers access certain websites via the proxy they experience errors. I'm trying to create an iRule that reads the Host field in the HTTP header and, if it contains certain words (hotmail in this example), directs the traffic via pool p1 (internet router); if not, via pool p2 (proxy gateway).
When I try to implement the iRule I get various errors. Below is the script.
Any assistance would be greatly appreciated.
when HTTP_REQUEST {
    # Specify current url
    set host [HTTP::host]
    # Specify pools
    set p1 "proxy_pool"
    set p2 "internet_pool"
    # display current url and user agent in ltm log file
    log local0. "HOST = $host"
    # check if host has name that has issues going through proxy
    switch -glob "$host" {
        "*hotmail*" -
        "*weather.com*" {
            log local0. "$host GOING TO Directly to $host -- 1.2"
            pool $p2
        }
        default {
            log local0. "$host GOING Through proxy-- 1.3"
            pool $p1
        }
    }
    # end of switch
}
11 Replies
- Chris_Miller
Altostratus
You can do this without setting any variables. That'll help performance a tiny bit.

when HTTP_REQUEST {
    log local0. "User requested Host [HTTP::host]"
    switch -glob [string tolower [HTTP::host]] {
        "*hotmail*" -
        "*weather.com*" {
            log local0. "[HTTP::host] going directly to [HTTP::host] -- 1.2"
            pool internet_pool
        }
        default {
            log local0. "[HTTP::host] going through proxy--1.3"
            pool proxy_pool
        }
    }
}

What errors were you originally seeing?
- prabhat_73172
Nimbostratus
Thanks Chris for the quick response. That definitely didn't error out. We will run some tests to find out if the traffic is being directed as intended.
One more question. In case the list of sites that need to be bypassed around the proxy keeps growing, it may be easier to use a Data Group List.
So if I created a Data Group List called "excluded_hosts" and tied that to this iRule, how would that change the script?
- Chris_Miller
Altostratus
Posted By prabhat on 01/17/2011 12:38 PM
Thanks Chris for the quick response. That definitely didn't error out. We will run some tests to find out if the traffic is being directed as intended.
One more question. In case the list of sites that need to be bypassed around the proxy keeps growing, it may be easier to use a Data Group List.
So if I created a Data Group List called "excluded_hosts" and tied that to this iRule, how would that change the script?

What version of code is your LTM running? There are different options depending on the version.
- prabhat_73172
Nimbostratus
It's running 10.0.1.
Also, the error I was getting earlier was '"set" is out of scope'....
- Chris_Miller
Altostratus
Something like this would work fine:

when HTTP_REQUEST {
    log local0. "User requested Host [HTTP::host]"
    if { [class match [string tolower [HTTP::host]] contains excluded_hosts] } {
        log local0. "[HTTP::host] going directly to [HTTP::host] -- 1.2"
        pool internet_pool
    } else {
        log local0. "[HTTP::host] going through proxy--1.3"
        pool proxy_pool
    }
}

- prabhat_73172
Nimbostratus
Thanks Chris. Greatly appreciate your help on this. We will give that a try and validate that all works as expected.
- prabhat_73172
Nimbostratus
Now the iRule is working as expected, but when the traffic gets routed directly to internet_pool, it can't connect. There is only one member in that pool, which is basically the firewall.
When the LTM sends traffic directly to the firewall, it appears the source IP is that of the device (laptops), and the firewall doesn't like it and drops packets after the initial handshake.
The traffic going via proxy_pool hits the proxy and gets routed back to the LTM on the way to the internet, since the proxy nodes don't have direct access to the internet.
In this case, when the LTM passes the outgoing traffic it got from the proxy nodes on to the firewall, the source IP is that of the proxy, and the firewall allows those.
So somehow we need to use SNAT so that the packets going directly from the LTM to the firewall carry the proxy's IP address as source. But we're not sure how to achieve that. We tried several ways but none work.
Any help would be greatly appreciated.
- Chris_Miller
Altostratus
SNATing it to the proxy's IP will likely cause issues when the response comes back to the firewall, as the firewall will already have an ARP entry for the proxy.
Does it have to be the proxy's IP, or can it simply be an IP on the same subnet?
Is this your design for outbound, where the firewall allows the proxy's IP outbound but not the client's?
Client -> Proxy -> LTM -> Firewall -> Internet
- prabhat_73172
Nimbostratus
Hi Chris,
Here is the outbound when going through proxy
client->LTM->proxy->LTM->firewall->internet
Here's the outbound when the irule directs the traffic directly to the internet
client->LTM->firewall->internet
- prabhat_73172
Nimbostratus
Never mind, Chris. It appears that basically the LTM itself was not able to route the traffic to the hosts that were being sent directly to the internet.
So we resolved those hosts to IP addresses and added the following to bigip.conf:

route 201.131.100.54 {
    pool internet_pool
}
route 64.4.20.184 {
    pool internet_pool
}
route 173.203.112.165 {
    pool internet_pool
}

and also added a SNAT pool in the iRule.
And that worked.
This is not a very good workaround when the traffic goes through the proxy and throws an error, but it can be used to determine whether it's the proxy or some other element in the call path that is causing the error.
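The following iRule is an added example that combines the two threads of this discussion, the data-group lookup from Chris's "class match" answer and the SNAT that prabhat says he added for the direct-to-firewall branch. It is not code posted by anyone in the thread. It assumes: a string data group named excluded_hosts whose records are dot-prefixed domain suffixes such as ".hotmail.com" and ".weather.com"; a SNAT pool named direct_snat (hypothetical name) holding an address the firewall permits outbound, which per Chris's ARP remark should not be the proxy's own IP; and the pools internet_pool and proxy_pool from the thread. The one change worth noting against the thread's versions is the match operator: the Host header is client-supplied, and a "contains" test on the bare word "hotmail" lets any request whose Host header merely contains that string skip the proxy, whereas an ends_with test on a dot-prefixed suffix only matches the listed domain and its subdomains.

```tcl
# Added example, not from the original posts. Assumptions:
#   - string data group "excluded_hosts" with dot-prefixed suffix records,
#     e.g. ".hotmail.com" and ".weather.com"
#   - SNAT pool "direct_snat" (hypothetical name) with an address the
#     firewall permits outbound, not the proxy's own address
#   - pools "internet_pool" and "proxy_pool" as named in the thread
when HTTP_REQUEST {
    # The Host header is attacker-controlled input. Lower-case it and drop
    # any ":port" suffix so the comparison is against the bare name only.
    set host [lindex [split [string tolower [HTTP::host]] ":"] 0]

    # Prefix a dot before matching so that ends_with against ".hotmail.com"
    # matches "hotmail.com" itself and "mail.hotmail.com", but rejects
    # "nothotmail.com" and "hotmail.com.attacker.example". A "contains"
    # test on the word "hotmail" would let all of those bypass the proxy.
    if { [class match ".$host" ends_with excluded_hosts] } {
        log local0. "$host bypassing proxy via internet_pool"
        # Source-translate so the firewall sees a permitted address rather
        # than the client's own IP, which it drops after the handshake.
        snatpool direct_snat
        pool internet_pool
    } else {
        log local0. "$host going through proxy_pool"
        pool proxy_pool
    }
}
```

Because the bypass decision is driven entirely by a header the client chooses, review the excluded_hosts records the same way you would a firewall allow-list: every suffix in it is a domain any client can reach without the proxy simply by naming it in the Host header.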