Forum Discussion

DavidB's avatar
DavidB
Icon for Altostratus rankAltostratus
Jun 23, 2022

Load Balance Host Headers

I posted last week asking for assitance load balancing WebLogic apps. I received some good responses, but they didn't work. I submitted an F5 support case and was basically told they don't help build...
application delivery
weblogic
KeesvandenBos's avatar
KeesvandenBos
Icon for MVP rankMVP
Jun 24, 2022

Only one of the virtual servers that is redirecting.
Command is list ltm virtual <name of virtual server>

  • DavidB's avatar
    DavidB
    Icon for Altostratus rankAltostratus
    Jun 24, 2022

    Thanks for clarifying. I should be clear though, I am using one VS on F5 and a shared IP on IIS to support IP sharing on both devices. My VS looks like this:

    ltm virtual IDCFLB.app/IDCFLB_vs {
    app-service /Common/IDCFLB.app/IDCFLB
    creation-time 2022-06-17:09:53:43
    destination 146.142.203.68:https
    ip-protocol tcp
    last-modified-time 2022-06-24:10:25:24
    mask 255.255.255.255
    pool IDCFLB.app/IDCFLB_pool
    profiles {
    IDCFLB.app/IDCFLB_client-ssl {
    context clientside
    }
    IDCFLB.app/IDCFLB_f5-tcp-lan {
    context serverside
    }
    IDCFLB.app/IDCFLB_f5-tcp-wan {
    context clientside
    }
    IDCFLB.app/IDCFLB_http { }
    IDCFLB.app/IDCFLB_oneconnect { }
    IDCFLB.app/IDCFLB_optimized-caching { }
    IDCFLB.app/IDCFLB_wan-optimized-compression { }
    }
    rules {
    IDCF
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
    type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
    VLAN_203
    }
    vlans-enabled
    vs-index 21

     

    The iApp has all the DNS names attached to it and I have an iRule for handling the redirects to URLs that IIS will then proxy to the WebLogic.

    I did start my captures on IIS and did find that I missed some of the require SSL settings so at least some of my failed tests are my own stupidity and lack of quality control. I'm still reviewing. However, I'm now questioning this configuration and if it's something that F5 really isn't going to handle well. If I'm forced to request a bunch of new IPs and DNS entries to make this work properly I can abondon this effort and start that approach.

    • KeesvandenBos's avatar
      KeesvandenBos
      Icon for MVP rankMVP
      Jun 24, 2022

      Could you also show the irule and pool configuration?

      • DavidB's avatar
        DavidB
        Icon for Altostratus rankAltostratus
        Jun 24, 2022

        Absolutely. This is the iRule (currently)

        when HTTP_REQUEST {
        if { [HTTP::uri] equals "/" } {
        switch -glob [string tolower [HTTP::host]] {
        "idcfdars.bls.gov" { HTTP::redirect "https://idcfdars.bls.gov/ARS" }
        "cesdatad.bls.gov" { HTTP::redirect "https://cesdatad.bls.gov/CESLite" }
        "blsconfidentialitytrainingd.bls.gov" { HTTP::redirect "https://blsconfidentialitytrainingd.bls.gov/ICT" }
        "cpidatad.bls.gov" { HTTP::redirect "https://cpidatad.bls.gov/CPILite" }
        "idcfdbbs.bls.gov" { HTTP::redirect "https://idcfdbbs.bls.gov/BBS" }
        "joltsdatad.bls.gov" { HTTP::redirect "https://joltsdatad.bls.gov/JOLTS" }
        "blscompdatad.bls.gov" { HTTP::redirect "https://blscompdatad.bls.gov/NCSLite" }
        "trainingd.bls.gov" { HTTP::redirect "https://trainingd.bls.gov/LMS" }
        "respondentsd.bls.gov" { HTTP::redirect "https://respondentsd.bls.gov/upload" }
        "idcfdoews.bls.gov" { HTTP::redirect "https://idcfdoews.bls.gov/OEWSLite" }
        default { HTTP::redirect "https://idcfd.bls.gov/authentication/login" }
        }
        }
        }

        when HTTP_RESPONSE {
        foreach header {Server X-Powered-By X-AspNet-Version Cache-Control} {
        HTTP::header remove $header
        }

        HTTP::header insert Pool-Info [class search -value hosts_dg eq [IP::server_addr]]
        HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
        HTTP::cookie version $aCookie 1
        HTTP::cookie secure $aCookie enable
        HTTP::cookie httponly $aCookie enable
        }
        }

        I will note that I've played with this iRule frequently and even completedsome of the testing withot the iRule in the config. That's actually tru of the VS also. I started disabling profiles to see how or if it imapcted the errors but never found these efforts to change much. (Sometimes it got worse)

        Right now the pool is actually just a single node and I changed the HTTP port to 81 to help isolate the traffic during dubugging. Yesterday when I thought a lot of the traffic never got to IIS it was based on the IIS logs showing the health traffic but not my testing traffic.

        ltm pool IDCFLB.app/IDCFLB_pool {
        app-service /Common/IDCFLB.app/IDCFLB
        members {
        dewsvweb1:81 {
        address 146.142.201.51
        app-service /Common/IDCFLB.app/IDCFLB
        session monitor-enabled
        state up
        }
        }
        monitor IDCFLB.app/IDCFLB_http_monitor
        slow-ramp-time 300
        }