sundogbrew
Jan 20, 2016

Local traffic policy question...

I actually have two questions. First is about creating a policy. I created a policy that has like 5 different URIs that all redirect to the same pool, then I need to create a default for all other URIs that points to an external site. So I messed around with forward to "nexthop" and just added the URL of the page I want to redirect to but couldn't get that to work. Then I added the IP of the external host and created a pool and tried to redirect to it but can't get that to work either. What would be the preferred method of doing this?

The second question is how do you keep your URL when you proxy. So if I go to joe.myhouse.com/uri-to-redirect and my pool goes to some other page, I end up with otherpage.com/uri-to-redirect. I want it to stay joe.myhouse.com/uri-to-redirect and serve the page off the other site. That make sense?

Thanks as always for your help. Joe

6 Replies

  • First question:

    Let's clarify the difference between "forward" and "redirect". Forward will proxy the traffic to the backend pool selected under the forward action. Redirect will respond to the client, and the client will initiate a new connection to whatever URL is specified in the redirect action.

    To put that in context, it sounds like the 5 different URIs (they can all be under the same condition) forward their traffic to a backend pool, and the default should redirect to the external site. Try using those actions to achieve the desired result.

    Example

    The example below shows the configuration file for such a policy. This can be replicated from the GUI. The rules are where you define, per rule, a condition indicating what to look for (whether the URIs are in the packet) and an action (what to do if the condition is true). The ordinal simply says the order in which to process the rules (highest first).

    One other caveat is that the forward will typically give you the list of pools to select from, whereas the redirect requires a Fully-Qualified Domain Name and URI (http[s]://mydomain/path). It will take that exact value and reply with an HTTP redirect using that as the location.

    ltm policy devcentral-joe {
        controls { forwarding }
        requires { http }
        rules {
            internal-sites {
                conditions {
                    0 {
                        http-uri
                        path
                        starts-with
                        values {
                            /test1
                            /test2
                            /test3
                            /test4
                            /test5
                        }
                    }
                }
                actions {
                    0 {
                        forward
                        select
                        pool my_backend_pool
                    }
                }
                ordinal 1
            }
            default {
                actions {
                    0 {
                        http-reply
                        redirect
                        location http://otherpage.com/uri-to-redirect
                    }
                }
                ordinal 2
            }
        }
        strategy first-match
    }
    
    Second question:

    If you are performing a redirect (see first Q/A) then the client initiates the new connection, and your current instance loses administrative control over the session. There are means to proxy, but the best way to do so with LTM requires the static IP address of the external site--doing so with DNS is more of a function of GTM. I won't say it can't be done with LTM--you just may have to get creative to do so.

  • Theo, thanks for the response. So I see forward when creating a rule for a policy, but how do you redirect? What does nexthop mean?

    Thanks Joe

  • Theo, thank you for adding the example. I need to go through that and compare. Thanks Joe

  • So to revive this, how would I actually proxy connections to an outside URL, if I want to make it all look like I own it and it is coming from behind my LTM? Can I proxy outside sites through my LTM? Thanks Joe

  • DISCLAIMER: Having some security background, I always cringe when I hear phrases like "make it all look like I own it", as in most cases they don't, and that can be deceiving to the client. I'm not saying that's your intention, but just consider what your end user will see and whether you have permission from the external site to do so.

    That being said, Apache's ProxyPass feature most accurately describes what you ask, and the DevCentral CodeShare has an iRule implementation with the ProxyPass feature, appropriately named ProxyPass v10/v11. There are other implementations as well (e.g. use with APM) that can be found in the CodeShare.
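
The iRule below is an added illustration for this thread, not code from the thread, from F5 or from the CodeShare ProxyPass entry. It shows, in iRule form, the forward-versus-redirect split from the first answer together with the host-preserving proxy that the ProxyPass discussion is about: the client keeps using the public name on the LTM, the request is forwarded to the external pool with the Host header the external site expects, and any Location header the external site sends back is rewritten to the public name so the browser is not bounced to the external hostname. The pool names (joe_local_pool, hosted_content_pool), the external hostname hosted.example, the path prefixes /joe and /hosted, and the assumption that the client side is HTTPS (the mydomain.com cert on the F5) are all hypothetical placeholders; the default redirect reuses the location from Theo's policy example.

```tcl
# Added example for this thread, not the thread's or F5's own code.
# Assumptions (all hypothetical): pools "joe_local_pool" and "hosted_content_pool",
# external hosting name "hosted.example", path prefixes /joe and /hosted,
# and TLS terminated on the LTM so the public scheme is https.
# The virtual server needs an HTTP profile; if hosted.example is itself HTTPS,
# it also needs a server-side SSL profile.

when HTTP_REQUEST {
    # Remember the name the client used; HTTP_RESPONSE uses it to rewrite
    # Location headers back to the public name.
    set client_host [HTTP::host]
    set public_scheme "https"
    set ext_host "hosted.example"

    switch -glob [string tolower [HTTP::path]] {
        "/joe*" {
            # Local content: a plain forward, no header changes needed.
            pool joe_local_pool
        }
        "/hosted*" {
            # Externally hosted content: forward to the external pool, but
            # present the Host the external site virtual-hosts on, and pass
            # the public name along so the origin can log where it came from.
            HTTP::header replace Host $ext_host
            HTTP::header replace X-Forwarded-Host $client_host
            pool hosted_content_pool
        }
        default {
            # Everything else is a true redirect: the client opens a new
            # connection to this location and the LTM is no longer in the path.
            HTTP::redirect "http://otherpage.com/uri-to-redirect"
        }
    }
}

when HTTP_RESPONSE {
    # If the external site answers with a redirect to itself (http or https),
    # rewrite it so the client stays on the public name and scheme.
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        set rewritten [string map [list \
            "http://$ext_host"  "$public_scheme://$client_host" \
            "https://$ext_host" "$public_scheme://$client_host"] $loc]
        if { $loc ne $rewritten } {
            HTTP::header replace Location $rewritten
        }
    }
}
```

Attach the iRule to the virtual server that carries the mydomain.com certificate, with hosted_content_pool pointing at the external site's static address as the first answer describes. This only handles the request Host and the response Location; the CodeShare ProxyPass iRule also rewrites Set-Cookie domain/path and absolute links in the response body, which this short version does not, so any absolute link the external site emits will still show hosted.example to the client.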

  • Theo, thanks for the response. Perhaps a better explanation would help and alleviate the security concerns. So to better explain, www.mydomain.com, which we own, is for external clients. Some of the content is local: www.mydomain.com/joe is on a host that is local and I can serve that up pretty easily. But then other groups have hosted some content externally, which redirects to a hosting company. This content is also available if you go directly to it. What I want to be able to do is put the mydomain.com cert on the F5 and, based on the URI, proxy the content. Because it is an external site I am having trouble doing that. It is almost like hairpinning the proxy, if that makes any sense. I hope that explanation doesn't make it worse. Thanks Joe