For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

pl123_232794's avatar
pl123_232794
Icon for Nimbostratus rankNimbostratus
Dec 11, 2015

Multiple context paths on same FQDN and real servers

Hi,

 

We are currently in the process of migrating services from Cisco ACE 4710 to F5 BIG IP appliances.

 

Could you please advise if there is any way to configure on F5s, under the same virtual IP/FQDN, something similar to the following:

 

Service A: http://foo.domain.int/servA >>> redirecting to HTTPS https://foo.domain.int/servA >>> SSL termination >>> real servers: 10.10.10.10:80 , 10.10.10.11:80 and health monitor target: /servA/monitoring

 

Service B: http://foo.domain.int/servB >>> redirecting to HTTPS https://foo.domain.int/servB >>> SSL termination >>> real servers: 10.10.10.10:80 , 10.10.10.11:80 and health monitor target: /servB/monitoring

 

Service C: http://foo.domain.int/servB >>> redirecting to HTTPS https://foo.domain.int/servB >>> SSL termination >>> real servers: 10.10.10.12:80 , 10.10.10.13:80 and health monitor target: /servB/monitoring

 

Notes: The FQDN (and the VIP address) should be the same for services A, B and C. The real servers will be accessible via SNAT (i.e. F5 operating in one-armed mode). The real servers 10.10.10.10:80 and 10.10.10.11:80 should be the same for both services A and B. If the health monitor target of any of the three services fails (e.g. service A) then the F5 to respond with a maintenance message when end-users target the URL of the failed service (e.g. http://foo.domain.int/servA) while the other two services remain functional.

 

Thanks,

 

application delivery
BIG-IP

2 Replies

  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Dec 11, 2015

    This can absolutely be achieved. First you would setup you http VIP an attach an iRule like this. There is one built in, but its a 302 redirect.

    when HTTP_REQUEST {
    HTTP::respond 301 noserver Location "https://[HTTP::host][HTTP::uri]" Connection close
}

    Then you would create three pools each with their respective monitors for you servA, servB, and servC applications with the members being on port 80. After that you would create you HTTPS vip and add you a client SSL profile to handle your SSL termination along with an HTTP profile. Then, you can use either an iRule or a local traffic policy to choose the pools. I would suggest an iRule so you can handle your maintenance message locally if you want.

    when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        "/servA*" {
            if { [active_members servA_pool] > 0 }{
                pool servA_pool
            }
            else {
                HTTP::respond 200 content "HTML for maintenance response" noserver
            }
        }
        "/servB*" {
            if { [active_members servB_pool] > 0 }{
                pool servB_pool
            }
            else {
                HTTP::respond 200 content "HTML for maintenance response" noserver
            }
        }
        "/servC*" {
            if { [active_members servB_pool] > 0 }{
                pool servB_pool
            }
            else {
                HTTP::respond 200 content "HTML for maintenance response" noserver
            }
        }
    }
}