Forum Discussion
Multiple path and pool definitions
portal.mycustomer.com points to an SSL terminating VIP on my LTM
When someone goes to https://portal.mycustomer.com it will take you directly to a pool assigned to the VIP pool1.mycustomer.com which only has a single node member node1.mycustomer.com in it. That works fine. Now the tricky part, at least for me. I hope I explain this clearly (Sorry if I overstate things in order to provide clarity). I need to get the following working, not redirecting as it all needs to stay behind https://portal.mycustomer.com:
**Notice node 1 is used again in line one and currently the only node belonging to a pool. The other nodes are just configured but not tied to anything as I didn't know if I needed to.
https://portal.mycustomer.com/path1 --> http://node1.mycustomer.com:8081/whateverpath
https://portal.mycustomer.com/path2 --> http://node2.mycustomer.com/whateverpath
https://portal.mycustomer.com/path3 --> http://node3.mycustomer.com/whateverpath
https://portal.mycustomer.com/path4 --> http://node4.mycustomer.com/whateverpath
I tried a million different things to get this to work without any luck. I appreciate any help you can give. Thank you!
- hoolio
Cirrostratus
Hi Nathan,

    when HTTP_REQUEST {
       switch -glob [HTTP::path] {
          "/path1*" {
             # Select a pool
             pool path1_pool
             # Or select a pool member
             pool app_pool member 1.1.1.1 80
             # Or select a node not part of a pool
             node 1.1.1.1 80
          }
          "/path2*" {
             # Select a pool
             pool path2_pool
             # Or select a pool member
             pool app_pool member 1.1.1.2 80
             # Or select a node not part of a pool
             node 1.1.1.2 80
          }
          default {
             # Select a pool
             pool default_pool
             # Or select a pool member
             pool app_pool member 1.1.1.3 80
             # Or select a node not part of a pool
             node 1.1.1.3 80
          }
       }
    }
- Nathan_67700
Nimbostratus
I can't believe I didn't see your response. I've gotta set up my notifications. I went away on a trip for work right after posting this not thinking it would be responded to so quickly. I'm impressed, you definitely are a DevCentral MVP. Thank you for the quick response! I just got back into town and am going to try it now and let you know the results. Thank you again and sorry for the delayed response!
- Nathan_67700
Nimbostratus
So this works perfectly until I make the VIP HTTPS and terminate client side SSL connections. Then everything sort of either starts acting strangely or not at all. Any thoughts? Thanks!
- Nathan_67700
Nimbostratus
I guess part of my confusion in trying to figure this out is not knowing how traffic is handled. So I understand the switch and when it matches, let's say, "/path1*" and then send the traffic to the specified pool or node. But where in the iRule does it state to use the /path1 I put in place in my original request, or is that just how it works? What if I wanted to put in /pathx but the destination node was looking for pathy? Would that be an additional command in the switch too? Sorry, like I mentioned earlier, I'm very new to iRules. Thank you again for all of your assistance.
- nitass
Employee
e.g.

    [root@ve1023:Active] config # b virtual bar list
    virtual bar {
       snat automap
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config # b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          switch -glob [HTTP::uri] {
             "/path1*" {
                HTTP::header replace Host "node1.mycustomer.com:8081"
                HTTP::uri "/whateverpath"
                node 200.200.200.101 8081
             }
             default {
                # do something else
             }
          }
       }
    }

    [root@ve1023:Active] config # ssldump -Aed -nni 0.0 port 443 or port 8081 -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 172.28.19.251(41320) <-> 172.28.19.79(443)
    1 1 1329462893.2149 (0.0180) C>S SSLv2 compatible client hello
    1 2 1329462893.2149 (0.0000) S>CV3.1(81) Handshake
    1 3 1329462893.2149 (0.0000) S>CV3.1(692) Handshake
    1 4 1329462893.2149 (0.0000) S>CV3.1(4) Handshake
    1 5 1329462893.2170 (0.0020) C>SV3.1(134) Handshake
    1 6 1329462893.2170 (0.0000) C>SV3.1(1) ChangeCipherSpec
    1 7 1329462893.2170 (0.0000) C>SV3.1(36) Handshake
    1 8 1329462893.2202 (0.0031) S>CV3.1(1) ChangeCipherSpec
    1 9 1329462893.2202 (0.0000) S>CV3.1(36) Handshake
    1 10 1329462893.2222 (0.0020) C>SV3.1(193) application_data
    ---------------------------------------------------------------
    GET /path1/test HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: portal.mycustomer.com
    Accept: */*
    ---------------------------------------------------------------
    New TCP connection 2: 200.200.200.10(41320) <-> 200.200.200.101(8081)
    1329462893.2239 (0.0015) C>S
    ---------------------------------------------------------------
    GET /whateverpath HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: node1.mycustomer.com:8081
    Accept: */*
    ---------------------------------------------------------------
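An added example, not written by any poster in this thread: the rule above generalized to the four mappings in the original question, keeping the rest of the path and the query string instead of replacing the whole URI. Only node1's address (200.200.200.101) comes from the capture above; the 192.0.2.x addresses for node2 to node4 are constructed placeholders, and port 80 is assumed for them. Matching "/path1" and "/path1/*" rather than "/path1*" keeps a request such as /path10 or /path1-admin from being routed to node1.

```tcl
# Added example (not from the thread). Written for the Tcl 8.4 dialect used by
# iRules, hence "foreach ... break" instead of lassign.
# Each route is: {public prefix} {backend Host header} {node IP} {node port}.
# 192.0.2.x addresses are constructed placeholders for node2..node4.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "?x=/path2" cannot affect routing.
    set path [HTTP::path]

    switch -glob -- $path {
        "/path1" -
        "/path1/*" { set route {/path1 node1.mycustomer.com:8081 200.200.200.101 8081} }
        "/path2" -
        "/path2/*" { set route {/path2 node2.mycustomer.com 192.0.2.12 80} }
        "/path3" -
        "/path3/*" { set route {/path3 node3.mycustomer.com 192.0.2.13 80} }
        "/path4" -
        "/path4/*" { set route {/path4 node4.mycustomer.com 192.0.2.14 80} }
        default {
            # No match: leave the request untouched so the virtual server's
            # default pool handles it.
            return
        }
    }

    foreach {prefix host ip port} $route break

    # Swap the public prefix for the backend one and keep whatever follows it:
    # /path1/test?a=b  ->  /whateverpath/test?a=b
    set uri "/whateverpath[string range $path [string length $prefix] end]"
    if { [HTTP::query] ne "" } {
        append uri "?[HTTP::query]"
    }

    # The backend sees its own name in Host, as in the ssldump capture above.
    HTTP::header replace Host $host
    HTTP::uri $uri

    # Send directly to the node; no pool membership is required for this.
    node $ip $port
}
```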
- Nathan_67700
Nimbostratus
Thanks for the replies. So after doing some closer research last night I found that redirects from the server itself were the culprit. So my question now is what is the best way to handle this? Since the F5 is handling the SSL termination the connection the server sees is HTTP and must respond as such...or it's just because it isn't set up to handle SSL at all anyway. So, I just want to make sure I do the best and most secure practice here. Do I create a redirect or are there other options? Is a redirect the safest? Do I need to do an iRule to do a redirect or are there other ways? The reason I ask is I've read some things about having too many iRules is bad so I was wondering if there was a way to redirect without an iRule? What do the experts here think?