Forum Discussion
need help figuring out a proxy irule
The below post has a bunch of good information that I think has me in the right direction.
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/aft/1172576/afv/topic/asg/50/Default.aspx
However, here's what I need to accomplish.
I have www.domain.com/somestring. This is a vanity URL that will proxy to new.domain.com/. However, I need to retain www.domain.com/somestring in the browser.
What I am unclear on is how it's possible to proxy traffic to a pool while having the domain name change.
The pool I'm sending it to has a webserver that hosts 3 blogs (new.domain.com being one of them). They are all configured to be blog1.domain.com, blog2.domain.com and now mine... new.domain.com.
If I just do something like if { [HTTP::host] == "www.domain.com" and [HTTP::uri] == "/somestring" } { pool blogservers } there's no way for the webserver to know what virtual host to send the request to. Is there some way I can say set [HTTP::host] == "new.domain.com" and have the webserver understand it's the new domain, but not actually change the url?
14 Replies
- Ben_95489
Nimbostratus
Hey Derek,
I recently did something very similar using the ProxyPass rule that Kirk put in the Code Share here: http://devcentral.f5.com/wiki/default.aspx/iRules/ProxyPass.html It's a fairly complex rule but does the trick. I used it to mask/copy traffic from entirely disparate second level domains with great success (i.e. a user can surf www.derp-de-derp.com just as though it were www.original-site.com). The rule will re-write the host header and links as appropriate on the pages.
// Ben
- Derek_Murphy_38
Nimbostratus
actually, I have an additional question already. It looks like the way the proxypass irule works is it affects the entire virtual server.
The server I am trying to manipulate is a generic server that hosts a few different sites. If I apply the irule to that virtual server based on what seems to be included in the setup of the datagroup, I assume that it would end up affecting the other 2 sites, which isn't what I want at all..
so as a rule of thumb, if you're going to use proxypass, should it be on a completely separate virtual server?
- Ben_95489
Nimbostratus
Hey Derek,
This is definitely possible. In fact, I did something not entirely dissimilar. Check out some of the address-related commands here: http://devcentral.f5.com/wiki/default.aspx/iRules/IP.html
You can do the matching in the rule for fairly small addresses, but it is probably better to use matchclass (http://devcentral.f5.com/wiki/default.aspx/iRules/matchclass.html) for this. Here's roughly what the rule I put together looked like:
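when HTTP_REQUEST {
    # Restrict the admin path to clients listed in the Allowed_Addresses data group
    if { [HTTP::uri] starts_with "/leet/adminz/" } {
        if { [matchclass [IP::client_addr] equals $::Allowed_Addresses] } {
            log local0. "[IP::client_addr] matched, allowing access."
        } else {
            # Tcl requires "else" on the same line as the closing brace of the if body
            log local0. "[IP::client_addr] did not match, redirecting user agent."
            HTTP::redirect "/"
        }
    }
}
- Ben_95489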
Nimbostratus
Hey Derek,
You should be able to configure this to still work, though you may need to configure the virtual hosts in the ProxyPass data group configuration. For example, siteone.com, sitetwo.com, and sitethree.com all use this virtual server and should function as normal today - passed directly to the pool and unchanged. You need to add newsite.com to use this virtual server but translate the host header to be siteone.com when it gets sent to the pool members. Do I follow correctly?
If so, I would need to double-check my memory to be positive, but I believe that the rule will only trigger when something in its data group matches - i.e. translation/replacement only occurs when you configure it to. This means that if you configured a data group for newsite.com like this:
www.newsite.com www.siteone.com/
or
new.siteone.com www.siteone.com/
Only the requests matching the first object will be processed by the rule. Requests to siteone.com and sitetwo.com will not be affected. This means that you should be able to use this on the same virtual server that all of your other traffic is processed on.
In short, yes. The rule will be applied to the entire virtual server. It does, however, require you to configure it for the traffic you wish it to match and affect.
Cheers!
// Ben
- Derek_Murphy_38
Nimbostratus
That's great info Ben.
I actually ended up creating a new virtual server, with a new IP because I wasn't sure if applying the proxypass irule would affect my other virtual servers. Now however, I think I'm a little confused in my thought processes... so let me recap with my proposed layout.
www.domain.com/somestring <--main webserver, separate virtualServer
blog1.domain.com/ <---blogVirtualserver
blog2.domain.com/ <---same blogVirtualserver as above
blog3.domain.com/ <---my new blog, now on a separate virtualserver/IP but same appserver default pool as the above 2 blogs.
My original thought was to apply the irule to the blog3.domain.com virtual server, but now... I'm not sure that would work. I think what I need to do is apply the irule to the main webserver virtualserver for www.domain.com since /somestring is the uri that I want proxying to the internal webserver.
So,
I'm suspecting that in my datagroup I will have a single string entry that will look something like..
www.domain.com/somestring blog3.domain.com/
however, note the below comment from the irule.. does this imply that the above syntax is not correct?
Note that the clientside entry only ends in a / if there is no directory.
The server entry only ends in a slash if the client entry does.
Also, I assume this will only work for the main page? Links internal to the blog will still be viewed as blog3.domain.com/some/path/to/blogpost correct?
Is that where the following comment comes into play?
ProxyPass does not rewrite links embedded within pages by default, just
redirects. If you want to change this, edit the proper variable in RULE_INIT
and apply the generic "stream" profile to the virtual server.
I checked the profiles, and it looks like there is a stream profile there, but when I click on it, under settings it just has an empty source/target field, so I'm not sure what to put in there, or what the proper variable would be in RULE_INIT. Did you have to do any of that stuff?
The IP commands are easy enough.. those I can deal with. The proxying is what always confuses me.
- Ben_95489
Nimbostratus
Hey Derek,
Well, welcome to the fold! You're definitely diving in with both feet, it seems like. It sounds to me like you've got the configuration mostly settled. For reference, here is the data group that I used
"www.testsite.com" := "www.realsite.com",
"imgs.testsite.com" := "imgs.realsite.com pool-images",
We configured ":=" as the delimiter in the Data Group, though I can't quite recall if we had a specific reason for doing this or not. I also seem to recall that we made some modifications to allow us to make some of the specific changes that we were looking for, but I believe those specifically related to changing the host header after the WAM had inspected it.
If I understand your comments correctly, your data group will take requests for www.domain.com/somestring and send them to the blog_pool while changing the host header to blog3.domain.com. I'm not certain, but I believe that the /somestring/ path will be removed when it is sent to the blog_pool servers as blog3.domain.com - is that the expected/desired behavior?
Also, the OneConnect profile is largely to be sure that each request is processed by the iRule. With no OneConnect profile only the first request on each connection is processed. This can become a big problem with Keep-Alive connections and/or things like content delivery networks. You might want to read up on its functionality to see what else it does (though it *probably* won't break anything - especially if it's already on) before flipping it on your primary production virtual server.
You might also want to look at priorities ( http://devcentral.f5.com/wiki/default.aspx/iRules/priority.html ) to be sure that the /admin/ protect rule is processed before the ProxyPass rule - that could cut out some processing time. I don't remember the exact behavior when two rules of the same priority execute on the same event. I believe the order of processing is whatever order they are listed as in the config. (Though this could be complete nonsense - I don't really remember what happens on collision.)
// Ben
- Derek_Murphy_38
Nimbostratus
Do I need to have a delimiter in the data group? it didn't seem like it was a requirement from the comments in the irule.
You got my needs mostly right. I don't want to have /somestring removed. Marketing wants to ensure that /somestring remains so google will index it properly or something. So... actually in this case, i probably shouldn't have blog3.domain.com external at all if they don't want any content indexed under that domain/uri. Everything should always go through www.domain.com/somestring/* so a blogpost will end up looking like www.domain.com/somestring/2010/10/04/newposttoday whereas on the backside it would look like blog3.domain.com/2010/10/04/newposttoday
Do you know of a way to keep the /somestring part appended to the url?
- Ben_95489
Nimbostratus
Hey Derek,
I think I probably confused my words a bit in my last post. What you described is effectively what I had meant to convey - the "/somestring/" will be removed on its way to the pool members but will remain for clients.
My memory doesn't serve me too well just yet this morning, but I believe that if no delimiter is specified, then whitespace is used as the default delimiter. This could be just delusional pre-coffee ramblings, however.
// Ben
- Derek_Murphy_38
Nimbostratus
nope, I think you're right re: whitespace being the default delimiter. All of the examples I can find seem to have whitespace in their examples.
My last issue I think I'm going to have is switching the domains. Since I will be hitting a virtual server that doesn't contain the blogs, and proxypassing to a virtual server that does have the blog (plus contains other blogs) separated out by virtual hosts, I'm not sure how it will actually complete the transaction... unless when you say it changes the host header to blog3.domain.com that means that apache running on the box will be able to recognize that, serve the content and send it all back up to www.domain.com/somestring. I was thinking I could maybe get around any issues by adding a serveralias to the blog3.domain.com virtualhost that says serveralias www.domain.com
I actually just applied the proxy_pass irule, with a datagroup defined as, ProxyPasswww_domain_com and the string as www.domain.com/discover blog3.domain.com blog_pool_internal and it looked to have brought down the main page... scary.
Any idea what might've caused that? I thought the proxy_pass irule wasn't supposed to affect anything other than what was referenced by a data group?
- Derek_Murphy_38
Nimbostratus
well, at least now I'm getting consistency. As soon as I apply the proxy_pass irule to my main web virtual server in staging, I get a "The connection was reset" error when accessing any page.
All I have is the default proxypass irule associated with it, and a single datagroup called ProxyPasswwwstg. Contained within that is exactly as follows. wwwstg.domain.com/discover blog3.domain.com
no delimiters... no pools defined (because I'm on a test load balancer so I can't actually get to the real blog pool), but I'm really perplexed as to why applying the irule takes down the entire virtual host. I even tried changing the syntax of the data group to be "wwwstg.domain.com/discover" := "blog3.domain.com"
Firebug reports that the status is "aborted". Any thoughts?
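A minimal hand-written iRule for the case described in this thread, added here as an illustration; it is not the ProxyPass rule from Code Share and not code from any poster. It assumes `blog3.domain.com` as the backend virtual host and `blogservers` as the pool, the names used in the posts, and handles only the Host header, the path prefix and absolute redirects.

```tcl
# Added example (not the Code Share ProxyPass rule). Hostnames, path and pool
# name come from the thread; the rule itself is an illustrative sketch.
when HTTP_REQUEST {
    # Reset per request: with keep-alive, variables persist across requests
    # on the same client connection.
    set proxied 0
    set prefix "/somestring"
    set path [HTTP::path]

    # Match the prefix only on a path-segment boundary so that
    # /somestring-other is not proxied by accident.
    if { [string tolower [HTTP::host]] eq "www.domain.com" &&
         ($path eq $prefix || $path starts_with "$prefix/") } {
        # Strip the vanity prefix; keep the rest of the path and the query.
        set rest [string range [HTTP::uri] [string length $prefix] end]
        if { !($rest starts_with "/") } { set rest "/$rest" }
        HTTP::uri $rest
        # The browser still shows www.domain.com; only the server-side
        # request carries the name-based virtual host.
        HTTP::header replace Host "blog3.domain.com"
        pool blogservers
        set proxied 1
    }
}

when HTTP_RESPONSE {
    # Map redirects issued by the blog back to the public name.
    if { $proxied && [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        foreach scheme { "http://" "https://" } {
            set internal "${scheme}blog3.domain.com/"
            if { $loc starts_with $internal } {
                set tail [string range $loc [string length $internal] end]
                HTTP::header replace Location "${scheme}www.domain.com$prefix/$tail"
            }
        }
    }
}
```

Requests for any other host or path fall through untouched to the virtual server's default pool. Links embedded in the returned pages are not rewritten here; as the ProxyPass comment quoted above says, that takes a stream profile.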
