Forum Discussion
Need help getting ProxyPass to work
Below is ideally how I want this to work. A user goes to http://external.company.com and gets redirected to https://external.company.com. Once they log in, they will automatically go to https://external.company.com/Directory/Path (which is the actual URI of the internal server as well).
External Servername:
- external.company.com
Internal Servername (HTTP):
- internal.company.com/Directory/Path
I'm using the ProxyPass APM iRule v10.9 from 11/30/2012
Here's how I'm set up. I'm on 11.3 HF1 by the way.
String Datagroup:
- String: external.company.com/
- Value: internal.company.com/Directory/Path
- So... external.company.com/ := internal.company.com/Directory/Path
I also have a stream profile set up as follows:
@internal.company.com@https://external.company.com@
And within the PP iRule, the RULE_INIT has the set static::RewriteResponsePayload 1 (I've also tried 2).
I've tried a few different variations for the datagroup as well as the stream profile to no avail. But the above is where I'm at right now. The traffic is sent to the default pool. After successful authentication my HTTP capture shows an 'ERROR_HTTP_INVALID_SERVER_RESPONSE'. The backend SharePoint server does not know anything about the 'external.company.com' hostname. So everything must be rewritten (HTTP Location, HTTP redirects, etc.).
I have limited experience with data groups and this is my 1st time using PP, so I'm hoping this is a simple misunderstanding on my part. Thanks in advance.
3 Replies
- Kevin_Stewart
Employee
When you say "gets redirected to https://external.company.com", I'm assuming you mean physically redirected (via 302) to the new URL? If so, are you using a separate port 80 VIP with a redirect iRule applied?
Otherwise I don't believe you need the stream profile. ProxyPass rewrites the host header. I'd apply a generic (empty) stream profile to the VIP instead and turn on debugging to see where else it's having issues.
- gh0std0g_79292
Nimbostratus
Thanks for the reply Kevin. This was built with an iApp, so when I say redirected, I'm merely talking about the standard system HTTP -> HTTPS 302 redirect, and yes they are using the same VIP. I understand that I need the stream profile in order to rewrite embedded links.
I'm having two issues. First, I'm just trying to get PP to work with just the host header rewrites and URI manipulation. I need anyone who goes to HTTP(s)://external.company.com to have a URI appended of /Directory/Path; when the request goes to the serverside, it should be HTTP://internal.company.com/Directory/Path. Can you or anyone tell me if my datagroup is the correct logic?
I do have debug turned on for the PP iRule and this is the error I'm currently getting (excuse the formatting):
err tmm[12573]: 01220001:3: TCL error: /Common/approvequotestest-e-apm-proxypass - Illegal argument. Can't execute in the current context. (line 1) invoked from within "HTTP::uri $path_serverside[substr $orig_uri [string length $path_clientside]]"invalid peer expression (line 3) invoked from within "clientside { Rewrite the URI HTTP::uri $path_serverside[substr $orig_uri [string length $path_clientside]] Rewrite the Host header ..."
- Kevin_Stewart
Employee
Your datagroup looks correct.
You DO need a stream profile, but that profile should be empty (as in use the parent [empty] stream profile). The ProxyPass iRule manages the context and replacement values of the stream dynamically. I can't say that this is causing your issue, but it's a "low hanging fruit" nonetheless.
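The mapping that the data group in this thread expresses, as an added Python model that is not part of any post and is not the ProxyPass iRule's code. It assumes longest-prefix matching on host plus path and joins path pieces with a single slash; all function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed from the thread's data group entry: client-side := server-side.
DATAGROUP = {"external.company.com/": "internal.company.com/Directory/Path"}

def _split(entry):
    """'host/some/path' -> ('host', '/some/path'); an empty path becomes '/'."""
    host, _, path = entry.partition("/")
    path = path.strip("/")
    return host.lower(), ("/" + path if path else "/")

def _join(base, rest):
    """Join two path pieces with exactly one slash between them."""
    rest = rest.lstrip("/")
    if base == "/":
        return "/" + rest
    return base + ("/" + rest if rest else "")

def _under(path, prefix):
    """True when path equals prefix or sits below it on a segment boundary."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def find_mapping(host, path):
    """Longest client-side entry matching host + path, or None."""
    best = None
    for client, server in DATAGROUP.items():
        c_host, c_path = _split(client)
        if host.lower() == c_host and _under(path, c_path):
            if best is None or len(c_path) > len(best[1]):
                best = (c_host, c_path, *_split(server))
    return best

def rewrite_request(host, uri):
    """Client-side Host and URI -> server-side Host and URI (query kept)."""
    path, sep, query = uri.partition("?")
    m = find_mapping(host, path)
    if m is None:
        return host, uri
    _, c_path, s_host, s_path = m
    return s_host, _join(s_path, path[len(c_path):]) + sep + query

def rewrite_location(location, scheme="https"):
    """Map a backend Location header back to the external name."""
    u = urlsplit(location)
    for client, server in DATAGROUP.items():
        (c_host, c_path), (s_host, s_path) = _split(client), _split(server)
        if (u.hostname or "") == s_host and _under(u.path, s_path):
            new_path = _join(c_path, u.path[len(s_path):])
            return urlunsplit((scheme, c_host, new_path, u.query, u.fragment))
    return location  # unmapped: worth logging if it still names the internal host
```

A Location value that comes back from `rewrite_location` unchanged while still naming the internal host is the case to look for in a capture, since the client cannot follow it.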