F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Rafi1's avatar
Rafi1
Icon for Cirrus rankCirrus
Nov 13, 2022

Need to rewrite with LTM

Hi, I have an internal server with two "applicatins" and I need to give access to one of the application from Internet, The fqdn "globalserver.mydomain.com" point to my F5 vip, and I need that ever...
security
Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Nov 13, 2022

Hi Rafi1 , 
I have simulated this scenario on my lab , try this irule : 

when HTTP_REQUEST {
if { ([string tolower [HTTP::host]] equals "globalserver.mydomain.com") }{
 HTTP::header replace Host "internalserver.com"
 HTTP::path "/portsluser/main#page/"
}
}

 

Find the below snap shots from my LAB : 
irule : 

My results : 

Do you see , as a client I wrote " shopping.asm.f5" , and the request shown in F5 ASM event logs with a changed header and added new path which did not appear to client neither new hostname nor added path. 
Try it and give me your feedback. 

Regards.

Rafi1's avatar
Rafi1
Icon for Cirrus rankCirrus
Nov 13, 2022

Hi Mohamed_Ahmed_Kansoh 

Thank you very for yourת

unfortunately the Irule didnt work for me,

I must mention another thing (forgot sorry)  the originagl url that the client browse to as i mention  is "globalserver.mydomain.com" I need that the LTM will change it to "internalserver.xxx.mydomain.com/portsluser/main#page/" its sub domain for "mydomain.com" in the virtual server certificate in "ssl profile client" the certificate is *.mydomain.com  do I need also *.xxx.mydomain.com ?

 

I  configured regular virtual server with: type=standard, service port=443,  pool=internalserver.xxx.mydomain.com, without your Irule the LTM forword me to the server "internalserver.xxx.mydomain.com" I hoped that with your Irule he will forword me to "internalserver.xxx.mydomain.com/portsluser/main#page/", but unfortunately with the Irule I got blank page (no service)

I also noticed that in your lab you are using security profile (ASM), basically I dont need ASM all I need is forward the client request to  another web service.

 

Any idea ?

Regards

  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Icon for MVP rankMVP
    Nov 14, 2022

    Hi Rafi1 ,   
      As per CA_Valli’s iRule and mine , both of them should work with you. 
    > I want to add there is a problem with your certificate , you have wildcard to "*.mydomain.com" it will not be compatible with "*.xxx.mydomain.com" , or remover " . that before xxx" I mean the hostname should be "internalserver-xxx.mydomain.com" and do not use "dot ." in your hostnames. 
    > After that make sure that 
    "globalserver.mydomain.com " and " internalserver-xxx.mydomain.com" 
    have the same dns resolution or at least configure this

    " internalserver-xxx.mydomain.com" to be mapped to " ip of virtual server on F5 " 

    > but in your Case there is an issue with certificate , you must use "-" not "." 
    and try. 

    > I used ASM loging to see the requests contents only as a monitoring , not to do any actions. 

    > I will Take a Pcap from my Lab to see the Flow of traffic and changes as well. 

    Regards.

    • Rafi1's avatar
      Rafi1
      Icon for Cirrus rankCirrus
      Nov 14, 2022

      Hi Mohamed_Ahmed_Kansoh 

      The " internalserver-xxx.mydomain.com"  the "xxx" is sub domain so I must use "dot."

      What if in the server ssl profile (in the virtual server ) I will attached the the real server certificate *.xxx.mydomain.com ?

      Regards

      • Mohamed_Ahmed_Kansoh's avatar
        Mohamed_Ahmed_Kansoh
        Icon for MVP rankMVP
        Nov 14, 2022

        yes , you need to create a new certificate for " *.xxx.mydomain.com" 
        I stucked in this issue before and resolved it by "-" symbol not "."

        let me take a tcpdumb on my lab environment , it will show to us more about redirections.