Forum Discussion

andrew_C1's avatar
andrew_C1
Icon for Nimbostratus rankNimbostratus
Mar 03, 2011

nested virtuals with APM

Hi guys,

 

 

hoping someone can help me here.

 

 

i have a scenario that consists of the following:

 

 

there is an LTM balanced web site, call it www.example.com this website doesn't have authentication enforced by APM (call the virtual server www)

 

we wish to deploy several applications/sites to

 

 

www.example.com/uri1/*

 

www.example.com/uri2/*

 

etc

 

 

these will need to have authentication enforced by APM. each site/application might have a different authentication process so different APM access polices will be needed.

 

 

the solution i came up with was to deploy a virtual server per application(call the virtuals uri1 and ur2) and deploy an Irule on the virtual server www to forward to either virtual uri1 or uri2 based on the uri.

 

 

irule looks something like:

 

 

when HTTP_REQUEST{

 

if {[HTTP::uri] contains "/uri1/" } {

 

virtual uri1

 

}

 

if {[HTTP::uri] contains "/uri2/" } {

 

virtual uri2

 

}

 

}

 

 

now without APM this works fine, I can go to www.example.com/uri1/ and i will get forwarded to virtual uri1 (then back to its pool) and all is good. When i apply APM access policy to the virtual uri1. it stops working when i go to www.example.com/uri1/ if i go to http://*virutal server uri1 ip address*/uri1 then APM works fine.

 

 

When it doesn't work the web browser displays in the url bar www.example.com/my.policy and the content of the page is a 404 error from one of the web servers. So it looks like the APM logon page doesn't like traversing the multiple vips.

 

 

does anyone know how to fix this or a better way to do it?

 

 

cheers

 

  • I recently did something similar to this.

     

     

    The way i did this was branching in the APM policy itself instead.

     

     

    landingURI1 -success- authentication - resource assignment - Allow

     

    -|_fallback_ landingURI2-success-authentication-resource assignment - Allow

     

    ----------------------------|_fallback - DENY

     

     

    of course you should be able to set the fallback to allow instead granting access to the main site without authentication and requiring auth in the matched uri's..