Forum Discussion
Problems with redirections
Hello,
This is my first post here, so welcome everybody 🙂
I need some help with redirecting from http back to https. We have a few services which we set up on LTM. For some of them the requirement is to redirect traffic to a pool based on URI content. To accomplish this I have set up the following iRules (different pools for different clients):
when HTTP_REQUEST {
    if { ( [string trim [HTTP::uri]] contains "Client_name_a" ) } {
        set uri [HTTP::uri [string map {"/Client_name/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_a
    }
}
when HTTP_REQUEST {
    if { ( [string trim [HTTP::uri]] contains "Client_name_b" ) } {
        set uri [HTTP::uri [string map {"/Client_name/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_b
    }
}
Unfortunately the server doesn't accept client names so we have to remove it from the URI. On top of that I have removed the default pool from the related VIP. This works perfectly for most of our services, except for one, where there is a redirection back to http. To fix this I have set up an http rewrite profile, but it didn't work. Works fine if I enable rewrite + my iRule + a default pool to go to pool "a", but it doesn't work for pool "b".
I hope this makes sense. Any ideas how to resolve this issue will be much appreciated.
Regards Mariusz
9 Replies
Hello,
Firstly, you should set only one HTTP_REQUEST event per iRule:
when HTTP_REQUEST {
    if { ( [string trim [HTTP::uri]] contains "Client_name_a" ) } {
        set uri [HTTP::uri [string map {"/Client_name/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_a
    }
    if { ( [string trim [HTTP::uri]] contains "Client_name_b" ) } {
        set uri [HTTP::uri [string map {"/Client_name/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_b
    }
}
- nitass
Employee
Works fine if I enable rewrite + my iRule + a default pool to go to pool "a", but it doesn't work for pool "b".
do you mean you still get http redirection when accessing pool b uri?
can you post the rewrite profile?
tmsh list ltm profile rewrite (name)
by the way, you do not need "set uri" unless you want to use it (uri variable) later.
HTTP::uri [string map {"/Client_name/" "/"} [HTTP::uri]]
- Mariusz_B
Nimbostratus
Thank you for answers.
@Yann: These are two separate iRules. Never set up iRules before so I was not sure how to create multiple "if" statements in one iRule. I guess it doesn't make a difference in terms of performance if I have two iRules, with one condition each, or one iRule with multiple conditions? Anyway one iRule per VIP is always more tidy :)
@Nitass: I'll try to be more clear. I need two things in the iRule:
1. Recognise which client has sent a request and forward it into either pool_A or pool_B.
2. Dynamically remove client name from URI, for example:
https://aa.example.com/client_name/ServiceName needs to be sent to server as http://aa.example.com/ServiceName
but if there is a dynamically changed link, I want to keep it and remove the name again, as in the example below:
https://aa.example.com/client_name/ServiceName/a/b/c should be http://aa.example.com/ServiceName/a/b/c
I have set up the same iRule for a few different services and they worked fine.
With the problematic one I get back http://aa.example.com/ServiceName to the browser so it tries to use port 80, hence created rewrite profile. With the successful one, the link stays unchanged from the browser point of view.
Now what's happening with pool B, while pool A is chosen as default for VIP, the first request goes to Pool B as it should (iRule is triggered), but because of the changed link (which is visible on the browser) there is no client name in the URI anymore, so rest of the request is sent to the default pool A.
Probably for this particular service I have to use two-way URI modification.
Rewrite profile:
{
    app-service none
    bypass-list none
    client-caching-type cach-css-js
    java-ca-file ca-bundle.crt
    java-sign-key default.key
    java-singer default.crt
    rewrite-list none
    split-tunneling false
}
What persistence profile type are you using?
We have a similar scenario where we have a single VIP pointing to multiple backend servers.
We modified the below article to work for us in 11.x, and also set persistence to cookie to make it stick
https://devcentral.f5.com/wiki/irules.Select_pool_member_based_on_HTTP_query_string_parameter.ashx
Cheers
- Mariusz_B
Nimbostratus
Hi Andrew,
Thank you very much for the link. I'll go through this tomorrow.
In the meantime I have done a wget test, and this is what my problem is:
wget --no-check-certificate https://1.1.1.1/Service_name
--2014-09-08 17:52:57-- https://1.1.1.1/Service_name
Connecting to 1.1.1.1:443... connected.
WARNING: certificate common name `ab.example.com' doesn't match requested host name `1.1.1.1'.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://1.1.1.1/Service_name/ [following]
--2014-09-08 17:52:57-- https://1.1.1.1/Service_name/
Connecting to 1.1.1.1:443... connected.
Looks like I need an iRule which will not only modify request URI, but it will also modify response URI (if possible). Something like: example.com/client/service_name to example.com/service_name and then back to example.com/client/service_name when responding back to browser.
- Once it's set to the right pool, is there any reason why you need it to change the uri back to client?
- Mariusz_B
Nimbostratus
When the URI is not changed, only the first request goes to the right pool. All the others go to the default one. This is because a client name is removed from URI, so the iRule doesn't match anymore. When I disable the default pool, nothing is working, which makes sense since the first request is forwarded, and all the rest don't match the iRule again. Is it possible to modify URI on the response back? I was trying to do that, but get some errors.
- Mariusz_B
Nimbostratus
Update. What is happening at the moment (after playing with response profiles) is the first request goes to the correct pool and is loaded, but stuff like "/Service_name/styles/default/style.jsp?" fails to load (as there is no client name and I have disabled the default pool), resulting in only text being loaded with no layout, pictures, etc. Seeing this I was thinking to configure pool persistence. Once the correct pool is chosen by the iRule, LTM should continue forwarding requests to the same pool. Can't find anything useful, so any suggestions about how to do it will be much appreciated.
- Mariusz_B
Nimbostratus
I have found a solution which works fine, but I would like to combine two iRules into one, using the switch -glob option.
iRule 1:
when HTTP_REQUEST {
    if { ( [string trim [HTTP::uri]] contains "Client1" ) or [HTTP::cookie exists "BIGipServerab.example.com_Pool_1"]} {
        set uri [HTTP::uri [string map {"/Client1/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_1
    }
}
iRule 2:
when HTTP_REQUEST {
    if { ( [string trim [HTTP::uri]] contains "Client2" ) or [HTTP::cookie exists "BIGipServerab.example.com_Pool_2"]} {
        set uri [HTTP::uri [string map {"/Client2/" "/"} [HTTP::uri]]]
        pool ab.example.com_Pool_2
    }
}
I need to be able to add more clients, but I have to route them to either pool 1 or 2 only. If this is not possible I'll create 2 iRules with switch -glob, and place clients inside them respectively. It would be nice however to have only one iRule per VIP which does everything. Tried this, but LTM is complaining about the syntax:
when HTTP_REQUEST {
    set client_name [string tolower [URI::path [HTTP::uri] 1 1]]
    switch -glob [string trim [HTTP::uri]] {
        "*Client1*"
        "*Client3*"
        "*Client5*"
        switch -glob [HTTP::cookie] {
            "BIGipServerab.example.com_Pool1" {
                set uri [HTTP::uri [string map {"/$client_name/" "/"} [HTTP::uri]]]
                pool ab.example.com_Pool1}
        }
    }
        "*Client2*"
        "*Client4*"
        "*Client6*"
        switch -glob [HTTP::cookie] {
            "BIGipServerab.example.com_Pool2" {
                set uri [HTTP::uri [string map {"/$client_name/" "/"} [HTTP::uri]]]
                pool ab.example.com_Pool2 }
        }
    }
}
Any suggestions?
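One way to write the single combined iRule asked about above, as an added example that is not from the thread or from F5: it matches the client name only as the first path segment (so a name appearing elsewhere in the URI cannot select a pool), falls back to the persistence cookie, and sends same-host redirects back as https with the client prefix restored. Pool and cookie names follow the last post; the client-to-pool mapping, the 404 fallback and the variable names are assumptions.

```tcl
# Added example (not from the thread). Names reuse the thread's placeholders;
# the 404 fallback and the Location handling are assumptions.
when HTTP_REQUEST {
    set req_host [HTTP::host]
    set client_prefix ""
    # Match only the first path segment, so a client name elsewhere in the
    # URI (query string, deeper path) cannot select a pool.
    set seg [getfield [HTTP::path] "/" 2]
    switch -glob -- [string tolower $seg] {
        "client1" -
        "client3" -
        "client5" { set client_prefix "/$seg"; pool ab.example.com_Pool1 }
        "client2" -
        "client4" -
        "client6" { set client_prefix "/$seg"; pool ab.example.com_Pool2 }
        default {
            # No client segment: follow the persistence cookie, as the two
            # working iRules in the post do.
            if { [HTTP::cookie exists "BIGipServerab.example.com_Pool1"] } {
                pool ab.example.com_Pool1
            } elseif { [HTTP::cookie exists "BIGipServerab.example.com_Pool2"] } {
                pool ab.example.com_Pool2
            } else {
                HTTP::respond 404 content "Unknown client"
                return
            }
        }
    }
    if { $client_prefix ne "" } {
        # Drop the leading "/ClientN" and keep the URI rooted at "/".
        set new_uri [string range [HTTP::uri] [string length $client_prefix] end]
        if { ![string match "/*" $new_uri] } { set new_uri "/$new_uri" }
        HTTP::uri $new_uri
    }
}
when HTTP_RESPONSE {
    # Send same-host redirects back as https, with the client prefix restored.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        if { [string match "/*" $loc] } {
            HTTP::header replace Location "$client_prefix$loc"
        } elseif { [regexp -nocase {^https?://([^/]+)(/.*)?$} $loc -> lhost lpath]
                   && [string equal -nocase $lhost $req_host] } {
            if { $lpath eq "" } { set lpath "/" }
            HTTP::header replace Location "https://$req_host$client_prefix$lpath"
        }
    }
}
```

The `-` after a pattern is Tcl's fall-through marker: several patterns share the next body, which is what the stacked `"*Client1*" "*Client3*"` lines in the post were attempting.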