Forum Discussion

larry_p_134874's avatar
larry_p_134874
Icon for Nimbostratus rankNimbostratus
Mar 04, 2014

ProxyPass iRule Question

Should this not work, as far as the ProxyPass iRule is concerned?

class ProxyPassservername-vs {
   {
      "/test/aaa" { "/test/bbb" }
   }
}
pool servername-pool {
   members 10.0.0.63:http {}
}
virtual servername-vs {
   pool servername-pool
   destination 10.0.0.252:http
   ip protocol tcp
   rules proxypass
   profiles {
      http {}
      oneconnect {}
      stream {}
      tcp {}
   }
}

seems like the simplest configuration, but doesn't seem to work; that is, the browsing to 10.0.0.252:80 gets a time out. Tcpdump on servername shows packets, but none contain HTTP, as opposed to connecting to 10.0.0.63 which does show GET, etc.

Am I missing something obvious?

BTW here's the relevant lines from /var/log/ltm:

Mar  4 13:27:48 local/tmm info tmm[5428]: Rule proxypass : servername-vs: 10.0.0.184:60512 -> 10.0.0.252:80
Mar  4 13:27:48 local/tmm info tmm[5428]: Rule proxypass : VS=servername-vs, Host=10.0.0.252, URI=/test/aaa: Found Rule, Client Host=10.0.0.252, Client Path=/test/aaa, Server Host=10.0.0.252, Server Path=/test/bbb
Mar  4 13:27:48 local/tmm info tmm[5428]: Rule proxypass : VS=servername-vs, Host=10.0.0.252, URI=/test/aaa: Redirecting to http://10.0.0.252/test/aaa/
Mar  4 13:27:48 local/tmm info tmm[5428]: Rule proxypass : VS=servername-vs, Host=10.0.0.252, URI=/test/aaa/: Found Rule, Client Host=10.0.0.252, Client Path=/test/aaa, Server Host=10.0.0.252, Server Path=/test/bbb
Mar  4 13:27:48 local/tmm info tmm[5428]: Rule proxypass : VS=servername-vs, Host=10.0.0.252, URI=/test/aaa/: Using default pool servername-pool
application delivery
devops
iRules
LTM
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Mar 04, 2014

    Just a hunch here, but since the client, server, and VIP are on the same network, you probably also need a SNAT profile.

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Mar 05, 2014

    The existence of these log lines suggests that HTTP is being processed on the client side of the VIP. I would therefore do the following to provide a baseline test of functionality:

     

    1. Remove the ProxyPass iRule and tcpdump on both sides of the VIP. We're fairly certain that requests are getting to the VIP, but do you see traffic leaving the LTM for the server, and the server responding to the client back through the VIP? In this test we don't care about the HTTP response, just that packets are properly traversing the proxy.

       

    2. If the above succeeds and you see good two-way traffic, re-apply the ProxyPass iRule and perform an HTTP client side capture. What we're looking for here are the responses and if the ProxyPass iRule is sufficiently masking the server side URI path.