Mohammed_Banaja
Nov 05, 2014

ProxyPass port from 9.x to 11.4.0, data group not processed properly

Hi,

We recently moved our web services from a ver 9.x box to a ver 11.4.0 box. We have data groups defined (also from ver 9.x) for a specific subdomain, where traffic for that subdomain is forwarded to a different back-end host than the VS's assigned pool:
ltm data-group internal /Common/ProxyPassvs_www-suncor-com_https {     -----> v 11.4.0
    records {
        / {
            data suncor-prod/
        }
        apps.suncor.com/aquarius {
            data "10.8.35.18/aquarius pool_web-c1p_http automap"
        }
        apps.suncor.com/mrms {
            data "10.8.35.18/mrms pool_web-c1p_http automap"
        }
        forthills.suncor.com/ {
            data forthills-prod/
        }
        sustainability.suncor.com/ {
            data sustainability-prod/
        }
    }
    type string
}

Now, for some reason, after testing we discovered that the "automap" portion of the data group is not being processed. We figured that the ProxyPass iRule we're using for ver 11.4.0 may have been misconfigured when adapting it to 11.4.0. Below are the snippets from 9.x:

# Store each entry in the data group line into a local variable
set clientside [getfield $ppass " " 1]
set serverside [getfield $ppass " " 2]
set newpool [getfield $ppass " " 3]
set snataddr [getfield $ppass " " 4]

. . . .

     # Take care of pool selection and SNAT settings
     if {$newpool eq ""} {
        pool $default_pool
        if { $::ProxyPassDebug > 1 } {
           log local0. "$log_prefix: Using default pool $default_pool"
        }
     } else {
        pool $newpool
        if { $::ProxyPassDebug > 0 } {
           log local0. "$log_prefix: Using parsed pool $newpool"
        }
     }
     if {$snataddr != ""} {
        snat $snataddr
        if { $::ProxyPassDebug > 0 } {
           log local0. "$log_prefix: Using SNAT address $snataddr"
        }
        HTTP::header insert "X-Forwarded-For" "[IP::remote_addr]"
     }
  }
}

And here is ver 11.4.0:

# Store each entry in the data group line into a local variable
set clientside [getfield $ppass " " 1]
set serverside [string trimleft [getfield $ppass " " 2 ] "{" ]
set newpool [string trimright [getfield $ppass " " 3 ] "}" ]

# If serverside is in the form =match=replace=, apply regex
if {$serverside starts_with "="} {
    set regex [getfield $serverside "=" 2]
    set rewrite [getfield $serverside "=" 3]
    if {[regexp -nocase $regex "$orig_host$orig_uri" 0 1 2 3 4 5 6 7 8 9]} {
        # The clientside becomes the matched string and the serverside the substitution
        set clientside $0
        set serverside [eval set X $rewrite]
    } else {
        pool $default_pool
        return
    }
}
# The following code will look up SNAT addresses from
# the data group "ProxyPassSNATs" and apply them.
#
# The format of the entries in this list is as follows:
#
#
#
# All entries are separated by spaces, and both items
# are required.
set class_exists_cmd "class exists ProxyPassSNATs"
if {! [eval $class_exists_cmd]} {
    return
}

set snat [findclass $newpool ProxyPassSNATs " "]

if {$snat eq ""} {
    # No snat found, skip rest of this event
    return
}

if { $static::ProxyPassDebug > 0 } {
    log local0. "$log_prefix: SNAT address $snat assigned for pool $newpool"
}

snat $snat

}

You'll notice that "snataddr" is not defined in the ver 11.4.0 iRule. How can I port that portion of the config to the 11.4.0 iRule, and will that address this issue?

Any help would be appreciated.

Thanks
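
One way to read the fourth data-group field in the style of the 11.4.0 parsing, as an added example that is not part of the original post or of the ProxyPass iRule. It assumes $ppass has the form `key {value}` (inferred from the brace trimming in the 11.4.0 snippet); the getfield stand-in, the proc names and pool_default are hypothetical.

```tcl
# Added example for plain tclsh. getfield is an iRule command, so a minimal
# stand-in is defined (1-based index; single-character separators only).
proc getfield {str sep idx} {
    return [lindex [split $str $sep] [expr {$idx - 1}]]
}

# Split one entry as the 11.4.0 snippet does, and also read the fourth field.
# Braces are backslash-escaped so they do not unbalance the proc body.
# Returns a list: clientside serverside newpool snataddr (missing fields are "").
proc parse_ppass {ppass} {
    set clientside [getfield $ppass " " 1]
    set serverside [string trimleft  [getfield $ppass " " 2] "\{"]
    set newpool    [string trimright [getfield $ppass " " 3] "\}"]
    set snataddr   [string trimright [getfield $ppass " " 4] "\}"]
    return [list $clientside $serverside $newpool $snataddr]
}

# The pool/snat decisions from the 9.x snippet, returned as strings because
# pool and snat only exist inside an iRule event.
proc actions {fields default_pool} {
    set newpool  [lindex $fields 2]
    set snataddr [lindex $fields 3]
    if {$newpool eq ""} { set newpool $default_pool }
    set out [list "pool $newpool"]
    if {$snataddr ne ""} { lappend out "snat $snataddr" }
    return $out
}

# Keys and values copied from the data group in the post. The list command
# brace-wraps a value that contains spaces, the assumed shape of $ppass.
foreach {key value} {
    apps.suncor.com/aquarius "10.8.35.18/aquarius pool_web-c1p_http automap"
    forthills.suncor.com/    "forthills-prod/"
} {
    set fields [parse_ppass [list $key $value]]
    # pool_default is a hypothetical name standing in for $default_pool
    puts "$key -> [join [actions $fields pool_default] {; }]"
}
```

Without the fourth getfield call, the trailing "automap" in the entry is never read, so the only SNAT source left in the 11.4.0 snippet is the ProxyPassSNATs lookup.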

 
