Forum Discussion
GavinW_29074
Nimbostratus
NimbostratusProxyPass V10 iRule issues...
Hi there,
I'm trying to set-up the ProxyPass v10 iRule from here (http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx), and I'm hitting a few issues with Firefox...
It's probably worth noting that I've made a couple of tweaks to the rule to fit with how we intend to use it...
Top section of the rule looks like this now:
when RULE_INIT {
Enable to debug ProxyPass translations via log messages in /var/log/ltm
(2 = verbose, 1 = essential, 0 = none)
set static::ProxyPassDebug 02
Enable to rewrite page content (try a setting of 1 first)
(2 = attempt to rewrite host/path and just /path, 1 = attempt to rewrite host/path)
set static::RewriteResponsePayload 0
}
when CLIENT_ACCEPTED {
Get the default pool name. This is used later to explicitly select
the default pool for requests which don't have a pool specified in
the class.
set default_pool [LB::server pool]
if { $static::ProxyPassDebug > 1 } {
log local0. "[virtual name]: [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"[IP::local_addr]:[TCP::local_port] DefaultPool: $default_pool"
}
}
when HTTP_REQUEST {
"bypass" tracks whether or not we made any changes inbound so we
can skip changes on the outbound traffic for greater efficiency.
set bypass 1
The name of the Data Group (aka class) we are going to use
set vname [getfield [virtual name] / 4]
set cname [substr $vname 0 .]
set clname "ProxyPass[virtual name]""ProxyPass_$cname"
Initialize other local variables used in this rule
set orig_uri "[HTTP::uri]"
set orig_host "[HTTP::host]"
set log_prefix "VS=[virtual name], Host=$orig_host, URI=$orig_uri"
set clientside ""
set serverside ""
set newpool ""
set ppass ""
if {! [class exists $clname]} {
log local0. "$log_prefix: Data Group $clname not found."
pool $default_pool
return
} else {
log local0. "$log_prefix: Data Group $clname found."
set ppass [class match -element "$orig_host$orig_uri" starts_with $clname]
if {$ppass eq ""} {
Did not find with hostname, look for just path
set ppass [class match -element "$orig_uri" starts_with $clname]
}
if {$ppass eq ""} {
No entries found
if { $static::ProxyPassDebug > 0 } {
log local0. "$log_prefix: No rule found"
}
Get default redirect value.
set rurl [class match -value $cname equals Root_Redirect]
if { $static::ProxyPassDebug > 0 } {
log local0. "$log_prefix: redirect found. Redirecting to $rurl"
}
HTTP::redirect "https://[HTTP::host]$rurl"
pool $default_pool
return
}
}
Basically, I've changed the name format of the datagroup that it's looking for, and added a 'Default redirect' which is used to catch either the root directory or an invalid application URL.
This code works fine in IE, however I'm consistently getting the following error in FF:Corrupted Content Error
The page you are trying to view cannot be shown because an error in the data transmission was detected.
Any ideas where this issue could come from? 
GavinW_29074Opher
Are your mods based on the copy of the rule I've posted above, or the stock ProxyPass v10.4 rule?Edit: I've just realised that I havent posted my version of the rule to this topic... But i've made a lot of same mods that you've made...
A copy of my edit on the rule is attached...
Cheers
Gavin
Opher_Shachar_6Hi Gavin,
My mods are based on the iRule available here: http://devcentral.f5.com/wiki/defau...ssV10.html
which has your ':' fix already incorporated.Cheers.
- GavinW_29074Opher,
See my edit above... Realised that the above rule has been further tweak in other topics on here...
I've attached a copy of my edit to the previous reply.
Cheers
Gav - Opher_Shachar_6
Hi Gavin,
After a first review I have some comments:> What is the purpose or intent of the additional if on line 266 ?
> On line 136 you changed an error level log to debug level. Why?
> You look for the data-group in the /Common/ partition (and path) irrespective of the path of the VS.
> I do find that your method of determining the correct protocol -- http / https -- is more exact. I just checked whether a SSL-client-profile was attached to the VS.Cheers,
- GavinW_29074Posted By Opher Shachar on 02/03/2012 03:10 PM
Hi Gavin,
After a first review I have some comments:> What is the purpose or intent of the additional if on line 266 ?
> On line 136 you changed an error level log to debug level. Why?
> You look for the data-group in the /Common/ partition (and path) irrespective of the path of the VS.
> I do find that your method of determining the correct protocol -- http / https -- is more exact. I just checked whether a SSL-client-profile was attached to the VS.Cheers,
OpherLine 266 was discussed a bit more here (http://devcentral.f5.com/Community/...fault.aspx). Basically, I spotted that the Stream profiles were being enabled even when the Client and Server side paths were identical...
I think the change on 136 was purely to make it match the log entry at 140... However agree that it may make more sense to have this logging at an error level.
Agreed, currently we're only using the /Common/ partition... However can see why it makes sense to make the rule as future proof as possible...
Thanks for comments on connection protocol...
I guess it's also worth pointing out the 'Default' redirect functionality I've added on lines 151-153. This works off of a separate DataGroup which provides a 'if you dont match something, try this.'
Will work your changes into my rule and see what it comes out like :)
Cheers
Gavin
- Opher_Shachar_6About those 'maintenance_window' and 'default redirect' ...
This module 'ProxyPass' was intended to simulate the Apache ProxyPass and ProxyPassReverse directive.
As such, and for good measure, the iRule should confine itself to what it was designed for.
Obviously when you maintain a private copy you are free to do whatever suites you but,
for a module that is to be generally useful, it cannot incorporate the aforementioned features.
Same is true for your added 'if' on line 266: it breaks the intended use of rewriting host and/or uri.
Cheers,
Opher. - GavinW_29074Posted By Opher Shachar on 02/06/2012 01:05 AM
About those 'maintenance_window' and 'default redirect' ...
This module 'ProxyPass' was intended to simulate the Apache ProxyPass and ProxyPassReverse directive.
As such, and for good measure, the iRule should confine itself to what it was designed for.
Obviously when you maintain a private copy you are free to do whatever suites you but,
for a module that is to be generally useful, it cannot incorporate the aforementioned features.
Same is true for your added 'if' on line 266: it breaks the intended use of rewriting host and/or uri.
Cheers,
Opher.
Opher,
Agreed with regards Maintenance_Window... Meant to strip that out as it's very specific to our set-up...
As regards 'Default redirect', whilst I agree it's not strictly a ProxyPass function, the ability to redirect a user hitting the root of the VIP to a valid application URL is a fundamental Apache function that I, and I suspect a lot of other people used in conjunction with ProxyPass, either using mod_rewrite or a HTML redirect page... However am happy to conform to whatever the wider consensus is.
As regards line 266, as discussed in the linked topic, I found that the rule wasn't behaving as I'd expect it to when there were no host elements being re-written.
However as per the other topic I haven't confirmed as to whether it has any wider impact...
Will however try it with the amendments you've made to see if it changes things...
Regards
Gavin - GavinW_29074All
One further update I've just made to our local copy of the ProxyPass rule is around the Cookie rewriting...
It may be specific to our set-up, but I was finding that the 'Path' value in the Set-Cookie HTTP::Header wasn't been re-written correctly when the client_path doesn't equal the server_path.
I tracked the issue to a trailing '/' on the Server_path.
Attached is a patch generated from our local copy.
Let me know your comments.
Cheers
Gavin - GavinW_29074Looks like there's a typo in the rule.
has got an additional closing bracket which isn't needed...[virtual name]]
Gav - GavinW_29074Looks like there's a typo in the rule.
has got an additional closing bracket which isn't needed...[virtual name]]
Gav