Forum Discussion

Dimesio_91168's avatar
Dimesio_91168
Icon for Nimbostratus rankNimbostratus
Sep 05, 2012

redirecting from one VS to another

Hello,

 

 

I have searched the forums and found little relating to this, as I am sure this is a bit of a unique situation.

 

I have two sites to be hosted behind our F5, each needing a different virtual server configuration to work properly. I have two URLs that connect to the same IP(scmdev.xx.xx.xx and scmssodev.xx.xx.xx) and the way the current configuration is we have TMG doing the redirect depending on the URL requested.

 

 

Being that I need to have two drastically different VS's on the F5 to make the sites work, I am wondering how to creat a central VS to redirect to the correct VS depending on the URL requested. I am trying to use the following iRule:

 

when HTTP_REQUEST {

 

switch [HTTP::HOST] {

 

scmdev.xxx.xxx.xx { virtual NAME_OF_VSERVER1 }

 

scmssodev.xxx.xxx.xx { virtual NAME_OF_VSERVER2 }

 

default {reject}

 

}

 

}

 

 

I know that this rule works when I use pool NAME_OF_POOL instead of virtual,so I am stumped as to why it cant do this to a another local VS? I have the central server setup for proxy on both SSL profiles, but when I try to connect it just shows me that the page doesnt exist, basically like it has nowhere to go. Any help on this would be greatly appreciated.

 

application delivery
dev
devops
iRules
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 05, 2012
    Can you access the internal virtual servers directly to test?

     

     

    Do you have SNAT enabled for the internal virtual servers?
  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2012
    Yes, when connecting to the virtual servers individually I am able to use them to get to my websites. SNAT is also enabled for the internal VS's

     

  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2012
    Yes, when connecting to the virtual servers individually I am able to use them to get to my websites. SNAT is also enabled for the internal VS's

     

  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2012
    Yes, when connecting to the virtual servers individually I am able to use them to get to my websites. SNAT is also enabled for the internal VS's

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 05, 2012
    Are the internal virtual servers HTTPS?

     

     

    If so you'll need a server SSL profile on the external VIP.

     

  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2012
    I have SSL profiles for the external VS on both client and server side, and set up the profiles to "Proxy SSL" in the advanced settings, from what I understand this basically does a pass-through of SSL session variables to the server I'm forwarding to, unless that is only for actuall nodes not on the F5 itself?
  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 05, 2012
    I have SSL profiles for the external VS on both client and server side, and set up the profiles to "Proxy SSL" in the advanced settings, from what I understand this basically does a pass-through of SSL session variables to the server I'm forwarding to, unless that is only for actuall nodes not on the F5 itself?
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 05, 2012
    Ahh. ProxySSL allows a client and back end server to communicate directly, exchanging keys, while the BIG-IP transparently negotiates the same keys. If your back end server is also SSL, this method won't work because a) the internal virtual server is essentially in the way, and b) I don't believe you can "stack" ProxySSL configs.

     

     

    Unless you specifically have a requirement for end-to-end SSL, you should terminate the traffic on the external VIP and re-encrypt (if necessary) on the internal VIPs and skip ProxySSL.
  • Dimesio_91168's avatar
    Dimesio_91168
    Icon for Nimbostratus rankNimbostratus
    Sep 06, 2012
    I dont think I understand what you mean by terminating the traffic...

     

     

    I have to use Proxy SSL for one of my VS's to access the website its related to. Thats actually the big difference between the two VS's for the two websites, one uses normal SSL settings and the other uses proxy SSL. And unfortunately it is mandated that all traffic be encrypted from client to server...so I guess I'll have to figure out another way about it.
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 06, 2012
    ProxySSL is a mechanism that allows the BIG-IP to "man-in-the-middle" the SSL key negotiation between the client and server. As such that negotiation has to be able to happen without any interference. I haven't verified this, but i'm also assuming you can't "stack" ProxySSL profiles in a VIP-targeting scenario. ie:

     

     

    client -> external VIP with ProxySSL -> internal VIP with ProxySSL -> server

     

     

    If you have to do ProxySSL because of an end-to-end SSL requirement, you'll only be able to do it on one of the VIPs (external or internal), and in no case, unless you terminate the SSL, will you be able to make a switching decision based on HTTP data like the host name. Also when I say "end-to-end" I'm specifically talking about SSL negotiations directly between the client and server, as if the BIG-IP wasn't there. That's mainly used in environments where the server needs the client's certificate in the SSL stream for authentication. If you just need SSL all the way to the server, then just decrypt at the BIG-IP and re-encrypt to the server. Then you have access to all of the HTTP data, you can forego the ProxySSL complexity, and actually have a better chance of persisting the connections with something other than source IP.