For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Matt_70198's avatar
Matt_70198
Icon for Nimbostratus rankNimbostratus
Sep 26, 2013

redirecting to different port based on URL

Hello,   Did a bit of searching on this before-hand to come up with what I've got, wanted to run it by you to see if it will hold water.   There are a large number of URLs, around 80, which sha...
application delivery
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 26, 2013

That should technically work. So for example, if the user requested "http://aaa.com/foo", your iRule would redirect them to "http://aaa.com:8010/foo" - presumably another VIP.

You could get around the whole non-standard port thing by simply sending to different pools based on the host. I'd also use a data group for such a large set of services:

Data group (ex. my_host_dg)

aaa.com := aaa_pool
bbb.com := bbb_pool
ccc.com := ccc_pool

And then an iRule that looks like this:

when HTTP_REQUEST {
    if { [class match [string tolower [HTTP::host]] equals my_host_dg] } {
        pool [class match -value [string tolower [HTTP::host]] equals my_host_dg]
    }
}

You'd need one VIP for port 80 traffic, one pool for each application (listening on the appropriate port), and one data group entry to map the host to the pool.

As for SSL traffic, you could the same with a few additional options:

  1. Create a single SSL profile that contains a "Subject Alt Name" (SAN) certificate - a cert that contains all of the server names.

  2. If you're on a v11 F5 box and don't have to worry about clients that can't do TLS (WinXP and below), you can use Server Name Indicator (SNI), create separate client SSL profiles for each server certificate/key, and apply all of those client SSL profiles to the port 443 VIP. The VIP will choose the correct client SSL profile based on the client's request.