Reverse proxy for login page

i might be lost. what i understand is now user accesses www.thirdparty.com which is hosted by another company externally. to get control of traffic, i understand we have to map www.mycompany.com to virtual server on bigip. so, i think we may have to rewrite host header when sending traffic to www.thirdparty.com.

 

 

maybe i am totally lost. ;)

@nitass - actually yes (I was wrong), not for the image (I was right) but for all other requests related to the login page the host header WILL have to be changed as you stated.

As others have stated, if DNS points users to another site, www.thirdparty.com, for login and that site IS NOT behind your BIG-IP, then you have no way of controlling the properties of the objects on the page. You would necessarily have to capture any redirects to www.thirdparty.com from inside your application, rewrite the Location header, and proxy the external site.

 

 

ie. www.mycompany.com/thirdparty

 

 

So the big question becomes: do users go to www.thirdparty.com FIRST, or to your application FIRST?

 

 

but for all other requests related to the login page the host header WILL have to be changed as you stated.

i am not sure how the login page works but yes, i agree that this will make all request passing through bigip which is not what CS wants.

 

 

i was thinking to use wildcard virtual server (in case user is behind bigip) and respond company logo file (i.e. using ifile) instead of third party logo file when seeing the request to the third party logo file. anyway, i thought it might confuse user if they get different logo when accessing the login page from home (via Internet).

 

 

just my 2 cents.

 

@Kevin Stewart : I agree with your code but there is one part missing. This code replaces the logo, that's fine, but remember I don't have any pool defined behind. I need to fetch / proxify the rest of the THIRDPARTY login page in the irule.

 

 

@What Lies Beneath : I don't want a server to host an image, that's the purpose of iFiles AFAIK. I'll get HA of my BigIP cluster with iFiles.

 

 

@Brian : the request is going to hit my bigip because my customers will use www.mycompany.com login page when they connect to the application for the first time.

 

 

@all: users connect to my application (BigIP) FIRST. All the other requests after the login page will hit the THIRDPARTY websites.

 

 

Sorry if my explanation wasn't clear.

 

 

The workflow would be as follows:

 

1) customer hits www.company.com (note I say www.company.com to simplify. It can be myapplogin.company.com or whatever else)

 

2) bigips return my logo and the rest of the remote page ("reverse proxified")

 

3) customers enters login/pass and click submit.

 

4) the form is posted to the remote site (not going through my bigips anymore)

 

5) application is used as before

 

 

Maybe the best way is to forget the remote login page and create my own with iFiles. Create a login/password form, with my logo, and post what user enters to the remote form.

 

PS: I don't want to use APM, license is really too expansive.

 

Thanks all!

 

There are probably a lot of different ways to achieve the goal and your last idea might well be best. but why would your original iRule snippet not work, provided you add a pool containing the remote server as member? Pass everything to the remote server, with SNAT set to automap for example, except for the IMG request which we answer directly.

 

 

If the remote server dislikes the Host header, you could fix that too.

 

 

I finally did my own login page, and posted to the thirdparty form URL. It works as expected. The only problem is that when I enter a wrong password, the error page is shown by third party and I can't do much about this because the HTTP_RESPONSE doesn't go through the BigIPs.