Forum Discussion
reverse proxy
Ok well it seems you don't quite understand the guide. Let me summarise for you.
Rewrite profile = URI Translation
HTML profile = Tag Removal (optional)
Local Traffic Policy (LTP) = pool selection
The URI translation modifies the data however it does not choose a destination for you. The load balancing method on your pool does that. But in this case we want to override that with LTP. You can instruct LTP to select an individual pool member but multiple pools is a better approach. Separate your servers into pools, use LTP to select the pool you need based on the URI.
So why does it work this way? The rewrite engine is designed to reformat data and that's it. LTP on the other hand is designed to do a whole lot of things including choosing a destination based on that data. Pools are better because if you decide to add another server to support capacity then you just add one more to the relevant pool. Also persistence methods such as cookie persistence are often linked to the pool. In the case you want persistence to work across pools as you might here, there is a tick box for it.
- pedinopa_170325 Apr 14, 2017
Nimbostratus
I split out the pool into 3 separate pools. I created a single policy with 3 different rules (one for each pool). I modified my HTTP VS to use no default pool and to use my policy (is that correct)? In addition I assigned a client SSL profile to the HTTP VS (required to assign my policy). Do I need an HTTPS VS since the nodes are using SSL?
In the LTP rules, should the HTTP-host be the host the client will see or the address of the pool member? (I think it would be what the client will see, not the node.)
- Kevin_Davies_40 Apr 15, 2017
Nacreous
No default pool is fine; just use the LTP policy to add an extra rule at the bottom to catch anything that does not match and log it.
You will need a clientssl and serverssl profile if your nodes are SSL.
The HTTP host is what the client is requesting. They don't see the backend at all. From the client's perspective the F5 is the server. From the server perspective the F5 is the client. They don't know about each other at all.
Because I don't have enough data I need to make a few assumptions. Are you routing using URI or host? If host, then separate your servers into pools based on hostname, so if two servers look after the same hostname they should be in the same pool. If URI, then separate your servers into pools of servers who look after the same URI match.
Then for host matching your LTP would look like...
Rule 1. HTTP host equals app1.mydomain.com forward to pool app1-pool
Rule 2. HTTP host equals app2.mydomain.com forward to pool app2-pool
Rule 3. HTTP host equals app3.mydomain.com forward to pool app3-pool
or for URI matching it would look like...
Rule 1. HTTP path starts_with /site1 forward to pool app1-pool
Rule 2. HTTP path starts_with /site2 forward to pool app2-pool
Rule 3. HTTP path starts_with /site3 forward to pool app3-pool
You should have a catch-all rule at the end to pick up anything that's not matching.
Rule 4. Match any traffic, Log tcl:UNMATCHED URI [HTTP::uri]
Then when you are testing you can go to System, Logs, Local Traffic and search for UNMATCHED to see if any traffic is not matching your rules.
- pedinopa_170325 Apr 17, 2017
Nimbostratus
I am using URI matching, so in my rewrite policy I have:
Rule 1. HTTP host equals
Rule 2. HTTP path starts_with /site1 forward to pool app1-pool
Rule 3. HTTP path starts_with /site2 forward to pool app2-pool
Rule 4. HTTP path starts_with /site3 forward to pool app3-pool
What should my rewrite profile look like? Currently I have
URI Translation settings
Client: /APP1/ Server: /app1
Client: /APP2/ Server: /app2
Client: /APP3/ Server: /app3
Also tried
Client: http://host.domain.com/APP1/ Server: /app1
Client: http://host.domain.com/APP2/ Server: /app2
Client: http://host.domain.com/APP3/ Server: /app3
Finally, your mention of logging unmatched traffic: where does that log? If I want to point it at an HSL server, what would the rule look like?
- Kevin_Davies_40 Apr 18, 2017
Nacreous
Sorry, I can't make sense of this. First, the rewrite policy looks more like a local traffic policy. What is rule 1 for? Why does it have no action? Did you mean if HTTP::host notequal to host.domain.com action Ignore? What is your matching strategy for the policy?
In the rewrite profile, there is no need to specify the IP and port. The pool selection in your local traffic policy takes care of that. The pool members should be added on the correct IP and ports the application is listening on.
- pedinopa_170325 Apr 18, 2017
Nimbostratus
Let me try to clean this up. First of all, I thought in my policy I had to have an HTTP HOST statement (I followed the configuration https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/21.html) so it looked like (I did all this using the configuration utility):
HTTP-HOST equals
I have since removed that.
Then in my policy I have 3 http-uri rules:
CONDITIONS
rule 1. HTTP-URI REQUEST ALL STARTS_WITH /APP1
rule 2. HTTP-URI REQUEST ALL STARTS_WITH /APP2
rule 3. HTTP-URI REQUEST ALL STARTS_WITH /APP3
ACTIONS
rule 1. forward request select pool1
rule 3. forward request select pool2
rule 3. forward request select pool3
As for the rewrite profile, should I just have CLIENT SETTING: /APP1/ SERVER SETTING: /APP1/? Do I need the rewrite profile? It sounds like the LTP is what I really need.
- Kevin_Davies_40 Apr 18, 2017
Nacreous
You are right, I don't think you need the rewrite.
As for the policy, that looks perfect. Just make sure they are three separate rules in the one policy.
Rule 1. HTTP-URI REQUEST ALL STARTS_WITH /APP1 THEN forward request select pool1
Rule 2. and so on...
If you need to restrict these rules to an incoming host, e.g. http://myhost.mydomain.com/whatever, then you can add a new rule at the top.
HTTP Host notequals myhost.mydomain.com and do not specify an action!
In an unconfigured rule the default action is Ignore. This means do nothing (Ignore) for this policy. What does this mean? If it does not match the host you want, it will match this rule. Since the rule was matched and your matching strategy is first match, then this will prevent the following URI rules from being executed. It does not stop any traffic from being passed, it just stops further rules in that policy from being processed.
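The first-match behaviour described in the post above, modelled as an added Python example; it is not part of the thread and not BIG-IP code. The `evaluate` helper and the rule names are hypothetical and the sample requests are constructed. It also shows that a prefix condition such as `/APP1` matches `/APP10/...` as well.

```python
# Added illustration: a minimal model of first-match policy evaluation.
# Not BIG-IP code; evaluate() and the rule names are hypothetical.

GUARD_HOST = "myhost.mydomain.com"

# Ordered rules: (name, condition, action). An action of None models a rule
# with no configured action, which the thread describes as "Ignore".
RULES = [
    ("host-guard", lambda host, path: host.lower() != GUARD_HOST, None),
    ("app1", lambda host, path: path.startswith("/APP1"), "pool1"),
    ("app2", lambda host, path: path.startswith("/APP2"), "pool2"),
    ("app3", lambda host, path: path.startswith("/APP3"), "pool3"),
    ("catch-all", lambda host, path: True, "log"),
]


def evaluate(host, path, rules=RULES):
    """Return (matched_rule, selected_pool, log_line) using first match."""
    for name, condition, action in rules:
        if not condition(host, path):
            continue
        if action is None:
            # Ignore: the policy stops here and selects nothing. Traffic is
            # not dropped; only the later rules in this policy are skipped.
            return name, None, None
        if action == "log":
            return name, None, f"UNMATCHED URI {path}"
        return name, action, None
    return None, None, None


if __name__ == "__main__":
    # Constructed sample requests: (Host header, request path).
    samples = [
        ("myhost.mydomain.com", "/APP1/index.html"),  # routed to pool1
        ("other.mydomain.com", "/APP1/index.html"),   # guard matches, no pool
        ("myhost.mydomain.com", "/APP10/report"),     # prefix overlap: pool1
        ("myhost.mydomain.com", "/status"),           # falls to catch-all
    ]
    for host, path in samples:
        print(host, path, "->", evaluate(host, path))
```
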
- pedinopa_170325 Apr 18, 2017
Nimbostratus
I simplified my setup since I can't get it to work. I have 1 rule
CONDITIONS HTTP-URI REQUEST ALL STARTS_WITH /APP1/
ACTIONS FORWARD REQUEST SELECT POOL1
I removed my Rewrite policy.
I created 1 VIP, an HTTP. Under resources I selected my policy. There is no default pool. I get a 404 error when I hit the page and there is an icon for Red Hat on the tab, so I think it's making a connection to the server but can't get back (the servers use an odd port, does that matter?). The node and pool are green so the F5 does connect to them.
I want to send logs of all traffic to my HSL remote logging server, both client requests and server responses. How can I do that?
- Kevin_Davies_40 Apr 18, 2017
Nacreous
When the incoming request is /app1 what is the URI meant to be on the backend server? Is it meant to be / or /app1?
- pedinopa_170325 Apr 18, 2017
Nimbostratus
So this is what is supposed to happen. I want to type host.domain.com/APP1 and it resolves to x.x.x.x:9090/APP1. I have my node and pool created using port 9090. I have my DNS host file resolving x.x.x.x to my VIP. The VIP listens on port 80 and through the policy it forwards to the pool using port 9090. Is the problem the port? Do I need to adjust my virtual server?
- pedinopa_170325 Apr 18, 2017
Nimbostratus
on the backend it should be x.x.x.x/APP1/ (I mistyped it before)