Forum Discussion
Rewrite and forward to specific pool
Hi,
I have a question about rewrite and forward to specific pool based on URL accessed.
Setup:
One HTTPS VS, called VS1, with a client SSL profile using the certificate for .
Two pools, called Pool1 and Pool2, with one member in each pool.
In Pool1, the member is configured with port 80, and in Pool2, the member is configured with port 8443.
I have used a rewrite profile and policies, which are attached to VS1.
External URLs:
ExURL1: https://www.abc.com
ExURL2: https://www.abc.com/test
Internal URLs:
IntURL1: http://internal.abc.com/site1
IntURL2: https://internal.abc.com:8443/site2
Scenario:
The client connects to ExURL1, BIG-IP rewrites the URL to IntURL1 and forwards it to Pool1. Then the client connects to ExURL2, BIG-IP rewrites the URL to IntURL2 and forwards it to Pool2.
Question:
How can this be achieved, since IntURL2 uses SSL and there is no server SSL profile attached to the VS?
Hope someone can point me in the right direction.
- nitass
Employee
iRule sample
// config
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 19
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool
ltm pool pool1 {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
ltm pool pool2 {
    members {
        200.200.200.111:8443 {
            address 200.200.200.111
        }
    }
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when RULE_INIT {
        set static::internalhost "internal.abc.com"
    }
    when HTTP_REQUEST {
        switch -glob [HTTP::uri] {
            "/" {
                # ExURL1 -> IntURL1: plain HTTP to pool1
                HTTP::uri "/site1"
                SSL::disable serverside
                pool pool2
            }
            "/test/*" {
                # ExURL2 -> IntURL2: server-side SSL (from the VS profile) to pool2
                HTTP::uri [string map {/test/ /site2/} [HTTP::uri]]
                pool pool2
            }
            default {
                # do something
            }
        }
    }
    when HTTP_REQUEST_RELEASE {
        # Host header carries the port of the selected pool member
        HTTP::host "${static::internalhost}:[LB::server port]"
    }
}

// test1
[root@ve13a:Active:In Sync] config ssldump -Aed -nni 0.0 port 80 or port 443 or port 8443 -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.24.1(33808) <-> 172.28.24.10(443)
...snipped...
1 10 1515902215.1724 (0.0035) C>SV3.3(128) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.abc.com
---------------------------------------------------------------
New TCP connection 2: 200.200.200.14(24713) <-> 200.200.200.101(80)
1515902215.1743 (0.0015) C>S
---------------------------------------------------------------
HEAD /site1 HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: internal.abc.com:80
---------------------------------------------------------------

// test2
[root@ve13a:Active:In Sync] config ssldump -Aed -nnr /var/tmp/test2.cap -k /config/ssl/ssl.key/default.key
New TCP connection 1: 172.28.24.1(33824) <-> 172.28.24.10(443)
...snipped...
1 10 1515902715.2350 (0.0007) C>SV3.3(128) application_data
---------------------------------------------------------------
HEAD /test/hello HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.abc.com
---------------------------------------------------------------
[root@ve13a:Active:In Sync] config ssldump -Aed -nnr /var/tmp/test2.cap -k /var/tmp/localhost.key
New TCP connection 2: 200.200.200.14(43637) <-> 200.200.200.111(8443)
...snipped...
2 10 1515902715.2410 (0.0006) C>SV3.1(128) application_data
---------------------------------------------------------------
HEAD /site2/hello HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: internal.abc.com:8443
---------------------------------------------------------------
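An added variant of the iRule above (editor's example, not nitass's code and not an F5-supplied rule; the same points apply to the local traffic policy version of the answer). It keeps the pool names and internal host from the thread, but also matches `/test` without the trailing slash (ExURL2 exactly as posted), switches on `HTTP::path` so a query string does not defeat the match, sets the backend Host header with the port inside HTTP_REQUEST rather than in HTTP_REQUEST_RELEASE, re-enables server-side SSL explicitly on the Pool2 branch, and fails closed on anything unmapped. The explicit `SSL::enable serverside` matters because `SSL::disable serverside` is connection-scoped, not request-scoped: on a keep-alive client connection whose first request went to Pool1, the next request to `/test` must turn server-side TLS back on. One caveat on the profile used in the answer: `serverssl-insecure-compatible`, like the default `serverssl` profile, does not verify the pool member's certificate (peer-cert-mode ignore), so the hop to port 8443 is encrypted but not authenticated; for production attach a custom server SSL profile with peer-cert-mode set to require and a trusted CA bundle. Assumed here: the VS carries clientssl, http and some server SSL profile, and no other URIs are expected on VS1.

```tcl
# Editor's example iRule, not from the thread. Assumptions: pools pool1 (port 80,
# plain HTTP) and pool2 (port 8443, TLS) exist; the VS has an HTTP profile and a
# server SSL profile attached; only "/" and "/test..." are expected on this VS.
when RULE_INIT {
    set static::internalhost "internal.abc.com"
}

when HTTP_REQUEST {
    # Match on the path only so "/test?x=1" still lands in the /test branch.
    switch -glob -- [HTTP::path] {
        "/" {
            # ExURL1 -> http://internal.abc.com/site1
            # Keep any query string: "/?a=b" becomes "/site1?a=b".
            HTTP::uri "/site1[string range [HTTP::uri] 1 end]"
            HTTP::host $static::internalhost
            # Pool1 speaks plain HTTP, so server-side TLS is turned off for this flow.
            SSL::disable serverside
            pool pool1
        }
        "/test" -
        "/test/*" {
            # ExURL2 -> https://internal.abc.com:8443/site2[/...]
            # Replace the leading "/test" (5 characters) and keep the remainder,
            # including any query string: "/test/hello" -> "/site2/hello".
            HTTP::uri "/site2[string range [HTTP::uri] 5 end]"
            HTTP::host "${static::internalhost}:8443"
            # SSL::disable is per connection; re-enable in case an earlier request
            # on this keep-alive connection went to pool1 with TLS disabled.
            SSL::enable serverside
            pool pool2
        }
        default {
            # Unmapped URI: fail closed instead of forwarding to a default pool.
            HTTP::respond 404 content "Not Found" "Content-Type" "text/plain"
        }
    }
}
```

Note that this rule sets the Host header before load balancing, so the port is fixed per branch; nitass's HTTP_REQUEST_RELEASE approach with `[LB::server port]` is the better choice if a pool has members on mixed ports.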
- nitass_89166
Noctilucent
Here is a local traffic policy (CPM) sample. By the way, I did not use a rewrite profile.
// config
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    policies {
        testpolicy1 { }
    }
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vs-index 19
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool
ltm pool pool1 {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
ltm pool pool2 {
    members {
        200.200.200.111:8443 {
            address 200.200.200.111
        }
    }
}
root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm policy testpolicy1
ltm policy testpolicy1 {
    controls { forwarding server-ssl }
    last-modified 2018-01-14:12:24:45
    requires { http }
    rules {
        testsite1 {
            actions {
                0 { server-ssl disable }
                1 { http-uri replace value /site1 }
                2 { http-host replace value internal.abc.com }
                3 { forward select pool pool1 }
            }
            conditions {
                0 { http-uri values { / } }
            }
        }
        testsite2 {
            actions {
                0 { http-host replace value internal.abc.com:8443 }
                1 { http-uri replace value "tcl:[string map {/test/ /site2/} [HTTP::uri]]" }
                2 { forward select pool pool2 }
            }
            conditions {
                0 { http-uri starts-with values { /test/ } }
            }
            ordinal 1
        }
    }
    status published
    strategy first-match
}

// test1
[root@ve13a:Active:In Sync] config ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
New TCP connection 2: 172.28.24.1(33842) <-> 172.28.24.10(443)
...snipped...
2 10 1515904001.6202 (0.0006) C>SV3.3(128) application_data
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.abc.com
---------------------------------------------------------------
New TCP connection 3: 200.200.200.14(3637) <-> 200.200.200.101(80)
1515904001.6211 (0.0005) C>S
---------------------------------------------------------------
HEAD /site1 HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: internal.abc.com
---------------------------------------------------------------

// test2
[root@ve13a:Active:In Sync] config ssldump -Aed -nnr /var/tmp/cpm2.cap -k /config/ssl/ssl.key/default.key
New TCP connection 2: 172.28.24.1(33844) <-> 172.28.24.10(443)
...snipped...
2 10 1515904108.0480 (0.0008) C>SV3.3(128) application_data
---------------------------------------------------------------
HEAD /test/hello HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.abc.com
---------------------------------------------------------------
[root@ve13a:Active:In Sync] config ssldump -Aed -nnr /var/tmp/cpm2.cap -k /var/tmp/localhost.key
New TCP connection 3: 200.200.200.14(43617) <-> 200.200.200.111(8443)
...snipped...
3 10 1515904108.0549 (0.0004) C>SV3.1(128) application_data
---------------------------------------------------------------
HEAD /site2/hello HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: internal.abc.com:8443
---------------------------------------------------------------
- JimT
Nimbostratus
Thanks a lot nitass. I will try both of your answers.