Forum Discussion
Vishal_96707
Nimbostratus
NimbostratusSelective HTTPS redirection
I am having following requirement in which the servers in the pool should talk to the virtual server using HTTP only while all other users should redirect to HTTPS.
The requirement for servers talking to the VS was fulfilled using the following iRule
when CLIENT_ACCEPTED {
checks to see if client_addr = any in the class
fmw_nodes class has servers in the pool
if { [matchclass [IP::client_addr] equals $::fmw_nodes]} {
snat 192.168.253.250
} else {
pool fwm-uat.bmc.com
}
}The HTTP -> HTTPS redirection is configured using following iRule
when HTTP_REQUEST {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}How does the iRule evaluation takes place when you have more than one iRules?
I would appreciate any help in this regards. I am new to Big IP LTM
Thanks in advance
Nicolas_MenantEmployee
Hi,
iRules are processed in the order they have been set in the VS configuration.
So if each iRule use the same variable, ensure you got the order correctly.
Usually it's recommended if possible to merge several iRules in one. It's easier to troubleshoot and you can look at the code in one shot.
If you are talking about the order of processing of your two iRules you configured above it will be:
CLIENT_ACCEPTED then HTTP_REQUEST
CLIENT_ACCEPTED is triggered after the TCP connection is established.
HTTP_REQUEST will be triggered each time the client sends a request to the server.
HTH
N.
Vishal_96707If you see the code i have used for SNAT it sends the traffic pool if the client ip doesnt match using the matchclass. If that is the case and assume i have 2 rules 1. SNAT 2. HTTP_Request, will it go to the second rule? Is it necessary to use "else" after "if"- Nicolas_MenantHi,
Yes it will go to the HTTP_REQUEST anyway.
What happens is:
Your CLIENT_ACCEPTED event will say: when you'll forward the request hide the Source IP with this one.
Then your HTTP_REQUEST will be trigger and it will redirect the user to HTTPS. In this case you didn't forward anything since you just send a redirect to the user so the snat request won't be effective and used.
With both iRules, anyone talking through HTTP should be redirected through HTTPS.
If you want not to redirect the servers you should merge everything in the HTTP_REQUEST to obtain something like this :
when HTTP_REQUEST {
if { [matchclass [IP::client_addr] equals $::fmw_nodes]} {
snat 192.168.253.250
} else {
if{ [TCP::local_port] == 80} } {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}
}
N. - Vishal_96707when HTTP_REQUEST {
if { [matchclass [IP::client_addr] equals $::fmw_nodes]} {
snat 192.168.253.250
} else
In the first part it should snat and send the traffic to pool also. Do i need to mention the pool statement or it will use the pool configured in Virtual Server? - Nicolas_Menantif you don't use any pool command, it will use the default pool configured in the VS
- Vishal_96707What is recommended method for SNAT? using SNAT configuration option via web or iRule?
- Nicolas_Menantif you need to apply SNAT to only specific client the best method is to use an iRule. Same thing if you need to use different SNAT configuration depending on the clients
If you need to do SNAT for all connection, use the GUI it will be easier to maintain. - Vishal_96707Thanks for all your help. I will try and let you know.
- Nicolas_MenantCan you post your iRule ?
Otherwise what you can do to troubleshoot is to use the log command to print information during the processing of your iRule.
It may help you to see what's happening.
The logging will appear in /var/log/ltm - Vishal_96707
when HTTP_REQUEST
{
if{[matchclass[IP::client_addr] equals $::fmw_nodes]}
{
snat 192.168.253.250
}
else
{
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}
Here is what i have found in the logs
TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:09 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:19 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:19 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:29 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:29 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:31 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass137.72.254.231" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:39 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:39 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:42 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass137.72.254.231" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:49 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"
Mar 3 09:31:49 tmm tmm[1089]: 01220001:3: TCL error: Rule fmw-test - invalid command name "matchclass192.168.253.250" while executing "matchclass[IP::client_addr] equals $::fmw_nodes"