Forum Discussion
GavinW_29074
Nimbostratus
Sep 23, 2011
Selective Proxying ala ProxyPass
Hi there,
We're currently evaluating migrating from our existing Apache web-farm to an F5 device, and our initial tinkering is throwing up some questions that I'd like to get some input on...
Initially, the question is around how we control which URIs can be hit...
Currently, Apache's ProxyPass allows us ultimate control around which bits of the application the user can hit.
To give you an example:
User A hits x.y.com.
This then redirects them to x.y.com/ApplicationA/login
As part of this application, they also require a set of image resources, which are hosted on x.y.com/ApplicationAResources
User B hits z.y.com
This currently redirects them to z.y.com/ApplicationB
This request doesn't need anything else, other than the above end-point.
Using ProxyPass rules, we can easily define the above... How would we achieve the same using iRules? Or is there a better way other than iRules?
Cheers
Gavin
10 Replies
- Brian_69413
Nimbostratus
You can easily catch incoming URIs and redirect to different ones, but I don't think you have to rely fully on the F5 for this; the Apache web server should be able to give default content based on a virtual host... that should cover most of your requirements, then you can just use a switch statement within an iRule to decide where to redirect traffic.
- GavinW_29074
Nimbostratus
Brian
Cheers for the response.
However possibly I wasn't clear enough in the above example...
The Apache ProxyPass rules are actually being used to proxy these requests onto the Back-end Java application server...
So the idea is to eliminate Apache completely and use the F5 to serve the applications from the Java app server...
Cheers
Gav
- Brian_69413
Nimbostratus
Are the Java servers running a webserver? Or was the ProxyPass serving up the content?
- GavinW_29074
Nimbostratus
Brian
The Java app servers are running Glassfish... The Apache webservers are used as an SSL front-end, with the relevant bits being proxied onto the App server as required...
An example ProxyPass ruleset is:
ProxyPass /ApplicationA http://appserver:8080/ApplicationA
ProxyPassReverse /ApplicationA http://appserver:8080/ApplicationA
Basically, I'm trying to make sure that the user can't try and hit anything else on the app server apart from what we're explicitly allowing...
Cheers
Gavin
- Brian_69413
Nimbostratus
Example iRule to only allow certain paths:
    when HTTP_REQUEST {
        # Redirect the one permitted URI; drop every other request
        if { [HTTP::uri] eq "/allowed" } {
            HTTP::redirect "New path"
        } else {
            reject
        }
    }
- GavinW_29074
Nimbostratus
Brian
Cheers for the pointer...
In the end, I've set it up using the 'class match' and an iRule Data list of allowed URLs.
It also allows me to redirect to the application for any requests to a non-valid URL, rather than just rejecting the users request...
FYI, the code is:
    when HTTP_REQUEST {
        if { [HTTP::path] eq "/" || [HTTP::path] eq "" } {
            # Bare host: send the user to the application logon page
            HTTP::redirect "https://[HTTP::host]/ApplicationA/logon"
        } elseif { not [class match [HTTP::path] starts_with ApplicationA_AllowedURLs] } {
            # Path is not in the allowed-URL data group: back to the application
            HTTP::redirect "https://[HTTP::host]/ApplicationA"
        }
    }
Regards
Gavin
- Patrick_Chang_7
Historic F5 Account
You should actually use the Proxy_Pass_v10 iRule. It was written expressly for this purpose.
http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx
- GavinW_29074
Nimbostratus
Patrick
That's a big rule... What would be the benefits of that rule over and above what I've done?
Cheers
Gav
- Patrick_Chang_7
Historic F5 Account
The Rule has been vetted and debugged. Cut and paste the Rule as is. In order to add/change entries, you only have to edit the data group, not the Rule.
- GavinW_29074
Nimbostratus
Ok...
Seems nice and easy in principle... However we've got a requirement to use a VIP per service, as we enforce client certificates on most of our sites...
Does the principle still apply???
I.e. apply this rule to multiple VIPs, and then just create the relevant Datagroups as required?
Cheers
Gav
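
Added example (not part of the original thread, and not F5 or iRule code): a Python model of the prefix allowlist approach discussed above, showing why a raw starts_with match needs a path-segment boundary and normalization before the decision. The prefixes and request paths are constructed, and the model assumes the rule is handed the raw, undecoded request path.

```python
"""Model of a reverse-proxy path allowlist (constructed example, not iRule code)."""
import posixpath
from urllib.parse import unquote

# Constructed allowlist mirroring the thread's ApplicationA example.
ALLOWED_PREFIXES = ("/ApplicationA", "/ApplicationAResources")


def naive_allowed(path, prefixes=ALLOWED_PREFIXES):
    """Raw prefix test, the way a plain starts_with comparison behaves."""
    return any(path.startswith(p) for p in prefixes)


def normalize(path):
    """Percent-decode once, then collapse '.', '..' and repeated slashes."""
    decoded = unquote(path)
    # Refuse NUL bytes, relative paths and anything still percent-encoded
    # after one decode (double encoding) rather than guess at the intent.
    if "\x00" in decoded or "%" in decoded or not decoded.startswith("/"):
        return None
    return posixpath.normpath(decoded)


def strict_allowed(path, prefixes=ALLOWED_PREFIXES):
    """Allow an exact prefix, or a prefix followed by a '/' boundary."""
    norm = normalize(path)
    if norm is None:
        return False
    return any(norm == p or norm.startswith(p + "/") for p in prefixes)


def decide(path):
    """Same flow as the thread's rule: root -> logon, unlisted -> app root."""
    if path in ("", "/"):
        return ("redirect", "/ApplicationA/logon")
    if not strict_allowed(path):
        return ("redirect", "/ApplicationA")
    # Forward the normalized path so the backend sees what was checked.
    return ("forward", normalize(path))


if __name__ == "__main__":
    # Constructed request paths for the comparison.
    for p in ["/", "/ApplicationA/login", "/ApplicationAResources/logo.png",
              "/ApplicationAOther/x", "/ApplicationA/../other",
              "/ApplicationA/%2e%2e/other", "/unlisted"]:
        print(f"{p!r:36} naive={naive_allowed(p)!s:5} -> {decide(p)}")
```
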