Forum Discussion

GavinW_29074
Sep 23, 2011

Selective Proxying ala ProxyPass

Hi there,

We're currently evaluating migrating from our existing Apache web-farm to an F5 device, and our initial tinkering is throwing up some questions that I'd like to get some input on...

Initially, the question is around how we control which URIs can be hit...

Currently, Apache's ProxyPass allows us ultimate control around which bits of the application the user can hit.

To give you an example:

User A hits x.y.com.

This then redirects them to x.y.com/ApplicationA/login

As part of this application, they also require a set of image resources, which are hosted on x.y.com/ApplicationAResources

User B hits z.y.com

This currently redirects them to z.y.com/ApplicationB

This request doesn't need anything else, other than the above end-point.

Using ProxyPass rules, we can easily define the above... How would we achieve the same using iRules? Or is there a better way other than iRules?

Cheers

Gavin

  • You can easily catch incoming URIs and redirect to different ones, but I don't think you have to rely fully on the F5 for this. The Apache web server should be able to give default content based on a virtual host... that should cover most of your requirements, then you can just use a switch statement within an iRule to decide where to redirect traffic.
  • Brian

    Cheers for the response.

    However, possibly I wasn't clear enough in the above example...

    The Apache ProxyPass rules are actually being used to proxy these requests onto the back-end Java application server...

    So the idea is to eliminate Apache completely and use the F5 to serve the applications from the Java app server...

    Cheers

    Gav
  • Are the Java servers running a webserver? Or was the ProxyPass serving up the content?
  • Brian

    The Java app servers are running Glassfish... The Apache webservers are used as an SSL front-end, with the relevant bits being proxied onto the App server as required...

    An example ProxyPass ruleset is:

    ProxyPass /ApplicationA http://appserver:8080/ApplicationA
    ProxyPassReverse /ApplicationA http://appserver:8080/ApplicationA

    Basically, I'm trying to make sure that the user can't try and hit anything else on the app server apart from what we're explicitly allowing...

    Cheers

    Gavin
  • Example iRule to only allow certain paths:

    
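    when HTTP_REQUEST {
        # Requests for exactly "/allowed" are redirected; anything else is rejected
        if { [HTTP::uri] eq "/allowed" } {
            HTTP::redirect "New path"
        } else {
            # reject resets the connection; no HTTP response is sent
            reject
        }
    }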
    
  • Brian

    Cheers for the pointer...

    In the end, I've set it up using the 'class match' and an iRule Data list of allowed URLs.

    It also allows me to redirect to the application for any requests to a non-valid URL, rather than just rejecting the user's request...

    FYI, the code is:

    when HTTP_REQUEST {
        if { [HTTP::path] eq "/" || [HTTP::path] eq "" } {
            # Bare hostname: send the user to the logon page
            HTTP::redirect "https://[HTTP::host]/ApplicationA/logon"
        } elseif { not [class match [HTTP::path] starts_with ApplicationA_AllowedURLs] } {
            # Path matches no prefix in the data group: redirect to the application
            HTTP::redirect "https://[HTTP::host]/ApplicationA"
        }
    }

    Regards

    Gavin
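
The prefix test in the rule above, tightened to whole path segments, as an added example that is not part of the thread or of F5's own code. With `starts_with`, a data-group entry such as `/ApplicationA` also matches `/ApplicationAResources` and any other path on the app server that begins with the same characters. This variant assumes every entry in `ApplicationA_AllowedURLs` ends in "/" (for instance `/ApplicationA/` and `/ApplicationAResources/`) and that the application never needs "." or ".." path segments.

```tcl
# Added example, not code from the thread.
# Assumption: ApplicationA_AllowedURLs is a string data group whose entries
# all end in "/", e.g. "/ApplicationA/" and "/ApplicationAResources/".
when HTTP_REQUEST {
    # Bare hostname: send the user to the logon page, as in the rule above.
    if { [HTTP::path] eq "/" || [HTTP::path] eq "" } {
        HTTP::redirect "https://[HTTP::host]/ApplicationA/logon"
        return
    }

    # Decode percent-escapes once and append "/". The request "/ApplicationA"
    # becomes "/ApplicationA/" and still matches the entry "/ApplicationA/",
    # while "/ApplicationAOther" becomes "/ApplicationAOther/" and does not.
    set candidate "[URI::decode [HTTP::path]]/"

    # Refuse "." and ".." segments so the prefix test is made on the same
    # path the application server will end up resolving.
    # Assumption: the application has no legitimate need for such paths.
    if { $candidate contains "/../" || $candidate contains "/./" } {
        HTTP::respond 403 content "Forbidden"
        return
    }

    # Anything outside the allowed prefixes goes back to the application,
    # the same fallback the rule above uses. "/ApplicationA" itself passes
    # the test, so this redirect cannot loop.
    if { not [class match $candidate starts_with ApplicationA_AllowedURLs] } {
        HTTP::redirect "https://[HTTP::host]/ApplicationA"
    }
}
```

The data group has to be updated to the trailing-slash form before this rule is attached; with slash-less entries the rule behaves exactly like the original prefix match.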

     

  • Patrick_Chang_7
    Historic F5 Account
    You should actually use the Proxy_Pass_v10 iRule. It was written expressly for this purpose.

    http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx
  • Patrick

    That's a big rule... What would be the benefits of that rule over and above what I've done?

    Cheers

    Gav

     

  • Patrick_Chang_7
    Historic F5 Account
    The Rule has been vetted and debugged. Cut and paste the Rule as is. In order to add/change entries, you only have to edit the data group, not the Rule.
  • Ok...

    Seems nice and easy in principle... However we've got a requirement to use a VIP per service, as we enforce client certificates on most of our sites...

    Does the principle still apply???

    I.e. apply this rule to multiple VIPs, and then just create the relevant Datagroups as required?

    Cheers

    Gav