Specify Access Policy in LTM iRule
We have more domain names than external IPs, so I've created a general VS and do a switch on the hostname and route to the correct backend pools for those services.
What I'm running into is that on some of these hosts I need to have a specific access policy triggered when a certain hostname is hit. The flow needs to go VS -> iRule -> Access Policy Specification -> Pool/Resource Assignment, not VS -> Access policy -> iRule -> pool/resource assignment.
pseudo code example:
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "host1.company.local" {
            pool host1_pool
        }
        "host2.company.local" {
            pool host2_pool
        }
        "host3.company.local" {
            # wanted (pseudo code, the crux of it all):
            # ACCESS:enable /Common/host3_apm
        }
    }
}
I've tried the example for the ACCESS::policy evaluate, but that always fails the evaluation. The access policy I'm using is a logon page with basic RADIUS auth. I can't find anything in any documentation on how to accomplish this.
Reasons I'm doing it this way:
There are 30+ hosts in this iRule and VS, I can't put an access policy on the VS without breaking a lot of things.
Don't want to burn an external IP for an app that .01% of the company will use.
Things I've considered:
Set up the Access policy on the VS anyway; the first part of the policy would be to evaluate the iRule referenced above and do nothing unless it's this one specific hostname.
Set up a new VS, then set it up with the access policy and then make a pool of that new VS and go from there. It would flow like ExistingVS -> iRule -> pool -> NewVS_with_AccessPolicy -> AccessPolicy -> ResourceAssignment_to_Actual_Webserver. This one leaves me with a bad taste though.
Did you consider using the ‘virtual’ command? See: https://clouddocs.f5.com/api/irules/virtual.html
This way you can forward the traffic to another virtual server that has the access policy enabled.
- Stanislas_Piro2
Cumulonimbus
Look at this article..
https://community.f5.com/t5/technical-articles/sni-routing-with-big-ip/ta-p/282018
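The `virtual` suggestion above applied to the switch from the question, as an added example that is not from any poster in the thread. The virtual server name `/Common/host3_apm_vs` is a hypothetical placeholder for a second virtual server with the access profile attached; the Host normalization and the `default` branch are additions.

```tcl
# Added example (not from the thread). /Common/host3_apm_vs is a
# hypothetical name for a virtual server that has the access profile
# attached; pool names are the ones used in the question.
when HTTP_REQUEST {
    # Normalize the Host header: lower-case it and drop any :port suffix,
    # so "HOST3.company.local:443" still selects the protected branch.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "host1.company.local" {
            pool host1_pool
        }
        "host2.company.local" {
            pool host2_pool
        }
        "host3.company.local" {
            # Hand the connection to the virtual server that carries the
            # access policy. The policy runs there, and that virtual
            # server's own configuration selects the backend pool.
            virtual /Common/host3_apm_vs
        }
        default {
            # Hostnames not listed above are refused instead of falling
            # through to whatever default pool the general VS may have.
            reject
        }
    }
}
```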