URL Rewrite without Redirect

Hey Aaron,

 

 

thanks again for you detailed support. I've tried this solution again, and the advise with httpfox is brilliant.

 

 

So even with this iRule, it just won't work. I keep on getting these empty pages. The httpfox just entires one row:

 

 

 

00:00:08.2510.39040119GET200text/plainhttp://webservice.xxx.xx/WebService

 

 

Thats all...

 

 

We've checked the external firewall, and the ports 80 443 are open, so this shouldn't be an issue.

 

 

Now, there comes the crazy part:

 

 

when HTTP_REQUEST {

 

if { [HTTP::uri] equals "/WebService/" } {

 

HTTP::redirect "http://ihstestweb.xxx.xx:1234[HTTP::uri]"

 

}

 

}

 

 

works perfectly, but has the bad sideeffect, that a redirect is happening (which I don't want, the url bar shoudl be untouched).

 

 

I've haven't mentioned before, but maybe this is important:

 

ihstestweb is also a virtual host on the same loadbalancer, which is simply forwarding * ouside to * inside. On the inside interface, are two webservers, with an common vhost entry which is listening the name ihstestweb. I don't think, that this is could be an issue, but I wanted just to mention it.

 

 

 

 

Hey RG,

 

 

thx again for the support!

 

 

But here comes a third problem. We're going to have many apps/portals. So I would need a official ip for every entry... we wouldn't have enough of them for this kind of solution, but the idea is great! Poorly, this won't work here...

 

 

Posted By rglaue on 02/19/2009 6:21 AM

 

 

...But this won't work I think, because the Client would "see" the change... there is an reconnect happening, or am I wrong? ....

 

 

 

This is similar to how we do it.

 

The client does not see the change.

 

The client types in https://www.mysite.com

 

The BigIP answers with an SSL Certificate and SSL Connection

 

The iRule sees the Host header as "www.mysite.com"

 

The iRule issues the command "pool mysite.com_pool"

 

In the "mysite.com_pool" is a set of nodes:

 

server1.mysite.com:55011

 

server1.mysite.com:55012

 

server2.mysite.com:23543

 

server3.mysite.com:4002

 

the "pool" command causes the request to get forwarded to one of the 4 nodes in the mysite.com_pool

 

The chosen node receives the request, processes it, and sends it back to the BigIP.

 

The BigIP forwards the request back to the original user.

 

Also in this scenerio, the web server sees the request as coming from the original web user, and not from the BigIP. In other words, the Access logs show the web user's IP address for the request (not the BigIP IP address).

 

-RG

 

 

Some additional information (equal to the httpfox reply):

 

 

[123@456 ~] curl webservice.xxx.xx/webservice

 

curl: (52) Empty reply from server

 

 

 

I know you mentioned you don't want redirect, and replace should work.

 

where do you apply the irule? common or on the vs?

Just on the webservice.xxx.xx vhost.

 

 

Posted By lmwf1 on 02/19/2009 9:31 AM

 

I know you mentioned you don't want redirect, and replace should work.

 

where do you apply the irule? common or on the vs?

 

 

What rule are you testing now? When you get no response from the VIP, do you see a TCL error logged in /var/log/ltm?

 

 

Aaron

Okay, well perhaps I don't have enough information, because from what I understand what you are doing my suggestion will work.

 

 

I have used Apache ProxyPass before, and the solution I suggest on the BigIP produces the same results for me.

 

 

We use private IPs for the physical backend machines.

 

We assign every one of our 129 (I just counted them) Projects Sites a different (unique) port number. Each project has 1 to 5 webapps. And they are duplicated across 5 physical machines in our web farm.

 

 

So this ends up being 129 x 5 = 640 application instances, each with up to 5 webapps.

 

 

So we have one VIP answering on one real IP number for all Non-SSL domains. And based on the domain format, URL and whatever criteria, we forward (ProxyPass) the request to the appropriate physical machine and port number to get processed and answered.

 

 

The answered request gets sent back to the BigIP (just like Apache ProxyPass), the event HTTP_RESPONSE is executed in the iRules, and the result is sent back to the web user.

 

 

As far as the web user knows, they hit one single web server to be served their requests.

 

 

-RG

 

 

 

Posted By delvinadm on 02/19/2009 9:09 AM

 

Hey RG,

 

thx again for the support!

 

But here comes a third problem. We're going to have many apps/portals. So I would need a official ip for every entry... we wouldn't have enough of them for this kind of solution, but the idea is great! Poorly, this won't work here...

 

Posted By rglaue on 02/19/2009 6:21 AM

 

 

...But this won't work I think, because the Client would "see" the change... there is an reconnect happening, or am I wrong? ....

 

 

 

This is similar to how we do it.

 

The client does not see the change.

 

The client types in https://www.mysite.com

 

The BigIP answers with an SSL Certificate and SSL Connection

 

The iRule sees the Host header as "www.mysite.com"

 

The iRule issues the command "pool mysite.com_pool"

 

In the "mysite.com_pool" is a set of nodes:

 

server1.mysite.com:55011

 

server1.mysite.com:55012

 

server2.mysite.com:23543

 

server3.mysite.com:4002

 

the "pool" command causes the request to get forwarded to one of the 4 nodes in the mysite.com_pool

 

The chosen node receives the request, processes it, and sends it back to the BigIP.

 

The BigIP forwards the request back to the original user.

 

Also in this scenerio, the web server sees the request as coming from the original web user, and not from the BigIP. In other words, the Access logs show the web user's IP address for the request (not the BigIP IP address).

 

-RG

 

 

 

 

Hey Aaron,

 

 

I'm now working on these iRules you posted. They are very similar to the other user suggestions... but now I think there must be a general problem. Why does this whole connect stop after the /GET.

 

The tcl and ltm logs are just empty with zero bytes... how can that be?

 

 

Posted By hoolio on 02/19/2009 10:10 AM

 

What rule are you testing now? When you get no response from the VIP, do you see a TCL error logged in /var/log/ltm?

 

Aaron

 

 

Hy RG,

 

 

wow, that's huge on you side!

 

So the functionality is exactly, as we used it before. But I don't get it from your iRule, how you do the URI switch. Only in this example, the URI was the same on both sides...

 

 

I've tried out using your iRule, but there seems to be something wrong:

 

 

01070151:3: Rule [loadBalancingiRule] error:

 

line 1: [undefined procedure: rule] [rule loadBalancingiRule {

 

when HTTP_REQUEST {

 

set http_host [string trim [getfield [HTTP::host] ":" 1]]

 

set http_host [string tolower $http_host]

 

if { $http_host equals "webservice.xxx.xx" } {

 

pool ihstestweb

 

return

 

} else {

 

HTTP::respond 404 content {

 

 

 

 

Not Found

 

 

 

 

}

 

}

 

}

 

}]

 

 

 

 

 

But thank you so far for your support!

 

 

 

 

 

Posted By rglaue on 02/19/2009 11:57 AM

 

Okay, well perhaps I don't have enough information, because from what I understand what you are doing my suggestion will work.

 

I have used Apache ProxyPass before, and the solution I suggest on the BigIP produces the same results for me.

 

We use private IPs for the physical backend machines.

 

We assign every one of our 129 (I just counted them) Projects Sites a different (unique) port number. Each project has 1 to 5 webapps. And they are duplicated across 5 physical machines in our web farm.

 

So this ends up being 129 x 5 = 640 application instances, each with up to 5 webapps.

 

So we have one VIP answering on one real IP number for all Non-SSL domains. And based on the domain format, URL and whatever criteria, we forward (ProxyPass) the request to the appropriate physical machine and port number to get processed and answered.

 

The answered request gets sent back to the BigIP (just like Apache ProxyPass), the event HTTP_RESPONSE is executed in the iRules, and the result is sent back to the web user.

 

As far as the web user knows, they hit one single web server to be served their requests.

 

-RG

 

Posted By delvinadm on 02/19/2009 9:09 AM

 

Hey RG,

 

thx again for the support!

 

But here comes a third problem. We're going to have many apps/portals. So I would need a official ip for every entry... we wouldn't have enough of them for this kind of solution, but the idea is great! Poorly, this won't work here...

 

Posted By rglaue on 02/19/2009 6:21 AM

 

 

...But this won't work I think, because the Client would "see" the change... there is an reconnect happening, or am I wrong? ....

 

 

 

This is similar to how we do it.

 

The client does not see the change.

 

The client types in https://www.mysite.com

 

The BigIP answers with an SSL Certificate and SSL Connection

 

The iRule sees the Host header as "www.mysite.com"

 

The iRule issues the command "pool mysite.com_pool"

 

In the "mysite.com_pool" is a set of nodes:

 

server1.mysite.com:55011

 

server1.mysite.com:55012

 

server2.mysite.com:23543

 

server3.mysite.com:4002

 

the "pool" command causes the request to get forwarded to one of the 4 nodes in the mysite.com_pool

 

The chosen node receives the request, processes it, and sends it back to the BigIP.

 

The BigIP forwards the request back to the original user.

 

Also in this scenerio, the web server sees the request as coming from the original web user, and not from the BigIP. In other words, the Access logs show the web user's IP address for the request (not the BigIP IP address).

 

-RG

 

 

 

 

 

 

I updated the examples in this post (Click here) to fix a typo and add some debug logging. Can you update the rule you're testing and see if you see any log output in /var/log/ltm?

 

 

Also, if you're adding a rule via the GUI, you need to remove the rule definition lines as the GUI adds this for you. So remove the first line:

 

 

rule loadBalancingiRule {

 

 

And the last matching curly brace } at the end.

 

 

Aaron