Forum Discussion
epaalx
Cirrus
CirrusWishing to use F5 LTM as HTTP NAT
I have a requirement to bypass normal security measures for servers seeking license and/or updates.
Below is the simplified version of network.
As per security requirements, Router R1 will only forward traffic to destinations matching predefined F5's Virtual Server address space - all other traffic will be dropped.
My idea is to ask Server owners to insert a cookie into HTTP Request specifying real destination IP but send traffic to VS on Border F5. Ideally, Border F5 VS's iRule would then retrieve that cookie, overwriting HTTP/1.1's HOST header and forward packets to that real destination.
My issue is - as far as I know, VS's iRule can only select from existing pools composed of static members which I can't possibly know before the HTTP Requests arrives - I can't create a pool dynamically (although, I am nor sure how
LB::selectAny ideas?
4 Replies
MITUSER_21710Nimbostratus
Why dont you add the forwarding virtual server rather than a load balancing virtual server and match the irule. Forwarding virtual server will forward the packet based on the routing table and will send to the default gw.
epaalxThanks... The issue is with the Router R1 - as I wrote, it will only forward traffic to destinations matching predefined (Border) F5's Virtual Server address space - all other traffic will be dropped.- nitass
Employee
My issue is - as far as I know, VS's iRule can only select from existing pools composed of static members which I can't possibly know before the HTTP Requests arrives - I can't create a pool dynamically (although, I am nor sure how LB::select actually works).
u may use RESOLV::lookup to do name resolution on-the-fly and use node command to send traffic to the destination.
RESOLV::lookup
http://devcentral.f5.com/wiki/iRules.resolv__lookup.ashx
cheer! - epaalx> use node command
That's what I was looking for... Thanks!
