xforwading rule
I have a VIP setup, and enabled automap as the DGW of the servers is not F5; have fastl4 profile configured.
Trying to get both HTTP and HTTPS traffic to pass through the VIP.
when HTTP_REQUEST {
    if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
    }
}
Need assistance to add X-Forwarded-For in the above iRule:
HTTP::header insert "X-Forwarded-For" [IP::client_addr]
when HTTP_REQUEST { if { [HTTP::method] eq "CONNECT" } { HTTP::disable } else { if { [HTTP::header insert "X-Forwarded-For" [IP::client_addr] ] } } }
Below is the error I am getting:
6: error: [missing a script after "if"][]
9 Replies
- kunjan
Nimbostratus
Try this
when HTTP_REQUEST {
    if { [HTTP::method] eq "CONNECT" } {
        HTTP::disable
    } else {
        HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    }
}
- sandiksk_35282
Altostratus
Kunjan, thanks for your response. But I changed my proxy VIP from fastl4 profile to http profile and added this iRule. Now when I change my proxy to point to the VIP on port 8080,
I am getting secure connection failed.
- kunjan
Nimbostratus
If it's an SSL request, you have to add "SSL Profile (Client)" and also the "SSL Profile (Server)".
- sandiksk_35282
Altostratus
It is all internet traffic, so it might be HTTP or HTTPS. SSL offload is not performed on the F5, and also backend pool members have is very limited for https traffic
- sandiksk_35282
Altostratus
I created VIP type as performance (layer4)
Protocol : All protocols
Protocol Profile (Client) : fastl4
Source Address Translation : Automap
Persistence : source address
VLAN and tunnel traffic : ALL VLANs
In order for me to add the iRule, I need to change the profile type to either http or fasthttp, but it is breaking the connections.
Please let me know your inputs.
- THi
Nimbostratus
If you are not doing ssl offload, you cannot use L7 iRules for the ssl traffic - like the one above.
Are you intending to use the same virtual server for both unencrypted and encrypted traffic? That would make the virtual server iRule a bit complicated as you have to detect ssl handshake to distinguish between those two traffic types. Anyway, if you want to do anything on Layer 7 (like the XFF insertion) for the ssl traffic, you must terminate SSL on the BIG-IP, so open up the encryption. You can then re-encrypt towards the backend servers.
Is it possible to use two virtual servers, same IP, different ports, one for unencrypted and the other for encrypted traffic? Keep in mind that the virtual server is a combination of IP and port, typically port 80 for plain text http and 443 for ssl. You can tie the same iRule to both.
Or are you intending to use BIG-IP as a proxy server (as you are looking for the CONNECT method)? So converting the traffic to tunnel the ssl through?
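The distinction drawn in the reply above, as an added example that is not part of the thread and is not BIG-IP or iRule code: a Python model of a single listener that receives plain HTTP, HTTP CONNECT and raw TLS, and can insert X-Forwarded-For only for the first. The function names, sample bytes and the address 192.0.2.10 are constructed for illustration.

```python
# Added example: a model of one listener that receives plain HTTP,
# HTTP CONNECT and raw TLS. Illustrative Python, not BIG-IP or iRule code.

TLS_HANDSHAKE = 0x16  # TLS record content type of a ClientHello record

# Constructed sample inputs (not captured traffic).
PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Forwarded-For: 1.2.3.4\r\n\r\n"
CONNECT = b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n"
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'connect', 'http' or 'unknown' for the first client bytes."""
    if len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE and first_bytes[1] == 0x03:
        return "tls"  # record header: type 0x16, major version 3
    parts = first_bytes.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "connect" if parts[0] == b"CONNECT" else "http"
    return "unknown"


def forward(request: bytes, client_addr: str) -> bytes:
    """Insert X-Forwarded-For only when the request headers are readable."""
    if classify(request) != "http":
        # TLS records are opaque without termination, and a CONNECT request
        # opens a tunnel (the thread's iRule calls HTTP::disable here), so
        # the bytes pass through unchanged and no header can be added.
        return request
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Design choice of this example (the thread's iRule only inserts): drop a
    # client-supplied X-Forwarded-For so the backend sees the proxy's value.
    kept = [lines[0]] + [
        h for h in lines[1:] if not h.lower().startswith(b"x-forwarded-for:")
    ]
    kept.append(b"X-Forwarded-For: " + client_addr.encode("ascii"))
    return b"\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for name, data in (("plain", PLAIN), ("connect", CONNECT), ("tls", CLIENT_HELLO)):
        print(name, classify(data), forward(data, "192.0.2.10") != data)
```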
- sandiksk_35282
Altostratus
If I create 2 virtual servers, same IP, different ports,
then for HTTP traffic I can use type as : standard
Protocol : tcp
Protocol Profile : http (enable X-Forwarded-For)
Source Address Translation : Automap
Persistence : source address
VLAN and tunnel traffic : ALL VLANs
When I changed back my setting to the above, all my HTTP connections through the proxy also broke.