For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

ProxyPass Lite

Problem this snippet solves:

This iRule implements a limited subset of the full ProxyPassV10 iRule:

  1. Rewrites the host header in requests to an internal hostname
  2. Rewrites response redirects from the internal hostname to the external hostname
  3. Rewrites instances of the internal hostname in response payloads to the external hostname

It does not:

  1. Rewrite cookie domains, any other response headers, etc

Code :

# ProxyPass Lite:
#
# This iRule implements a limited subset of the full ProxyPassV0 iRule:
# - Rewrites the host header in requests to an internal hostname
# - Rewrites response redirects from the internal hostname to the external hostname
# - Rewrites instances of the internal hostname in response payloads to the external hostname
#
# It does not:
# - Rewrite cookie domains, any other response headers, etc
#
# LTM configuration object requirements:
#
# - The virtual server must have an HTTP profile configured with response chunking set to rechunk
# - The virtual server must have a blank STREAM profile configured
# - The virtual server must have a default pool configured
#
# iRule configuration requirements:
#
# - Debug can be enabled/disabled in the RULE_INIT event by setting static::rewrite_debug to 1 or 0 respectively.
# - Outside the RULE_INIT section, no other changes should need to be made.

when RULE_INIT {

   # Log debug messages to /var/log/ltm? 1=yes, 0=no
   set static::rewrite_debug 1

   # External hostname for the web application
   set static::external "www.external.com"

   # Internal hostname for the web application
   set static::internal "myinternal.app.local"
}
when HTTP_REQUEST {

   if {$static::rewrite_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP request to [HTTP::host][HTTP::uri]"}

   # Prevent the server from sending compressed responses as LTM does not decompress them
   HTTP::header remove "Accept-Encoding"
   if {$static::rewrite_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Removing Accept-Encoding request header"}

   # Replace host header with the internal name
   HTTP::header replace Host $static::internal

   # Disable the stream filter for non-text responses
   STREAM::disable
}
when HTTP_RESPONSE {

   # Rewrite Location header value in HTTP redirects if it contains the $static::internal string
   if {[HTTP::is_redirect] && [string tolower [HTTP::header "Location"]] contains $static::internal}{

      # Replace $static::internal with $static::external in Location header value
      HTTP::header replace Location [string map "$static::internal $static::external" [HTTP::header Location]]

      if {$static::rewrite_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Updated location from [HTTP::header Location]\
         to [string map "$static::internal $static::external" [HTTP::header Location]]"}
   }

   # Rewrite the response body if the response type is text
   if { [HTTP::header "Content-Type"] starts_with "text/" } {

      # Configure the find/replace strings
      STREAM::expression "@$static::internal@$static::external@"

      # Enable the stream filter
      STREAM::enable

      if {$static::rewrite_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Enabled stream filter for $static::internal -> $static::external"}
   }
}
Published Mar 18, 2015
Version 1.0
devops
iRules
No CommentsBe the first to comment