ProxyPass v10/v11

Problem this snippet solves: iRule to replace the functionality of Apache Webserver ProxyPass and ProxyPassReverse functions. Allows you to do hostname and path name modifications as HTTP traffic pa...
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
proxy
Ross_Johnson_12's avatar
Ross_Johnson_12
Icon for Nimbostratus rankNimbostratus
Feb 05, 2016

Hi,

 

I've just started using this iRule to move a number of Apache mod_proxy reverse proxies to our F5 HA pair. The first site moved was a simple HTTP clientside to HTTP serverside with no payload rewriting and it worked perfectly as documented. Then I started to see things that could be improved and a few things that didn't work and could be fixed.

 

  1. The static::ProxyPassDebug and static::RewriteResponsePayload are inconvenient when the iRule is used by multiple virtual servers, so I've localised these for each virtual server in a new Data Group "ProxyPassOptionsVIRTUAL".

     

  2. We offload SSL to some of our proxies so I found the request header and referer rewriting wasn't rewriting the protocol, resulting in the browser getting connection errors at least, I think, unless the virtual server accepts both HTTP and HTTPS in which case the iRule appears to trap the unchanged protocol in the new request and rewrites and redirects it back to itself. I have fixed this by inferring the serverside protocol for each pool from the ProxyPassSSLProfile information if it exists. There are a couple of assumptions/requirements supporting this method:

     

a. If any pool, default or alternative, requires SSL it must have a server profile entry in this data group.

 

b. The clientside protocol is detected via the CLIENTSSL_HANDSHAKE event.

 

  1. Payload rewriting doesn't rewrite the protocol. I have fixed this also following from (2).

     

  2. I think payload rewriting is incomplete if it only rewrites matching the current request URL components. That is, currently for a request rewrite e.g. "; to ";, the response payload will reverse only this URL. If the payload includes other absolute URLs e.g. ";, this will be missed. So the iRule needs to be modified to rewrite just the "protocol://host_serverside" part for all URLs starting with that string, but it also needs to rewrite any path components that start with any path component in "ProxyPassVIRTUAL" that match the serverside host. For example, given the following "ProxyPathVIRTUAL":

     

"; := "backend.internal/other/path" "; := "backend.internal/yet/another/path"

 

Given a request ";, all of the following rewrites need to occur if found in the response payload:

 

"; -> "; "; -> "; "; -> "; "/other/path" -> "/some/path" "/yet/another/path" -> "/some/other/path"

 

I haven't implemented (4) yet but I'm happy to provide the modified iRule code when I have if someone can tell me how I can upload it. I don't have any dev points to upload it directly and I tried posting mods (1), (2) and (3) to the iRules forum but exceeded the word count and was rejected.

 

Regards.