Check code for ordering of events and accuracy
Hi Everyone,
Can someone please check the code below to ensure we are doing the correct things for accuracy...
Objective: Since all internal users egress out via a FW and through a CDN and back in for site access, we need to check the source egress address of the firewall via the XFF header...So if it does not match this address, we consider the client as "non-internal" users and their traffic needs to be sent to a different pool than the default one tied to the VS.
So the question here is, do we put this matching at the very beginning of this iRule or at the end...We need the other events below to still work for both external and internal users...It's just separating out what web servers they connect to...External users go to pool: EXTERNAL-POOL and internal users go to the pool tied to this VS.
DG-INTERNAL-USERS-XFF = FW external IP since they egress out and back in...we use this to know if the client is internal.
So in this statement, if you are NOT (!) in this group, then your traffic is sent to the "EXTERNAL-POOL" containing servers designated for external users...But if you match the FW IP defined in the "DG-INTERNAL-USERS-XFF" you get sent to the default pool (pool with different web servers than for external users) tied to this VIP...we want all the URI matching events below to still work regardless of whether you are internal or external.
Thanks everyone!
when HTTP_REQUEST {
    # First non-empty address in X-Forwarded-For. Internal users egress via the
    # FW and come back in through the CDN, so for them this is the FW external
    # IP (the entry in DG-INTERNAL-USERS-XFF). Assumes the CDN presents that
    # address as the first XFF entry.
    set CHECK_IP [lindex [lsearch -all -inline -not -exact [split [HTTP::header values X-Forwarded-For] "\{\} ,"] {}] 0]
    log local0. "the X-Forwarded-For header value is $CHECK_IP"

    # Decide internal/external once and reuse the result below. "class match"
    # takes "equals" (not "eq") as its operator.
    set INTERNAL [class match $CHECK_IP equals DG-INTERNAL-USERS-XFF]

    # Pool selection comes first and on its own: external users go to
    # EXTERNAL-POOL, internal users keep the default pool tied to the VS.
    # Nothing here returns, so the URI handling below runs for both groups.
    if { !$INTERNAL } {
        pool EXTERNAL-POOL
    }

    # External users are not allowed to reach the URIs in DG-URI-LIST.
    # After reject there is nothing left to do for this request, so return.
    if { !$INTERNAL && [class match [HTTP::uri] equals DG-URI-LIST] } {
        reject
        return
    }

    # Internal users requesting the old Tracker paths are redirected.
    switch -glob [HTTP::uri] {
        "*/app1/abc/portal/Tracker*" -
        "*/app2/cde/Tracker*" -
        "*/app3/wps/portal/CaseTracker*" {
            if { $INTERNAL } {
                # Note: the glob above matches "/app2/cde/Tracker", which does not
                # contain "/app2/Tracker"; confirm this is the string intended.
                if { [HTTP::uri] contains "/app2/Tracker" } {
                    HTTP::redirect "https://[HTTP::host]/new-app2/Tracker"
                } else {
                    HTTP::redirect "https://[HTTP::host]/app1/old/portal/Tracker/"
                }
            }
        }
    }
}
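To check the XFF parsing and the pool decision outside the LTM, here is an added tclsh harness; it is not the poster's iRule and not F5 code. It reproduces the same split/lsearch pipeline on constructed X-Forwarded-For values (203.0.113.10 as the FW egress address, 198.51.100.7 as a CDN hop and 192.0.2.44 as an external client are made-up documentation addresses) and stands in for the DG-INTERNAL-USERS-XFF data group with a plain Tcl list, so it does exact matching only, not the CIDR matching a real address data group also does. It also covers the case where the header is absent, where CHECK_IP is empty and the request lands on EXTERNAL-POOL. Like the iRule, it trusts the first XFF entry, which only holds if the CDN strips any X-Forwarded-For a client sends itself; if the CDN appends to it instead, the last entry is the one the CDN observed.

```tcl
#!/usr/bin/env tclsh
# Constructed offline harness (not the poster's iRule, not F5 code): emulates
# the X-Forwarded-For parsing and the pool decision so they can be checked in
# tclsh before the iRule goes on the VS. The list below stands in for the
# DG-INTERNAL-USERS-XFF data group; the firewall address in it is made up.
set DG_INTERNAL_USERS_XFF {203.0.113.10}

# Same pipeline as the iRule: split every header value on braces, spaces and
# commas, drop empty elements, keep the first address. $values is the Tcl list
# that [HTTP::header values X-Forwarded-For] returns (one element per header).
proc first_xff {values} {
    return [lindex [lsearch -all -inline -not -exact \
        [split $values "\{\} ,"] {}] 0]
}

# Stand-in for [class match $ip equals DG-INTERNAL-USERS-XFF].
# Exact match only; a real address data group would also honour CIDR entries.
proc is_internal {ip} {
    global DG_INTERNAL_USERS_XFF
    return [expr {[lsearch -exact $DG_INTERNAL_USERS_XFF $ip] >= 0}]
}

# Pool decision: internal users stay on the VS default pool, everyone else,
# including requests with no XFF header at all, goes to EXTERNAL-POOL.
proc choose_pool {xff_values} {
    set ip [first_xff $xff_values]
    if {[is_internal $ip]} {
        return "DEFAULT-POOL"
    }
    return "EXTERNAL-POOL"
}

# Constructed header lists covering the cases that matter: one value, one
# value with a CDN hop appended ("a, b"), two separate headers, an external
# client, and no header at all.
foreach {label values} {
    {single value, internal}     {203.0.113.10}
    {CDN appended its own hop}   {{203.0.113.10, 198.51.100.7}}
    {two XFF headers}            {203.0.113.10 198.51.100.7}
    {external client}            {192.0.2.44}
    {header missing}             {}
} {
    puts [format "%-28s first=%-14s pool=%s" $label \
        [first_xff $values] [choose_pool $values]]
}
```

Run it with tclsh; each line prints the address the pipeline extracts and the pool the request would get, which is the quickest way to confirm the header format the CDN actually sends is parsed the way the iRule expects.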