cancel
Showing results for 
Search instead for 
Did you mean: 

How to Forward traffic via F5

RAQS
Cirrus
Cirrus

Hi Team,

I need to forwrad tha traffic based on URI  from one domain to another and this should not visible in browser.

For ex:- When user hit "https://api-q.abc.com:443/lontools-java" then F5 should forward the traffic to " https://cp.api.us01a.xyz.com/qiontools-java" and user should not able to see this change in URL in browser. For user it will remain same as "https://api-q.abc.com:443/lontools-java".

Regards,
RAQS

1 ACCEPTED SOLUTION

Hello RAQS,

Sorry for the late response, but I'm on holiday.

Taking into account your backend server is outside of your network (in Cloud), these are your chances:

1. Using redirection.

----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<-- 302 Redirect (https://cp.api.us01a.xyz.com...)--|        |
----------                                                    |--------|
|--------|                                                    |--------|
| Client |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

The redirection will occur transparently for the client, but the URL in the browser will change. 

2. Using rewrite profile ( + policy for selecting a different pool)

----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<---------------------- 200 OK ---------------------|        |
----------                                                    |--------|
|--------|                                                    |--------|
| F5     |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

The F5 will receive the query from the client and will replace the host header and URI. This implies that F5 has to reach the cloud server in order to serve the service.

If this resource requires to use of a different backend server different than the default one, you can configure a policy to change the pool (to your Cloud Server) when the URL matches "https://api-q.abc.com:443/lontools-java".

3. Using iRules (not so efficient as point 2, but also feasible)

when HTTP_REQUEST {
	if { [HTTP::host] eq "api-q.abc.com"}{
		if { [HTTP::uri] contains "lontools-java"} {
			HTTP::header replace Host "cp.api.us01a.xyz.com"
			HTTP::uri "/qiontools-java"
			pool test_pool
		}
	}
}

Using the previous iRule, the host header, the URI, and the pool will change when the condition matches.

This is simple to configure and test, but take into account that only the request packet will be replaced, if you need to modify some of the content of the cloud server, you will need to use a rewrite profile (or dig into the payload using iRules).

If this was helpful, please, don't forget to rate my answer as resolved or gimme some upvotes.

 

Regards,
Dario.

View solution in original post

13 REPLIES 13

Hello RAQS,

You can get this using a rewrite profile
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-12-1-0/17.h...

 

Regards,
Dario.

Hi Dario,

Thanks for replying. Is it tested solution or do i need to test it ?

Regards,

RAQS

Hi Dario,

I tried this but its not working. Can you please help me to get the solution.

 

Regards,

RAQS

RAQS
Cirrus
Cirrus

Hi Dario/All,

Do we have anything as HTTP :: Forward in F5 instaed of redirect.

If so what will be the difference between forward and redirect of a URL.

Please help me in acheiving this.

 

Regards,

RAQS

Hello RAQS.

There are many examples of dealing with reverse proxy solutions in DC.
For example, with iRule you can do something like this:
https://community.f5.com/t5/technical-forum/simple-reverse-proxy-with-irules/m-p/226860

But take into account that, depending on your application, you could need to replace the hostname in the REQUEST and the RESPONSE (location header). That's the reason I prefer to use a rewrite profile instead.

 

Regards,
Dario.

Thanks for your time and Parience Dario. So i applied http rewrite policy, but when i apply it site goes down.

There are some dynamic values in URI. Is that making any differences ?

 

Regards,

Raqs

Hello RAQS. 

It's hard to know what is failing because each website is completely different.

Your chance is to use iRules to troubleshoot what is being rewritten and what not.

Capturing traffic with tcpdump + decrypting ssl (https://support.f5.com/csp/article/K12783074) is always a great deal.

 

Regards,
Dario.

Hi Dario,

Really appreciate your time and patience with me. Thanks for all your effort. I took capture and what i oserved that F5 is rewriting host but it is communicating to backend member instead of redirecting. 

WIth Irule it is not communicating with backend member. 

Note :- Rediected URL is not hosted in F5. Its in AWS.

Do i need to do some modifucation in rewrite policy or this can not be possible with F5 ?

Hello RAQS. 

I think you are mixing concepts. 

  • Redirecting (302 response) - it points the client to a new website, this access is not masked, the client will see the new URL in him/her browser. 
  • Rewriting (200 response) - the F5 manage both flows of the connection and the access is completely masked.

 

Regards,
Dario.

Hi Dario,

 

Yeah i understand the difference between two concepts. May be i am not able to express my query in narritive way. let me give another try. 

user hit "https://api-q.abc.com:443/lontools-java" then F5 should forward the traffic to " https://cp.api.us01a.xyz.com/qiontools-java" and user should not able to see this change in URL in browser. For user it will remain same as "https://api-q.abc.com:443/lontools-java".

with "rewrite" option it seems cp.api.us01a.xyz.com need to be on default pool of LB VIP. But here the situtaion is that this URL is hosted on Cloud. So i am using below iRule to get this done.

when HTTP_REQUEST {
if { [HTTP::host] eq"api-q.abc.com"}{
if { [HTTP::uri] contains "lontools-java/"} {
HTTP::header replace Host "cp.api.us01a.xyz.com[HTTP::uri]"
pool test_pool
}

}
}
In test_pool, i have defined the IP of URL "cp.api.us01a.xyz.com" and made the connectivity between self ip and IP of new URL (cp.api.us01a.xyz.com). Do you think will this work ? I am yet to test as need couple of approval to allow F5 to communicate with Cloud , tough it doesnt seems to best pratice to me.

 

Regards,

RAQS

Hi Dario,

Did you get chance to look above explanation. It will be very helpful for me to get this done. I really appreacite your time and dedication so far.

Regards,

RAQS

Hi Dario/Team,

Can you please help me and correct if my suggested solution is correct or not.

Regards,

RAQS

Hello RAQS,

Sorry for the late response, but I'm on holiday.

Taking into account your backend server is outside of your network (in Cloud), these are your chances:

1. Using redirection.

----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<-- 302 Redirect (https://cp.api.us01a.xyz.com...)--|        |
----------                                                    |--------|
|--------|                                                    |--------|
| Client |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

The redirection will occur transparently for the client, but the URL in the browser will change. 

2. Using rewrite profile ( + policy for selecting a different pool)

----------                                                    |--------|
| Client |---------- GET https://api-q.abc.com... ----------->|   F5   |
|        |<---------------------- 200 OK ---------------------|        |
----------                                                    |--------|
|--------|                                                    |--------|
| F5     |------- GET https://cp.api.us01a.xyz.com... ------->| Cloud  |
|        |<---------------------- 200 OK ---------------------| Server |
|--------|                                                    |--------|

The F5 will receive the query from the client and will replace the host header and URI. This implies that F5 has to reach the cloud server in order to serve the service.

If this resource requires to use of a different backend server different than the default one, you can configure a policy to change the pool (to your Cloud Server) when the URL matches "https://api-q.abc.com:443/lontools-java".

3. Using iRules (not so efficient as point 2, but also feasible)

when HTTP_REQUEST {
	if { [HTTP::host] eq "api-q.abc.com"}{
		if { [HTTP::uri] contains "lontools-java"} {
			HTTP::header replace Host "cp.api.us01a.xyz.com"
			HTTP::uri "/qiontools-java"
			pool test_pool
		}
	}
}

Using the previous iRule, the host header, the URI, and the pool will change when the condition matches.

This is simple to configure and test, but take into account that only the request packet will be replaced, if you need to modify some of the content of the cloud server, you will need to use a rewrite profile (or dig into the payload using iRules).

If this was helpful, please, don't forget to rate my answer as resolved or gimme some upvotes.

 

Regards,
Dario.