Irule direct traffic to external site

JohnMoody · ‎28-Mar-2022

Traffic arrives at an existing VIP www.mycompany.com/pay1

When the URI is pay1, I have to send a connection to an external web site

"*pay1" {
set dest_host [RESOLV::lookup @8.8.8.8 "www.externalsite.com"]
}
HTTP::uri "/merchant.jsp"

}

HTTP::header replace host $dest_host
node $dest_host 443

External site recently changed their process to no longer allow IP address connections, the issue
is that I cannot figure out how to forward the required traffic to the external site via the irule.

I think that this is how the F5 is sending the external traffic, and this gives me an error.

curl --header 'Host: www.externalsite.com' https://192.168.1.1/merchant.jsp

THis works as expected via curl

curl -kv https://www.externalsite.com/merchant.jsp

Any bright ideas how to modify the irule to allow the connection as per the bottom section?

Tried this and it didn't work

HTTP::header replace host www.externalsite.com
node $dest_host 443

do not want to hardcode the IP's in the irule.

MaximP · ‎30-Mar-2022

I think that this is how the F5 is sending the external traffic, and this gives me an error.
curl --header 'Host: www.externalsite.com' https://192.168.1.1/merchant.jsp

What kind of error do you receive?

I guess you have to provide hostname not only in host header but in TLS SNI field too. SNI extention allows server to show proper certificate depends on target hostname.

Here you can find the IRULE to inject SNI into server-side connection https://support.f5.com/csp/article/K41600007

DevCentral

Irule direct traffic to external site

Khoros Kudos Award 2022