Mark_Vogel
Aug 07, 2020

iRule to have different client-side URIs use different server side tcp ports

We've got a pair of web servers with identical configs that will be hosting several (same) websites, and each site on the web server uses a different port (82-86). What the web admins would like is for a user to enter https://mysite.company.com in their browser and on the server side that needs to hit the web server as https://mysite.company.com:82 (but the client is NOT to see the :82). Then https://mysite.company.com/Food (client side) needs to hit the web server as https://mysite.company.com:83/Food.

 

It seems to be that a redirect is not what's wanted here because we don't want to redirect the client to the :8x URL. We want to rewrite in some way. I'm not sure how to accomplish this. Any suggestions are greatly appreciated!

3 Replies

  • I think this is something which can be achieved using an LTM policy as well as iRules. But I would recommend you use an LTM policy here. As per your requirement, you can match the host/URI and route traffic to the specific pool.

    Now as you have backend servers listening on different services, create separate pools for each service. Map it properly to the desired pool under action tab. Below snap will give some idea about the LTM policy statements. Accordingly you can write multiple conditions and route the traffic.

    Also if you want to use an iRule, your iRule will be like the one given below. I have just given one example here. You can write similar statements as required using if and else-if statements.

     

    when HTTP_REQUEST {
        # Send requests whose URI contains "Food" to the pool for that site
        if { [HTTP::uri] contains "Food" } {
            pool Food_Pool
        }
    }

     

    Coming to the point where the client should not be able to see the internal application port, e.g. 82, 83: here you need to have a virtual server listening on http and/https services. Once a client request hits the http/https VS, it will be forwarded to the backend mapped pool member which is pointed to the application port. So in this case, the client won't be able to see the actual application port/service. The client will see only the application URL like https://mysite.company.com/Food

    Hope it helps!

    Mayur

  • Hi Mayur. This sounds like exactly what I want but the LTM policy doesn't seem to work. I built it out like you described but when I try the page in chrome I just get "This site can't be reached", "The connection was reset." IE gives the good old "Can't reach this page." I can see that it's hitting the F5 VIP in the stats but it's not actually maintaining an active connection.

     

    When I first applied the policy above, the F5 forced me to set the HTTP profile to an explicit HTTP profile, and that profile had to have a "DNS Resolver" specified, which I just created. I'm not fully clear on what that's for.

     

    Note that I'm terminating the VS itself on 443 and it should be presenting one of our certs. When playing around with a slew of iRules last week I actually got it to the point where it actually seemed like the connection was going through to the server but the content of the page was severely messed up.

     

    I tried the iRule you have above and again, it seems to get through to the server but I get a runtime error this time which looks like it's from the web server. I think it's because the web server is actually trying to redirect and switch up the URI upon first connection. I'm going to dig in with the web developer some on this part.

     

    If you have any further suggestions on getting the policies to work, I'd love to make that function. Seems the cleanest to understand.

  • Hi Mark, you need to have an http profile on the virtual server as it is going to process http traffic, and with this the F5 actually acts as a proxy here. You can use the default http profile.

     

    One more point to verify. What is the default gateway of your web server? If it's not the F5, please make sure the SNAT setting on the virtual server is enabled.

     

    Mayur
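
The pool-per-port routing discussed in this thread, as an added iRule example that is not part of any post above. It matches on the path only and also strips a backend port from redirects, which is the behaviour Mark suspected from the web server. The pool names are hypothetical, and the virtual server is assumed to have an HTTP profile plus client and server SSL profiles, since the backends are reached over HTTPS.

```tcl
# Added example, not from the thread. Pool names are hypothetical; each pool
# holds both web servers on a single backend port.
when HTTP_REQUEST {
    # Match on the path only, so a query string such as ?q=Food cannot
    # steer a request for another site into the Food pool.
    switch -glob -- [string tolower [HTTP::path]] {
        "/food" -
        "/food/*" {
            pool pool_web_83    ;# members: web1:83, web2:83
        }
        default {
            pool pool_web_82    ;# members: web1:82, web2:82
        }
    }
}

when HTTP_RESPONSE {
    # If the web server redirects to its own listener, for example
    # https://mysite.company.com:83/Food/, drop the :82-:86 port so the
    # client is never sent to a backend port it cannot reach.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        if { [regsub {^(https?://[^/:]+):8[2-6](/|$)} $loc {\1\2} newloc] } {
            HTTP::header replace Location $newloc
        }
    }
}
```

Further sites on ports 84-86 follow the same pattern with one more `switch` arm and pool each.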