
iRule to mask hostname in browser and send to a different hostname

Mark_Vogel
Nimbostratus

My challenge: All our internal users need to hit a public website (final.destination.org) from the same public IP. No issue here, been doing it for years using an internal VIP that "final.destination.org" resolves to via internal DNS and then SNATs them all to a single public IP that the website uses to identify that it's us, and directs our users to the proper data container in the site (there's no login on their site; they ID and permit based on the incoming public IP).

 

The new development is one of our divisions is breaking out their data on that web platform into a different container at final.destination.org so they need their own custom URL to differentiate from the other users that are using this tried and tested solution. The public site identifies our users by the public IP they see us coming from so I need to get this group of users hitting that website from a different public than the one we've been using. I'm trying to use custom.destination.org for this group of users, which will simply use internal DNS to connect them to a 2nd internal VIP on the F5, which will SNAT those users to a different public IP on our side that the destination in the internet can use to identify these folks, and auto direct them to their custom portal on their site. The kicker is that every web request that hits the final.destination.org website must have final.destination.org in the web request or it won't work. So with this new setup the users are entering custom.destination.org and that's what is showing up at the final web server so it's not being accepted.

 

So basically I have the internal DNS set up for custom.destination.org and that resolves to the new internal VIP, which SNATs the session outbound to a new public IP. However, I need the client's browser to use custom.destination.org and write an iRule that makes the 2nd leg of the connection between the F5 and the destination convert to final.destination.org (while maintaining all URIs of course).

3 REPLIES

Simon_Blakely
F5 Employee

You can do this with Local Traffic Policies - you just need a policy rule to change the Host header:

 

AskF5 | Manual Chapter: Introducing Local Traffic Policies

Mark_Vogel
Nimbostratus

Thank you. I'm trying this but it doesn't appear to be functioning. Another challenge I have is the ultimate destination is HTTPS so I'm trying to figure out how to handle the certificate side of this. I may make custom.destination.org (internal leg) actually custom.ourdomain.com so I can use our wildcard for the initial client SSL termination, then keep trying to figure out how to make the 2nd leg connect with the host header change.

On the server-side SSL profile, you can specify the Server Name option, which sets the SNI header.
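
An iRule form of the Host header rewrite discussed in this thread, as an added example that is not code from any of the posters or from F5. It assumes the new virtual server has an HTTP profile, terminates client TLS and re-encrypts with a server SSL profile whose Server Name is set to final.destination.org; the Location rewrite goes beyond what the thread covers and assumes the site may send absolute redirects.

```tcl
# Added example: present custom.destination.org to the browser while the
# server-side request carries final.destination.org. Hostnames are the ones
# used in the question; the URI is never touched.

when HTTP_REQUEST {
    # Compare on the bare host name: lower-cased, any :port suffix removed.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $req_host eq "custom.destination.org" } {
        # Only the Host header changes; path and query string pass through.
        HTTP::header replace Host "final.destination.org"
    }
}

when HTTP_RESPONSE {
    # Assumption: the origin may answer with absolute redirects that name
    # itself. Map them back so the browser stays on the internal alias and
    # keeps using this virtual server (and therefore this SNAT address).
    if { [HTTP::header exists Location] } {
        set loc [HTTP::header value Location]
        HTTP::header replace Location [string map -nocase \
            {"final.destination.org" "custom.destination.org"} $loc]
    }
}
```

The Host header and the SNI name are set independently: the iRule covers the header inside the HTTP request, while the Server Name on the server SSL profile covers the TLS handshake, and a site that routes on either one needs both to read final.destination.org.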