10-Jun-2021 10:05
I have a scenario where I want to split traffic to a server from our VPN tunnel by fronting it with a VIP that has an IP address that will stay public.
A simple iRule to replace the vanity hostname with the actual hostname seems to work fine:
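when HTTP_REQUEST {
    # The backend expects its real name in the Host header.
    HTTP::header replace "Host" "actual.host.name"
}
when HTTP_RESPONSE {
    # Only rewrite redirects; "replace" would otherwise add an empty
    # Location header to responses that do not carry one.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" [string map -nocase { "actual.host.name" "vanity.host.name" } [HTTP::header value "Location"]]
    }
}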
The pool is actual.ip.address:8445
The problem is there are redirects happening on the server that go to port 8444 for authentication then back to port 8445. So when I enter my credentials the traffic goes into a black hole. Any suggestions on the best way to handle this? Is it even possible? This is currently set up with just a vanity URL that does a simple redirect. The actual hostname has a private IP address, which is why the VPN is required. There are other services running on this server so I just can't make it public. Any and all help would be greatly appreciated.
13-Jun-2021 16:13
Create a second virtual on port 8444 for authentication and use the same iRule to translate the hostname in requests/responses.
14-Jun-2021 05:38
No luck, Simon. I was thinking of capturing the port and sending it to the appropriate pool. I'm just not sure what port variable I'm supposed to check.
14-Jun-2021 06:11
After digging into the source, I believe the problem might be embedded code with the host name hardcoded. So your method may still work if I can replace the value in the code as well.
14-Jun-2021 06:56
I was able to replace the hardcoded values using STREAM, but it appears there is some backend JavaScript that is throwing a security error. I'm not sure where to go from here. I appreciate your help! Thank you!
14-Jun-2021 14:33
That's where you need to start conversing with the Application Team, and getting them to include the public FQDN in the security headers/security controls.
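The approach discussed in the replies above (one virtual server per backend port, the same hostname translation on both, and STREAM for hostnames embedded in response bodies), combined into a single iRule. This is an added example, not code posted by anyone in the thread. It assumes each virtual server (8445 and 8444) has an HTTP profile, a stream profile, and its own pool pointing at the matching backend port.

```tcl
# Added example: attach the same iRule to both virtual servers
# (8445 for the application, 8444 for authentication).
when HTTP_REQUEST {
    # Stream rewriting is decided per response, so keep it off by default.
    STREAM::disable
    # Ask the server for uncompressed bodies so the stream filter can match text.
    HTTP::header remove "Accept-Encoding"
    # The backend expects its real name in the Host header.
    HTTP::header replace "Host" "actual.host.name"
}
when HTTP_RESPONSE {
    # Rewrite redirects. Only the hostname is mapped; a :8444 or :8445 port in
    # the URL is left untouched, so the client follows the redirect to the
    # virtual server listening on that port.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" [string map -nocase {"actual.host.name" "vanity.host.name"} [HTTP::header value "Location"]]
    }
    # Rewrite hostnames hardcoded in HTML, CSS and JavaScript bodies only;
    # binary content is passed through unmodified.
    set ctype [HTTP::header value "Content-Type"]
    if { ($ctype starts_with "text/") or ($ctype contains "javascript") } {
        STREAM::expression {@actual.host.name@vanity.host.name@}
        STREAM::enable
    }
}
```

Rewriting at the proxy only changes what the client sees; origin checks enforced by the application itself still need the public name added on the server side, as the last reply says.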