23-Jun-2022 13:56
I posted last week asking for assistance load balancing WebLogic apps. I received some good responses, but they didn't work. I submitted an F5 support case and was basically told they don't help build new configurations, only fix "broken" ones and I should use professional services. I found some third party WebLogic admin books that suggest load balancers should NOT replace proxies, but be used with them.
So my current issue. I had an existing IIS server using host headers to accept the incoming requests, handle SSL requirements and proxy (forward) HTTP requests to some WebLogic nodes.
I changed DNS and put F5 in front of this (still using a single VIP entry point) to route to the same IIS box then proxy to WebLogic. With this setup I have a few sites (4 out of 11) that seem ok. The rest show infinite loops on the redirects. I've rechecked the IIS config multiple times to make sure the SSL redirects were removed and sites are now HTTP only. The IIS logs seem to show that the traffic actually never gets to the IIS server. I can't seem to figure out how I introduced this redirect. I'm wondering if I need to remove the idea of "host headers" on IIS or F5 or both to get this stable and working.
23-Jun-2022 16:38
I think @KeesvandenBos was trying to help you on the last thread - thought I'd tag him here so he can see your update.
23-Jun-2022 17:20
Are you able to post the configuration of one of your looping virtual servers?
Maybe I can find the issue.
24-Jun-2022 04:54
Hi, are you asking for the iApp or VS on the F5 or the IIS? I suppose I could figure out how to export the full configuration and share it for review. When I was debugging the new setup yesterday I wasn't actually seeing any evidence that the traffic got past the F5. I think my redirect loop might be occurring there. I'm going to try a Wireshark capture this morning on the IIS server to see if I can confirm this.
24-Jun-2022 05:36
Only one of the virtual servers that is redirecting.
Command is list ltm virtual <name of virtual server>
24-Jun-2022 07:49
Thanks for clarifying. I should be clear though, I am using one VS on F5 and a shared IP on IIS to support IP sharing on both devices. My VS looks like this:
ltm virtual IDCFLB.app/IDCFLB_vs {
    app-service /Common/IDCFLB.app/IDCFLB
    creation-time 2022-06-17:09:53:43
    destination 146.142.203.68:https
    ip-protocol tcp
    last-modified-time 2022-06-24:10:25:24
    mask 255.255.255.255
    pool IDCFLB.app/IDCFLB_pool
    profiles {
        IDCFLB.app/IDCFLB_client-ssl {
            context clientside
        }
        IDCFLB.app/IDCFLB_f5-tcp-lan {
            context serverside
        }
        IDCFLB.app/IDCFLB_f5-tcp-wan {
            context clientside
        }
        IDCFLB.app/IDCFLB_http { }
        IDCFLB.app/IDCFLB_oneconnect { }
        IDCFLB.app/IDCFLB_optimized-caching { }
        IDCFLB.app/IDCFLB_wan-optimized-compression { }
    }
    rules {
        IDCF
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        VLAN_203
    }
    vlans-enabled
    vs-index 21
}
The iApp has all the DNS names attached to it and I have an iRule for handling the redirects to URLs that IIS will then proxy to the WebLogic.
I did start my captures on IIS and did find that I missed some of the require SSL settings so at least some of my failed tests are my own stupidity and lack of quality control. I'm still reviewing. However, I'm now questioning this configuration and if it's something that F5 really isn't going to handle well. If I'm forced to request a bunch of new IPs and DNS entries to make this work properly I can abandon this effort and start that approach.
24-Jun-2022 07:51
Could you also show the irule and pool configuration?
24-Jun-2022 08:01
Absolutely. This is the iRule (currently)
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/" } {
        switch -glob [string tolower [HTTP::host]] {
            "idcfdars.bls.gov" { HTTP::redirect "https://idcfdars.bls.gov/ARS" }
            "cesdatad.bls.gov" { HTTP::redirect "https://cesdatad.bls.gov/CESLite" }
            "blsconfidentialitytrainingd.bls.gov" { HTTP::redirect "https://blsconfidentialitytrainingd.bls.gov/ICT" }
            "cpidatad.bls.gov" { HTTP::redirect "https://cpidatad.bls.gov/CPILite" }
            "idcfdbbs.bls.gov" { HTTP::redirect "https://idcfdbbs.bls.gov/BBS" }
            "joltsdatad.bls.gov" { HTTP::redirect "https://joltsdatad.bls.gov/JOLTS" }
            "blscompdatad.bls.gov" { HTTP::redirect "https://blscompdatad.bls.gov/NCSLite" }
            "trainingd.bls.gov" { HTTP::redirect "https://trainingd.bls.gov/LMS" }
            "respondentsd.bls.gov" { HTTP::redirect "https://respondentsd.bls.gov/upload" }
            "idcfdoews.bls.gov" { HTTP::redirect "https://idcfdoews.bls.gov/OEWSLite" }
            default { HTTP::redirect "https://idcfd.bls.gov/authentication/login" }
        }
    }
}
when HTTP_RESPONSE {
    foreach header {Server X-Powered-By X-AspNet-Version Cache-Control} {
        HTTP::header remove $header
    }
    HTTP::header insert Pool-Info [class search -value hosts_dg eq [IP::server_addr]]
    HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]
    set cookieNames [HTTP::cookie names]
    foreach aCookie $cookieNames {
        HTTP::cookie version $aCookie 1
        HTTP::cookie secure $aCookie enable
        HTTP::cookie httponly $aCookie enable
    }
}
I will note that I've played with this iRule frequently and even completed some of the testing without the iRule in the config. That's actually true of the VS also. I started disabling profiles to see how or if it impacted the errors but never found these efforts to change much. (Sometimes it got worse)
Right now the pool is actually just a single node and I changed the HTTP port to 81 to help isolate the traffic during debugging. Yesterday when I thought a lot of the traffic never got to IIS it was based on the IIS logs showing the health traffic but not my testing traffic.
ltm pool IDCFLB.app/IDCFLB_pool {
    app-service /Common/IDCFLB.app/IDCFLB
    members {
        dewsvweb1:81 {
            address 146.142.201.51
            app-service /Common/IDCFLB.app/IDCFLB
            session monitor-enabled
            state up
        }
    }
    monitor IDCFLB.app/IDCFLB_http_monitor
    slow-ramp-time 300
}
24-Jun-2022 09:37
Another follow up on my self-imposed quality control problem. I only found 1 site where that was the issue. Still have some sites that show the too many redirect errors, but it is inconsistent. A couple sites showed this error then a few seconds later loaded. Right this moment I have more sites loading the home page than not (haven't started deeper regression testing yet), but the inconsistencies definitely curb my enthusiasm that I actually fixed anything.
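
Added example (not part of any post in this thread, and not F5 or IIS code): an offline Python model of the redirect chain discussed above, which reports which tier issued each redirect and whether the chain loops. It encodes the root-path redirects from the posted iRule; the `backend` function, the `force_https_hosts` parameter and the `trace` helper are hypothetical names, and the IIS behaviour is a constructed assumption (a leftover HTTP-to-HTTPS rule behind the TLS-terminating virtual server).

```python
from urllib.parse import urlsplit

# Root-path redirects from the posted iRule (two of the ten hosts, for brevity).
IRULE_ROOT = {
    "idcfdars.bls.gov": "https://idcfdars.bls.gov/ARS",
    "cesdatad.bls.gov": "https://cesdatad.bls.gov/CESLite",
}
IRULE_DEFAULT = "https://idcfd.bls.gov/authentication/login"

def f5_irule(host, uri):
    """HTTP_REQUEST branch of the posted iRule: only the URI "/" is redirected."""
    if uri != "/":
        return None
    return IRULE_ROOT.get(host.lower(), IRULE_DEFAULT)

def backend(host, uri, force_https_hosts):
    """Constructed model of the IIS tier (an assumption, not the real config).
    The virtual server terminates TLS and the pool member is plain HTTP on
    port 81, so a leftover HTTP-to-HTTPS rule fires on every request."""
    if host in force_https_hosts:
        return f"https://{host}{uri}"
    return None

def trace(url, force_https_hosts=(), max_hops=10):
    """Follow redirects as a browser would; return (hops, verdict).
    Each hop is (tier_that_redirected, requested_url, location)."""
    hops, seen = [], set()
    for _ in range(max_hops):
        if url in seen:
            return hops, "loop"
        seen.add(url)
        parts = urlsplit(url)
        uri = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        tier, target = "f5-irule", f5_irule(parts.hostname, uri)
        if target is None:
            tier, target = "backend", backend(parts.hostname, uri, force_https_hosts)
        if target is None:
            return hops, "ok"
        hops.append((tier, url, target))
        url = target
    return hops, "too-many-hops"

if __name__ == "__main__":
    for hosts in ((), ("idcfdars.bls.gov",)):
        hops, verdict = trace("https://idcfdars.bls.gov/", hosts)
        print(verdict, [(t, loc) for t, _, loc in hops])
```

In this model every iRule target has a non-root path, so the iRule contributes at most one hop and a loop is attributed to the tier behind it; the same per-hop attribution can be done on a live capture by recording the status and Location of each response.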