13-Nov-2022 05:30
Hi,
I have an internal server with two "applications" and I need to give access to one of the applications from the Internet.
The FQDN "globalserver.mydomain.com" points to my F5 VIP, and I need that every time a client tries to go to globalserver.mydomain.com, the F5 will send the client to "internalserver.com/portsluser/main#page/"
I can accomplish this with a redirect policy, but then the client will see the redirection URL in his browser, which is internalserver.com/portsluser/main#page/
Regards
Rafi
13-Nov-2022 07:38
Hi @Rafi1,
> If I understood the first part correctly: if you want your nodes to get internet access, you need to configure a Forwarding virtual server on F5 to take the traffic initiated from your nodes to your internet path.
Follow this article to configure a Forwarding virtual server:
https://support.f5.com/csp/article/K7595
> For FQDN hostname redirection, I think your clients can see the redirection in their browsers if you use the "Redirect Action in an LTM policy or HTTP::redirect in iRules".
As an administrator on F5, if you want to be the only person who sees this change of FQDNs, you need to "replace the old FQDN with the new FQDN" by using HTTP::header, not by performing a redirection at the FQDN hostname level.
By replacing the HTTP header, you will find the new hostname added in the entire HTTP packet, but the client will still see the old FQDN hostname in their browser.
Follow this iRule to change the hostname header on HTTP packets:
```tcl
when HTTP_REQUEST {
    # Only touch requests addressed to the public hostname
    if { ([string tolower [HTTP::host]] equals "globalserver.mydomain.com") } {
        HTTP::header replace Host "internalserver.com"
    }
}
```
Tell me first whether this meets your needs or not. If not, clarify your request exactly; if yes ("changing the host header instead of redirection"), we can add more conditions for the rest of the URI paths that you want to add.
I will wait for your feedback.
Thanks
13-Nov-2022 08:36
Hi,
Thank you for your reply,
I think it will be better to describe what I'm trying to achieve.
1. I configured a virtual server (type standard).
Every client that wants to get to the internal service needs to go to "globalserver.mydomain.com", which by DNS A record points this traffic to the virtual server I created.
Then I want the F5 to take this request and point it to "internalserver.com/portsluser/main#page/"
And the client should still see his original request in his browser, which is "globalserver.mydomain.com"
Regards
13-Nov-2022 09:28
Hi @Rafi1,
I have simulated this scenario in my lab. Try this iRule:
```tcl
when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] equals "globalserver.mydomain.com") } {
        # Rewrite the Host header and the path before the request goes to the pool
        HTTP::header replace Host "internalserver.com"
        HTTP::path "/portsluser/main#page/"
    }
}
```
Find below the snapshots from my lab:
iRule:
My results:
As you can see, as a client I typed "shopping.asm.f5", and the request is shown in the F5 ASM event logs with a changed header and an added new path; neither the new hostname nor the added path appeared to the client.
Try it and give me your feedback.
Regards.
13-Nov-2022 21:50
Thank you very much for your
Unfortunately the iRule didn't work for me.
I must mention another thing (forgot, sorry): the original URL that the client browses to, as I mentioned, is "globalserver.mydomain.com". I need the LTM to change it to "internalserver.xxx.mydomain.com/portsluser/main#page/", which is a subdomain of "mydomain.com". In the virtual server's "ssl profile client" the certificate is *.mydomain.com. Do I also need *.xxx.mydomain.com?
I configured a regular virtual server with: type=standard, service port=443, pool=internalserver.xxx.mydomain.com. Without your iRule the LTM forwards me to the server "internalserver.xxx.mydomain.com". I hoped that with your iRule it would forward me to "internalserver.xxx.mydomain.com/portsluser/main#page/", but unfortunately with the iRule I got a blank page (no service).
I also noticed that in your lab you are using a security profile (ASM). Basically I don't need ASM; all I need is to forward the client request to another web service.
Any idea ?
Regards
14-Nov-2022 01:12
Hi @Rafi1,
As per @CA_Valli's iRule and mine, both of them should work for you.
> I want to add that there is a problem with your certificate: you have a wildcard for "*.mydomain.com", which will not be compatible with "*.xxx.mydomain.com". Otherwise, remove the "." before xxx; I mean the hostname should be "internalserver-xxx.mydomain.com", and do not use a dot "." in your hostnames.
> After that, make sure that
"globalserver.mydomain.com" and "internalserver-xxx.mydomain.com"
have the same DNS resolution, or at least configure
"internalserver-xxx.mydomain.com" to be mapped to the "IP of the virtual server on F5".
> But in your case there is an issue with the certificate; you must use "-", not ".",
and try.
> I used ASM logging only to see the request contents, as monitoring, not to take any actions.
> I will take a pcap from my lab to see the flow of traffic and the changes as well.
Regards.
14-Nov-2022 01:22
In "internalserver-xxx.mydomain.com", the "xxx" is a subdomain, so I must use a dot ".".
What if, in the server SSL profile (in the virtual server), I attach the real server certificate *.xxx.mydomain.com?
Regards
14-Nov-2022 01:25
Yes, you need to create a new certificate for "*.xxx.mydomain.com".
I got stuck on this issue before and resolved it by using the "-" symbol, not ".".
Let me take a tcpdump in my lab environment; it will show us more about the redirections.
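The wildcard question discussed in the posts above, as an added Python example that is not part of the original thread: it checks which of the thread's hostnames a wildcard certificate name covers under the single-label rule of RFC 6125 section 6.4.3. The function names and the certificate name lists are hypothetical; the hostnames are the ones used in the thread.

```python
# Added illustration (not from the thread): single-label wildcard matching
# in the style of RFC 6125 section 6.4.3.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    if len(p_labels) != len(h_labels):
        return False
    # Every label to the right of the left-most one must match exactly.
    if p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        # "*" stands for exactly one non-empty left-most label.
        return h_labels[0] != ""
    # No wildcard; partial wildcards such as "f*o" are treated as literals.
    return p_labels[0] == h_labels[0]


def covering_names(cert_names, hostname):
    """List the certificate names (SAN entries) that cover `hostname`."""
    return [n for n in cert_names if wildcard_matches(n, hostname)]


# Hostnames from the thread; the certificate name lists are constructed.
HOSTS = [
    "globalserver.mydomain.com",
    "internalserver.xxx.mydomain.com",
    "internalserver-xxx.mydomain.com",
]
CERTS = {
    "wildcard for mydomain.com": ["*.mydomain.com"],
    "wildcard for xxx.mydomain.com": ["*.xxx.mydomain.com"],
}


def coverage_table():
    """Map (certificate label, hostname) to whether the name is covered."""
    return {(label, host): bool(covering_names(names, host))
            for label, names in CERTS.items() for host in HOSTS}


if __name__ == "__main__":
    for (label, host), ok in coverage_table().items():
        print(f"{label:30} {host:34} {'match' if ok else 'NO MATCH'}")
```

A browser validates the certificate presented by the client SSL profile against the name it connected to, which in this thread is globalserver.mydomain.com.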
14-Nov-2022 00:26
Hello Rafi, if I'm not mistaken you're having the same issue as this post here.
- globalserver.mydomain.com should resolve to your VS IP
- if SSL is in place, you need a clientSSL profile with a certificate that matches "globalserver" SNI (or wildcard for *.mydomain.com)
- you need an HTTP profile on the virtual server to parse request elements
- if backend server speaks SSL, you also need a serverSSL profile
iRule should be pretty simple, this code will rewrite client request before sending it to server -- meaning it will be transparent to client.
```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] eq "globalserver.mydomain.com" } {
        # Rewrite Host and the full URI before the request is sent to the server
        HTTP::header replace Host "internalserver.com"
        HTTP::uri "/portsluser/main#page/"
    }
}
```
My only concern would be that you have hash "#" character in URI, which is a reserved character that is usually only interpreted by client browser (usually not passed to server) to identify a fragment.
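The fragment concern raised in the post above, as an added Python example that is not part of the original thread: it models what a browser sends for a URL with a "#" fragment, what the iRule's rewrite puts on the wire, and how a server that parses the request-target as a URI reference would read it. The function names are hypothetical, and `urlsplit` stands in for the server's parser as an assumption; real servers differ in how they treat "#" in a request line.

```python
from urllib.parse import urlsplit


def browser_request(url: str) -> dict:
    """What a browser puts on the wire for `url`; the fragment stays local."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {"target": target, "host": parts.netloc,
            "kept_by_browser": parts.fragment}


def irule_rewrite(req: dict) -> dict:
    """Mimic the thread's iRule: replace Host and the whole URI for one host."""
    out = dict(req)
    if req["host"].lower() == "globalserver.mydomain.com":
        out["host"] = "internalserver.com"
        out["target"] = "/portsluser/main#page/"
    return out


def server_view(req: dict) -> dict:
    """Assumed server behaviour: parse the request-target as a URI reference."""
    parts = urlsplit(req["target"])
    return {"host": req["host"], "path": parts.path,
            "fragment": parts.fragment}


if __name__ == "__main__":
    # A browser asked for the internal URL directly never sends "#page/".
    direct = browser_request("https://internalserver.com/portsluser/main#page/")
    print("browser sends :", direct["target"], "| keeps:", direct["kept_by_browser"])

    # Through the virtual server, the rewrite injects "#page/" into the request.
    rewritten = irule_rewrite(browser_request("https://globalserver.mydomain.com/"))
    print("proxy sends   :", rewritten["target"], "Host:", rewritten["host"])
    print("server parses :", server_view(rewritten))
```

In the rewritten case the browser's address bar never contains "#page/", so client-side code that reads the fragment has nothing to act on.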
14-Nov-2022 01:01
Hi,
All the previous conditions are defined, but with the iRule I still see a blank page.
I was actually able to make progress with a rewrite profile. I wrote a rewrite profile and it works as expected: when I browse to "internalserver.com" the profile rewrites it to "internalserver.com/portsluser/" and the client still sees "internalserver.com" in his browser. But now the problem is that when I try to log in I get error 500 from the web site.
Any idea ?
Regards
14-Nov-2022 01:20 - edited 14-Nov-2022 01:24
Hello Rafi,
Can you define "blank page" better?
If the server responds to a "GET /portsluser/ Host: internalserver.com" request with a 200 whose content is a blank page, the problem is on the server.
If you have a timeout issue, there might be a problem on the network instead; you might need to fix NAT or routing.
If you run curl -vk -H "Host: internalserver.com" https://<internalserver.com node IP>/portsluser/ from the F5 command line, what's the output?
If you run curl -vk -H "Host: globalserver.mydomain.com" https://<virtual server IP>/ from the F5 command line, what's the output?
14-Nov-2022 23:23
Hello @CA_Valli
See attached command output for: curl -vk -H "globalserver.mydomain.com" https://<virtual server IP>
It seems that the iRule rewrite the me, but still I get Error 404