Forum Discussion

HY_37629
Jul 23, 2009

Pool Selection based on HTTPS Request

Hello,

Newbie here...

Have a virtual server set up with client and server SSL.

Is it possible to direct httpS://www.x.com/a to pool a_pool and http://www.x.com/b to pool b_pool and default to x_pool?

Thanks for your help

10 Replies

  • Interesting question.

    In theory you should be able to do this via iRULE as long as you are terminating the SSL traffic on the F5.

    Do you have a separate Virtual server for https and http or are you talking about sharing a single wildcard virtual server?

    Thanks,
    CB

  • goyogi
    Here's a similar request which should have the same answer...

    I have separate irules for my http and https VIPs doing identical pool selection but the only difference is that the http irule has some http -> https redirects.

    For ease of management I would like to create a single irule for both http and https.

    What trigger do I use to say if the http_request is http do the redirect to https but skip it if it's not?
  • goyogi
    hyang...

    I think something like this should work for you. And I may have answered my own question. =)

        when HTTP_REQUEST {
            set my_uri [string tolower [HTTP::uri]]
            if { [URI::port [HTTP::uri]] == 443 } {
                if { $my_uri starts_with "/a" } {
                    pool a_pool
                }
            } elseif { [URI::port [HTTP::uri]] == 80 } {
                if { $my_uri starts_with "/b" } {
                    pool b_pool
                }
            } else {
                pool x_pool
            }
        }
  • goyogi
    Sorry for the formatting. Cut and paste killed it. But it's small enough you should be able to decipher.
  • You can use TCP::local_port to get the true requested port. I think URI::port and URI::host are intended to be used to parse absolute URIs (typically used when making requests to an HTTP proxy). You could use something like this to check the requested port, disable the client SSL profile if it's not needed and select the pool based on the requested URI:

        when CLIENT_ACCEPTED {

            # Check the requested port
            switch [TCP::local_port] {
                "80" {
                    # Disable the client SSL profile
                    SSL::disable
                }
                "443" {
                    # Leave the client SSL profile enabled
                }
                default {
                    # Take some action for other ports? For example, send a TCP reset
                    reject
                }
            }
        }
        when HTTP_REQUEST {

            # Check the requested URI
            switch -glob [HTTP::uri] {
                "/a*" {
                    # Check if requested port is 443
                    if {[TCP::local_port]==443}{

                        # Select a_pool and stop processing this event in this iRule
                        pool a_pool
                        return
                    }
                }
                "/b*" {
                    # Check if requested port is 80
                    if {[TCP::local_port]==80}{

                        # Select b_pool and stop processing this event in this iRule
                        pool b_pool
                        return
                    }
                }
                default {
                    # Send to default pool.  This must be defined on port 0,
                    # with the pool members configured on the same HTTP HTTPS ports as the virtual server
                    pool x_pool
                    return
                }
            }
            # If we made it here, the request was to /a and not via port 443 or to /b and not via port 80, so take some default action?
            HTTP::respond 403 content {Unauthorized request}
        }


    Aaron
  • Aaron,

    Thanks for your post. Another question - can irule examine the uri if both client and server SSL profile are enabled for the vs?

  • If there is a client SSL and HTTP profile, you can use an iRule to inspect and modify the HTTP content including the URI using the HTTP:: commands. Adding a server SSL profile makes no difference for this.

    Aaron
  • So if client sends a httpS://www.x.com/a request, HTTP:: commands will work as long as the SSL profile is checked?
  • That's correct. You'll need to import the server certificate and key in PEM format, configure them in a client SSL profile and add the profile to the HTTPS virtual server. You'd then be able to use the iRule above or any other HTTP:: commands on the HTTPS virtual server.

    Aaron
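
An added example, not posted by anyone in the thread, of the single rule goyogi asks about, using the TCP::local_port check from Aaron's reply. It assumes the same iRule is attached to both the port 80 and port 443 virtual servers, that every cleartext request should be redirected, and that www.x.com (the thread's placeholder) is the only host served; the pool names are reused from the thread for illustration.

```tcl
# Added example, not code from the thread. Host name, pool names and the
# "redirect everything on port 80" policy are assumptions for illustration.
when HTTP_REQUEST {
    # Strip any ":port" suffix and normalise case before comparing the Host header
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Only answer for hosts this virtual server is meant to serve, so a
    # client-supplied Host header never chooses the redirect target
    switch -- $host {
        "www.x.com" { }
        default {
            HTTP::respond 403 content {Unauthorized request}
            return
        }
    }

    # TCP::local_port is the port the client connected to; 80 means the
    # request arrived in cleartext on the HTTP virtual server
    if { [TCP::local_port] == 80 } {
        HTTP::redirect "https://${host}[HTTP::uri]"
        return
    }

    # Reached only for HTTPS requests: pool selection shared by both VIPs.
    # HTTP::path excludes the query string, so "?x=/a" cannot affect the match
    switch -glob -- [string tolower [HTTP::path]] {
        "/a*" { pool a_pool }
        "/b*" { pool b_pool }
        default { pool x_pool }
    }
}
```

Because the redirect is built from the checked host value and not from the raw Host header, a request with an unexpected Host gets the 403 and is never redirected.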