Forum Discussion

ngockq
May 26, 2023

Use VS Port difference Member port for https traffic

Dear all,

I have a case: I created a VS with port 9080 that load balances to a pool with 2 members: 1 member with port 9445 and 1 member with port 9447. VS type standard, LB method round robin. And I have a policy on the firewall that allows the client IP to connect to the VS IP on port 9080 only.

When the client connects to https://IP_VS:9080 in the browser, the client receives a response with the member port (9445 or 9447), such as https://IP_VS:9445/web/login.., and the browser cannot load the web page.

I think F5 needs to respond with the same port 9080.

Do I need to configure some options to fix this issue?

Thanks

7 Replies

  • Can you please share your VS config?

    Also, make sure the return traffic from the pool members goes through the F5 device (either use SNAT or use routing in your infrastructure).

    It should look like this:

    Client <->Firewall<->F5 LTM<->pool members.

    • ngockq

      Yes, I used automap. Flow traffic: Client <->Firewall<->F5 LTM<->pool members.

  • ngockq Based on the response that the client is receiving most likely the server is issuing the redirect with the port defined as 9445 for the HTTPS connection. If this is the case then you will need to create an iRule to replace the 9445 with 9080 in the HTTP Response so that the client maintains the connection on port 9080 or just disable the redirect from the server if it's not required.

    • ngockq

      Should I use an iRule or a policy for this VS? Which one is better for performance?

      Otherwise, I think the backend server (pool member server, application layer) should respond with the correct port 9080 to F5 --> client, so F5 doesn't need to rewrite.

      • Paulius

        ngockq I don't use LTM policies often, so I'm not sure how to configure them for this particular situation, but I would imagine it can be done, and it is probably the better performing of iRules and LTM policies because it's built in, rather than an iRule, where you can come up with almost whatever TCL code you would like with a few limitations.

        If it were me I would opt to go to the web admins and have them correct the issue on the server side rather than doing this on the F5, because the less you have the F5 do the better in most situations. I'm almost certain that the server is performing a redirect with an explicit path rather than using a relative path, so that the user can decide where they connect to on the host port side of the connection. If the web admins cannot fix this issue, then try and resolve it using the F5. My guess here is that even if you perform the rewrite on the F5 using an LTM policy or iRule it will still cause an issue because the server is issuing a redirect with the port, but there's only one way to find out.

  • The issue is technically on the origin server. It returns references to content on that particular port. So, you may have to rewrite the HTTP response from the server. A Stream profile is one way (https://my.f5.com/manage/s/article/K39394712), but you want to use an iRule to perform the replacement on the HTTP response for HTTP content returned by the origin server.


  • Hi ngockq,

    First > there is a redirection returned to you from the origin server/pool member in the response body. This is a known issue called Mixed Content, so I believe the best practice is to adjust this redirection in the server code itself, not to solve it on the BIG-IP, but as a last resort the BIG-IP can solve it.

    > Take a pcap from the BIG-IP and capture both client and server sides.
    > Take a HAR file from your browser: https://my.f5.com/manage/s/article/K10370211

    > Download the HAR file and open it in a HAR file analyser: https://toolbox.googleapps.com/apps/har_analyzer/
    > Identify your requests and server responses and look deeply at the server response bodies to see where the mixed content happens. I mean look at the response that you receive prior to sending this request: " https://IP_VS:9445/web/login.. and brower can not load page web. "

    When you get it, send the sample response body to the server developer first to adjust it. If this is not available you can use an iRule to replace " https://IP_VS:9445/ " with what you need to send in the following request. You can use the string map function in the iRule, I think. Please have a look at this article to learn how to construct the iRule: https://community.f5.com/t5/technical-forum/irule-to-modify-http-response/td-p/134276

    Make sure to sync the changes with the server developer.

    I hope this is insightful!
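As an added illustration of the iRule approach suggested in the replies above (the response rewrite of 9445 to 9080, and the string map on the HTTP response body), this is example code written for this thread, not an iRule posted by any participant or by F5. It assumes the VS has an HTTP profile plus client and server SSL profiles so the HTTP events see decrypted traffic, and it takes the VS port and the selected member's port from the connection rather than hard-coding them, so it also covers the 9447 member.

```tcl
# Added example: rewrite the pool member port back to the VS port in
# redirects (Location header) and in HTML bodies returned by the server.
# Assumes an HTTP profile and client/server SSL profiles on the VS.
when HTTP_REQUEST {
    # Port the client actually connected to (the VS port, 9080 in this thread)
    set vs_port [TCP::local_port]
    # Ask the server for an uncompressed body so the payload can be rewritten
    HTTP::header remove Accept-Encoding
}

when HTTP_RESPONSE {
    # Port the chosen pool member listens on (9445 or 9447 in this thread)
    set member_port [TCP::server_port]
    # Only the ":port/" form is mapped, so unrelated numbers are left alone
    set portmap [list ":${member_port}/" ":${vs_port}/"]

    # Case 1: the server redirects with its own port in the Location header
    if { [HTTP::is_redirect] && [HTTP::header exists Location] } {
        set loc [HTTP::header Location]
        set newloc [string map $portmap $loc]
        if { $newloc ne $loc } {
            HTTP::header replace Location $newloc
        }
    }

    # Case 2: absolute links inside HTML; collect a bounded body to rewrite
    if { [HTTP::header Content-Type] starts_with "text/html" } {
        set clen [HTTP::header Content-Length]
        # Cap collection at 1 MiB (assumed limit) to avoid buffering huge pages
        if { $clen eq "" || $clen > 1048576 } { set clen 1048576 }
        if { $clen > 0 } { HTTP::collect $clen }
    }
}

when HTTP_RESPONSE_DATA {
    set body [HTTP::payload]
    set newbody [string map $portmap $body]
    if { $newbody ne $body } {
        # LTM adjusts Content-Length when the payload is replaced
        HTTP::payload replace 0 [HTTP::payload length] $newbody
    }
    HTTP::release
}
```

Verify the result with the pcap and HAR capture steps above: after applying the iRule, the 302 Location and any in-page links should show :9080, and the firewall rule that only allows 9080 no longer blocks the follow-up request.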