Working without trailing slash in LTM rewrite profile URI rules
Hi, I am trying to implement simple reverse proxy with load balancing based on URI path. Here is the example: F5 VIP 1 listening to main.example.com:80 - default HTTP to HTTPS redirect iRule is applied F5 VIP 2 listening to main.example.com:443 App server 1 listening to foo.example.com:443 App server 2 listening to bar.example.com:443 App server 3 listening to portal.example.com:443 Rewriting rules and load balancing rules examples: https://main.example.com -> https://portal.example.com/src/portal/ (App server 3) https://main.example.com/aa/ -> https://foo.example.com/aa/ (App server 1) https://main.example.com/bb/cc/ -> https://foo.example.com/bb/cc/ (App server 1) https://main.example.com/dd/ -> https://bar.example.com/dd/ (App server 2) https://main.example.com/dd -> https://bar.example.com/dd/ (App server 2) So basically there are 3 different back end app servers, each listening on different virtual host, and client requests should be redirected to these servers based on the URI path, while the host part of the URL must also be rewritten in all headers and whole HTML content. End user must always see only main.example.com in their browser's address field. In prior TMOS versions there was the ProxyPass iRule used for such functionality. But since my case is not too complicated and I am running 11.6, there is a way to supplement ProxyPass functionality with build in features: LTM Rewrite profile and LTM policy. I do the necessary URI rewrite in rewrite profile via URI rules and request forward in LTM policy rules. Everything works just fine, except one small annoying thing. Users want to have the option to ignore the trailing slash in URI path when calling a default resource within a directory. So for example, they want to be able to call main.example.com/dd and get the default resource from the /dd/ directory. My problem is that LTM rewrite profile does not allow me to specify URI rules without a slash at the end of URI. And without it, the whole concept does not work. Because when the user calls main.example.com/dd, F5 does not match this request to any URI rewrite rules, hence the host part stays "main" instead of being rewritten to "bar". The LTM policy actually forwards the request to correct app server because in the LTM policy I am able to declare a condition "if URI path begins with /dd". But the app server 2 does not accept request for virtual host 'main'. So I get an error. And I cannot do the URL rewrite in LTM policy. I need to rewrite all links in headers, cookies and content, so I need to use LTM rewrite profile to accomplish all that. Also something like 'main.example.com/zz' can be a legitimate request for a file called 'zz' inside the root directory of app server. So the F5 needs to be able to rewrite also requests without trailing slash and catch the HTTP redirects, rewrite them accordingly also in HTTP responses. Blindly inserting '/' at the end of each request is hence not possible. Any idea would be much appreciated! Thanks.
Local Traffic Policy and selective URI access - missing trailing / issue
Hi, Trying to figure out how in the simplest and most effective way (avoiding iRule) achieve result like below: VS receiving traffic for multiple FQDNs Each FQDN should be directed to separate Pool Only specified FQDNs should be allowed to be passed to backend For selected FQDNs only specified URIs should be allowed 403 response instead of TCP reset should be send back to client when traffic blocked More or less I did achieve above but it is quite complicated considering number of LTPs or rules inside LTPs. Especially painful is handling URIs without trailing / So I have two setups: One LTP with all matching strategy and four rules (just handling one FQDN for a start): Host header rewrite when there is match on Host header in request Block all request when Host header is not (list of allowed FQDNs). This rule sets variable used in iRule sending 403 responses and closing connection Block all request when URI is not (list of allowed URIs). This his rule sets variable used in iRule sending 403 responses and closing connection Redirect when allowed URI (listed in previous rule) has not trailing slash. This rule sets variable used in iRule in a way that is not triggering HTTP::respond 403 Four separate policies with one rule each and first matching This is quite a lot of work, plenty of places to make mistake or typo so I wonder if there is any better way to configure LTPs? Or I should gave up and use iRule? I am quite puzzled as well what is difference between having one LTP with multiple rules vs multiple LTPs with one rule. From my test I can't see difference in performed actions but... What is strange for me is what is order of executing actions on matched rules. Three rules are setting same variable with different values. But what dictates order - in other words which rule will set final value? In all matching scenario and multiple rules for some reason rule responsible for Redirect (missing slash) sets this value last, even if during one LTP execution there is match on three rules: Host header blocking - var set to 403 Allowed URI hit - (here only full URIs are listed, like /test/) so /test triggers this, variable set to 403-1 Redirect hit (here URIs like /test are listed), var is set to 200 (so not HTTP::response 403 triggers in iRule) Every time var final value is 200 (so as set by Redirect rule) - I can see sequence of var value changes in log. Even if all match mode is used I tried to change order of rules in LTP - no change in behavior. Same happens when I have separate LTPs with single rule attached to VS. Again last rule setting var is Redirect. I wonder if this is king of coincidence or there is some reason for such behavior? Piotr