I have a virtual server that needs to have two different web servers behind it, so that I can present it via the internet. The reasoning for this is server1, redirects to server2 two for authentication, then after authenticating it redirects back to server1, where it stays for all other functions. I tried using this irule below, but it does not seem to be working. It is forwarded to the other site, but using the internal name of the site, so it times out as it is not available under that name on the internet. when HTTP_REQUEST { switch [string tolower [HTTP::host]] { "server1.domain.com" { pool server1_test_pool } "server2.domain.com" { pool server2_test2_pool } } }

Is your web server expecting soemthing different than server2.domain.com? Is it expecting server1.domain.com as well to access the website?

No, it is not. The process is as follows: Server1 receives initial web request, upon this request it forwards to server2 for authentication, then forwards back to Server1, where the rest of the web traffic will be taken place. I am stuck at where server1 directs to server2, it is using an internal address, which externally is not resolvable, so I get a server cannot be found error. I need all this address translation to happen behind the virtual server, not a redirect to a server2 which is not accessible via the internet with it's name.

Why not just use two Virtual Servers. Change DNS so server1. and server2. resolve to different IPs (and thus different Virtual Servers) and configure your F5 as appropriate. If you want to stick to the iRule I would suggest you also turn on OneConnect. You could use a stream profile to rewrite the internal name as required but I'd say it would be better to fix this at the server.

I wish using two virtual servers would work, but they have hard set in the web program to redirect to the internal name, so it's not possible, and the internal domain is not something we own, so not route-able outsie of our LAN.

Understood, not unusual. So, you'll need a Stream Profile and iRule to rewrite the responses and replace any instance of the internal name with a suitable external one. See here for a simple example: https://devcentral.f5.com/wiki/iRules.STREAM__enable.ashx and further details.

Virtual server with two different web servers

15 Replies

Keith_Fox_15580
Nimbostratus
Jan 16, 2015
This is the log that I got to the log local, I changed the server names, but it should give you a general idea... really frustrated with this site, and trying to get it to work. Thanks for all the help!

Jan 16 15:20:40 bigip info tmm[15713]: Rule /Common/Log_rule : Request URL: publicname.domain.com Jan 16 15:20:40 bigip info tmm[15713]: Rule /Common/Log_rule : Response: Status=302 | Location=http://SERVER2.domain.com:80/sso/SSOServlet?_action=LOGINASSERT&_ssoOrigUrl=http%3A%2F%2SERVER1.domain.com%3A9080%2Fefs&_TKM=TODO-UI&_serviceName=LBIDSP&_ssoTenant=DEFAULT&_ssoAuthUrl=http%3A%2F%2SERVER1.domain.com%3A9080%2Fsso%2FSSOServlet&_ssovaltoken=yGoOGEPj3EBZvpFzWYSVSWj0EIQ%3D
- Michael_Jenkins
  Cirrostratus
  Jan 16, 2015
  Ok. And you said that server1.domain.com and server2.domain.com aren't internet acessible, but your users are accessing this through internet, so they need publicname.domain.com? In this case, there's a couple things you might do. You could follow the ideas in this article (https://devcentral.f5.com/s/articles/rewriting-redirects) for the iRule redirect rewriting and replace server2.domain.com and server1.domain.com with publicname.domain.com and then change the iRule to check for starting with "/sso" and route to the auth pool. Then you still have only one path. The other way would be to have a second dns name like auth.domain.com and do basically the same thing as the other, but in the request, check for auth.domain.com host instead of the uri to decide which pool to send it to. Hope this makes sense.
- What_Lies_Bene1
  Cirrostratus
  Jan 19, 2015
  Just FYI, I'm pretty sure a stream profile won't rewrite a HTTP header, only the body.
Keith_Fox_15580
Nimbostratus
Jan 16, 2015
I tried using the below irule, and it still doesn't seem to be re-writing it. I would prefer to have only one outside public domain, but at this point I'll do two if needed. Naturally I am under a time table to have this site operational by next Friday, so no pressure.

when HTTP_RESPONSE { if { [HTTP::is_redirect] }{ HTTP::header replace Location [string map {"A.internal.com" "X.external.com"} [HTTP::header Location]] } }

Michael_Jenkins

Cirrostratus

Jan 17, 2015

You can try this and see what the logs turn up... Maybe that will help figure something out... Are you familiar with tcpdump too?

when HTTP_REQUEST {
    log local0. "URL: [HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE { 
    log local0. "  Response code: [HTTP::status]"
    if { [HTTP::is_redirect] }{ 
        log local0. "    Original: [HTTP::header value Location]"
        HTTP::header replace Location [string map {"A.internal.com" "X.external.com"} [HTTP::header Location]] 
        log local0. "    Updated: [HTTP::header value Location]"
    } 
}

Forum Discussion

Virtual server with two different web servers

15 Replies

Recent Discussions

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

URL

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Azure DP-100 Exam Questions

Deploying F5 WAF in front of Azure Web App Services

Related Content

Check a Virtual Server's SSL Status

Virtual Server graphical App for F5 LTM

Provide Content of different Webapps with one Virtual Server

virtual server config

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server