
iRule to forward https://x.x.com/backdoor to a specific node (requests ending with /backdoor only).

Hello mates,

I am literally new to iRules in F5. I have read a few similar questions and I had a look at the iRules provided by the community, but honestly, I am totally lost in coding and I am not sure that I can produce the exact iRule I need just by looking at 5 other similar iRules.

What we have:

VIP operating on 443 (let's call it VS_test), with a pool assigned to it (called pool_test) having two members, 1.1.1.1 and 1.1.1.2, on port 9002.

The URL they are accessing is https://test.dimov.com/backdoor

So, when they access https://test.dimov.com/backdoor (with that /backdoor at the end) traffic should go to node 1.1.1.1 only. For the other traffic there might be two options (this is still not clarified).

1 All other traffic to go to node 1.1.1.2, or

2 to be load balanced between both.

But requests including /backdoor at the end should go to 1.1.1.1 only!

We don't have any SSL Profile (client) or (server), so according to my understanding we don't really terminate the SSL on the F5. VIP is on 443 -> no SSL profiles -> nodes listening on 9002 -> I conclude that there is no offloading, but it is only an assumption.

So possible iRules:

1 -> /backdoor hits 1.1.1.1, all other traffic is load balanced between both

2 -> /backdoor hits 1.1.1.1, all other traffic hits 1.1.1.2

3 -> /backdoor hits 1.1.1.1, all other traffic is load balanced between both

4 -> /backdoor hits 1.1.1.1, all other traffic hits 1.1.1.2

1

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        node 1.1.1.1 9002
    } else {
        pool pool_test
    }
}

2

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        node 1.1.1.1 9002
    } else {
        node 1.1.1.2 9002
    }
}

3

when HTTP_REQUEST {
    # -glob with a leading "*" matches any URI that ends in /backdoor
    switch -glob [string tolower [HTTP::uri]] {
        "*/backdoor" {
            node 1.1.1.1 9002
        }
        default {
            pool pool_test
        }
    }
}

4

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "*/backdoor" {
            node 1.1.1.1 9002
        }
        default {
            node 1.1.1.2 9002
        }
    }
}

Are those iRules even close to "reality"? Also, if I am right that we don't terminate the SSL on the F5 (because we don't have any SSL profile applied on the client side), will it work? Or should we put a certificate on it so it will terminate the session?

Cheers,

Best regards, Latcho


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You cannot examine the HTTP payload on encrypted traffic unless you terminate SSL on the BIG-IP system on the client-side connection. (You can re-encrypt the traffic on the server-side.) So you'll need a client SSL profile no matter what. If you need to re-encrypt on the back end (which it sounds like you do), you'll need a server SSL profile, too, along with the appropriate certs and keys installed on the BIG-IP system.

Your iRules are pretty close, with a couple of typos and suggestions. First of all, I see no difference between your requirements for options 1 and 3, and same for options 2 and 4. They cover the same thing just using IF vs SWITCH. These examples assume a single pool named "pool_test" with two members - 1.1.1.1:9002 and 1.1.1.2:9002.

For /backdoor to 1.1.1.1:9002 and all other traffic to both members:

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test
    }
}

For /backdoor to 1.1.1.1:9002 and all others to 1.1.1.2:9002:

when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test member 1.1.1.2 9002
    }
}

Given that there are only two conditions, an IF statement will probably perform better than a SWITCH. You can also consider which request will be more common - with "/backdoor" in the URI or without. If without, then switch the conditional statement to check for "not /backdoor" first for better performance. For example, when most traffic is NOT /backdoor and should load balance to both pool members:

when HTTP_REQUEST {
    # Test the common case first; the negation wraps the comparison in
    # parentheses (square brackets would be treated as a command substitution)
    if { !([HTTP::uri] ends_with "/backdoor") } {
        pool pool_test
    } else {
        # only /backdoor requests reach this branch, so they go to 1.1.1.1
        pool pool_test member 1.1.1.1 9002
    }
}

You can also do this with a local traffic policy but a slightly different pool configuration. You need two pools instead of just one because you cannot select a specific pool member from a local traffic policy, just a pool. So, for the /backdoor to 1.1.1.1:9002 and all other to both members, pool_test1 contains just 1.1.1.1:9002 and pool_test2 contains both pool members. The local traffic policy would be coded similar to this (using the GUI):

Policy Name: select_backdoor_pool

Strategy: Execute the first matching rule

Rule 1: select_backdoor_pool_rule

Match all of the following conditions:

    HTTP URI path ends with any of /backdoor at request time

Do the following when the traffic is matched:

    Forward traffic to pool pool_test1 at request time

Rule 2: select_all_other_traffic_pool_rule

Match all of the following conditions:

    All traffic

Do the following when the traffic is matched:

    Forward traffic to pool pool_test2 at request time

For this policy to work, it's important that you order the rule that checks for /backdoor first. To cover the other requirement where all other traffic load balances to 1.1.1.2:9002, just change pool_test2 to have that single member in it - same policy.

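As an added illustration (this is not crodriguez's code and is not part of the original answer), the IF-based iRule above can be tightened so that the match is not defeated by a query string or by mixed case, and so that every request routed to the restricted path leaves an audit trail. It assumes the names from the thread (pool_test, member 1.1.1.1:9002) and that a client SSL profile and an HTTP profile are attached to the virtual server, since HTTP_REQUEST never fires on traffic the BIG-IP cannot decrypt.

```tcl
# Added example, not the original poster's or answerer's iRule.
# Assumes pool_test with member 1.1.1.1:9002 as described in the thread.
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string, so a request for
    # "/backdoor?debug=1" still matches; a check on [HTTP::uri] would not.
    # string tolower makes the comparison case-insensitive ("/BackDoor").
    set path [string tolower [HTTP::path]]

    if { $path ends_with "/backdoor" } {
        # Record who is being routed to the restricted member so the
        # selection can be audited from /var/log/ltm.
        log local0. "backdoor route: client [IP::client_addr] host [HTTP::host] path [HTTP::path] -> 1.1.1.1:9002"
        pool pool_test member 1.1.1.1 9002
    } else {
        # Everything else is load balanced across the whole pool.
        pool pool_test
    }
}
```

Two caveats on the match itself: ends_with "/backdoor" also matches any longer path such as "/app/backdoor", so use `equals` instead if only the exact path should be routed that way, and a trailing slash ("/backdoor/") does not match either form, so decide which spellings are meant to be covered before relying on the rule.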
Comments on this Answer
Comment made 1 month ago by Latchezar Dimov

Hi crodriguez,

Wow, an amazing explanation, thanks!

Yep, exactly my doubt about the offloading. That's why I notified that we are not doing it and most probably we will need to do so, in order for the F5 to be able to see into the payload. I also noticed that in order for an iRule to work (at least applying it in such a manner), firstly I will need to specify the pool name and then the member.

Thanks a lot for the policy explanation and examples.

Now the only thing I am waiting for is an approval from the customer to implement it.

Thanks again; in case I face some other issues I will update the post and request help again.

Cheers,

Best regards, Latchezar Dimov

P.S. Let me know if any actions are required from me, as I am new to the community.
Comment made 1 month ago by crodriguez

No further actions are required from you unless you have additional questions or comments related to this thread. And welcome to the community!
