Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Redirect to pool member based on URI with persistence

We are implementing Kronos 8 with SSL offloading on our LTM. The SSL offload options in Kronos forces all traffic through the LTM so our Kronos admin can no longer hit the application directly on the individual servers. To accomplish this I need to direct traffic directly to the pool member based on URI. I also need to append /wfc/logon to all URIs. I have built an iRule based on examples I have found here, but it doesn't work correctly. It lands on the initial logon page correctly, but after the logon doesn't persist to the pool member.

Process I am trying to accomplish:

Any suggestions are greatly appreciated.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Careful you do not direct them to the logon page all the time and i would look at using switch instead of if elseif but put an if as a top level trigger, only do this if the URI starts with "/ap" then just strip the "/apx" from the uri.

Think the following should do the job:

# Allow server selection via uri
when HTTP_REQUEST {
    set uri [string tolower [HTTP::uri]]
    if {$uri eq "/"} {
        HTTP::uri "/wfc/logon"
    } elseif {$uri starts_with "/ap"} {
        switch -glob $uri {
            "/ap1" {
                pool Kronos member 192.168.1.121 80
                HTTP::uri [string map {"/ap1" ""} $uri]
            }
            "/ap2" {
                pool Kronos member 192.168.1.122 80
                HTTP::uri [string map {"/ap2" ""} $uri]
            }
            "/ap3" {
                pool Kronos member 192.168.1.123 80
                HTTP::uri [string map {"/ap3" ""} $uri]
            }
        }
    }
}
0
Comments on this Answer
Comment made 09-Feb-2018 by Rob 133

Hi AMG,

Thanks for your help. I've been testing and it certainly starts on the correct server, but then after the logon it seems like persistence is not respected (set to cookie insert on the VIP). Part of the problem I think is that Kronos makes you set the VIP in their application for SSL Offload options and when you log in it then throws you back to the VIP. When you land back on the VIP the /ap1 or /ap2 is of course stripped off.

Thanks, Rob

0
Comment made 09-Feb-2018 by Andy McGrath 2563

This all through a single VS? Does the logon redirect the use to another VS or another FQDN?

Also not sure if cookie will be set on the initial response if that is a 302 redirect, I would expect it to be but not 100% sure.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

you have to create 2 virtual servers:

  • http virtual server to redirect HTTP URLs to HTTPS. assign the default _sys_https_redirect irule.
  • https virtual server to manage

Apply this irule to the HTTPS virtual server

# HTTPS virtual server irule
when HTTP_REQUEST {
  switch -glob -- [HTTP::path] {
    "/wfc/logon" {
            switch -glob -- [URI::query [HTTP::uri] app] {
              "ap1" {
                pool Kronos member 192.168.1.121 80
                HTTP::uri "/wfc/logon"
              }
              "ap2" {
                pool Kronos member 192.168.1.122 80
                HTTP::uri "/wfc/logon"
              }
             default {pool Kronos }
            }
    }
    "/ap1" {HTTP::respond 307 Location "/wfc/logon?app=ap1" }
    "/ap2" {HTTP::respond 307 Location "/wfc/logon?app=ap2" }
    "/" {HTTP::respond 307 Location "/wfc/logon" }
  }       
}
0
Comments on this Answer
Comment made 10-Feb-2018 by Andy McGrath 2563

Very nice iRule but you don't need the HTTP::uri "/wfc/logon" within the switch statement as already redirected to it from '/ap1' and '/ap2'

Also removing this and using URI parameters might just fix your issue with persistence not working correctly.

0
Comment made 10-Feb-2018 by Stanislas Piron 10677

This command is to remove the query string which contains the app parameter.

0
Comment made 14-Feb-2018 by Rob 133

Hi Stanislas and AMG,

Thanks for the continued suggestions and feedback. Both iRules have gotten me close. I have some strange persistence issues going on that I need to dig into. I can't seem to stay on server #2 unless I disable server #1 from the pool.

0
Comment made 14-Feb-2018 by Stanislas Piron 10677

this irule doesn't manage persistence, it only redirect to right server based on the URI.

to manage persistence, configure persistence on the virtual server.

0