Forum Discussion

hc_andy_35682's avatar
hc_andy_35682
Icon for Nimbostratus rankNimbostratus
May 11, 2010

Bypassing a VIP based on destination address

Hi All,

 

 

Our LTM is configured with a PROXY_VIP and WEBMAIL_VIP which load balances proxy and webmail traffic for schools. Schools use the PROXY_VIP to access HTTP/HTTPS web sites and the IP address of the PROXY_VIP is hard coded in the student's browser.

 

 

So if schools need access to http://webmail.com, their request first gets served by the PROXY_VIP which load balances the request to a real proxy server and then the proxy server goes and fetches the webmail page which in turn gets load balanced by the WEBMAIL_VIP.

 

 

Can the LTM do the following:

 

 

1/ If the request is from a school IP address and the destination address is http://webmail.com, can we bypass the PROXY_VIP and redirect the request to the WEBMAIL_VIP.

 

 

2/ If 1 is not possible, once the request hits the PROXY_VIP and the destination address is http://webmail.com , can we use HTTP Redirection to redirect the request to the WEBMAIL_VIP but PRESERVE the School's IP address as the source IP rather than it being the IP address of the proxy server???

 

 

The reason for doing this is so that we can maintain source address persistence like so: school IP -> webmail machine rather than proxy server IP -> webmail machine.

 

 

Thanks.

 

 

Andy

 

 

 

 

 

 

 

 

 

 

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/afv/topic/aft/1172300/aff/5/showtab/groupforums/Default.aspx
config
design

10 Replies

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 11, 2010
    1. If the proxy ip address is hard-coded in the browser then it doesn't matter what you redirect to... It'll still go via the proxy... The only way around that really is to use a PAC file (It's a small javascript program that gets run for EVERY URL accessed. It can decide whether to use a proxy or go direct to a website).

     

    Beaware though that because it gets run for EVERY URL, you really really do want to keep it small. And avoid IP address lookups etc.

     

     

    2. redirects are no good.

     

     

    The best way would be via PAC file. Note that you can setup the PAC file on an HTTP server and then have the browsers load it from there. Thus you don't have to distribute a file every time it changes. Failing that, I'd recommend using an iRule on the proxy_vip. Simply detect the host they're accessing, and if it's webmail.com then use the webmail pool. Otherwise use the default pool. You can also enable/disable SNAT in the iRUle so that when accessing the webmail servers, the webmail will see the client IP address. But this also pre-supposes that the webmail servers use the F5 as their route back to the clients (Either by default route, or routes in the network etc).

     

     

    H
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    May 16, 2010
    Thanks for the reply Hamish.

     

     

    I'm probably more interested in option 2. If we redirect the packet to the webmail pool once it hits the PROXY_VIP, can we code the irule to set the persistence and timeout we want so that each school's ip will be bound to the same real webmail machine? And yes the webmail servers use the F5 as the route back to the clients.

     

     

    Thanks.

     

     

    Andy

     

  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    May 17, 2010
    Been playing with this, but can't figure it out...

     

     

    How do I write an irule so that we can extract the webmail URL/IP from the packet that hits the proxy_vip and then redirect this to the webmail_vip/pool whilst maintaining the src ip as that of the school's IP???

     

     

    Original request:

     

    src ip (school) -> dest ip (proxy_vip)

     

     

    Desired request:

     

    src ip (school) -> dest_ip (webmail_vip)

     

     

    The proxy_vip is a Performance L4 VIP, so I can't use any of the HTTP_REQUEST and HTTP::redirect irule statements - is there another way to do what i want to accomplish?

     

     

    Thanks.

     

     

    Andy

     

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 18, 2010
    OK, you're looking for either the CONNECT (If using HTTPS on webmail) or the GET/POST/whatever requests if using cleartext. YOu do something like (Completely untested, syntax may not be 100%... YMMV... ). 

    
if { ([HTTP::uri] contains "webamil.server.com") || ([HTTP::header host] equals "webmail.server.com") } {
  use pool webmail_pool
  return
} 

use pool proxy_pool
snat automap

    The basic logic is that we test for the webmail server being in the URI or the host header of the request (Some hosts don't use FQ URI's when talking to proxies apparently, so we test the URI and the host: header). If we have a match, then we use the webmail pool and just return.

    Otherwise we fall through to the default actions... Which is to use the proxy pool, and perform snat automap (Or whatever snat you want).

    The VS should NOT have SNAT enabled... The iRule will doit for you.

    H
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    May 19, 2010
    Thanks for the help Hamish... I've attempted to use the irule on the Performance L4 proxy_vip (Protocol TCP/FastL4 profile) but getting the following errors. 
    01070151:3: Rule [test] error: line 3: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::uri] line 3: [command is not valid in current event context (CLIENT_ACCEPTED)] [HTTP::header host]
    I'm using the code below which is exactly the same as what you suggested w/o the SNAT line. To be able to use any of the "HTTP::syntax", doesn't the vip have to be of type Performance (HTTP)??? Note that this is a proxy vip which is answering on TCP Port 3128. 
    when CLIENT_ACCEPTED  {

if { ([HTTP::uri] contains "webamil.server.com") || ([HTTP::header host] equals "webmail.server.com") } {
  use pool WEBMAIL_HTTP_POOL
  return
} 

use pool EDU_PROXY_POOL

}
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 20, 2010
    Sorry, the [HTTP::xx] commands are only available in the HTTP_ events... When CLIENT_ACCEPTED triggers, the only thing that has happened is the 3-way handshake... Move the HTP tests (For URI) out to the HTTP_REQUEST event, this event triggers after the client has sent their request (But before that request is sent to the server).

     

     

    You'll also have to have an HTTP profile attached. And because you're inspecting L7 traffic you'll lose the acceleration. But then you don't really have a choice unless you have the client do it for you...

     

     

    H
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    May 20, 2010
    Thanks for the explanation Hamish.

    One final question...How do I update the iRule so it matches on the following pattern: webmail.*.server.com. This is because schools connect to our

    webmail system using their own domain name - eg: http://webmail.school123.server.com

    I've tried various permutations to include the the regex to match only letters {^[A-Za-z]+$} within the iRule but keep getting errors. How do I place the

    regex wildcard into the iRule. 

    
if { ([HTTP::uri] contains "webamil.*.server.com") || ([HTTP::header host] equals "webmail.*.server.com") }

    Thanks.

    Andy

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    May 21, 2010
    Note sure you require the complexity of a regex... You could try a glob... e.g. 

    
if { [HTTP::uri] matches_glob "webmail.*.server.com"} ...

    You could also get fancy with DG's and specific pools for specific domains if you really wanted.

    Depending on performance, you may also want to investigate whether a pre filter on starts_with "webmail" might help as well (To avoid using the glob match if the URL is something other than webmail.*.server.com. This however depends on whether starts_with is a lot quicker than the glob is tries to avoid for every hit...

    H
  • hc_andy_35682's avatar
    hc_andy_35682
    Icon for Nimbostratus rankNimbostratus
    May 23, 2010
    Hi Hamish,

     

     

    Thanks for the config. I've got a working config now based on matching the URL as seen below. 
    when HTTP_REQUEST {

if {  [HTTP::header host] matches_glob "webmail.*.server.com" } {
  persist source_addr 255.255.255.255 240
  use pool WEBMAIL_HTTP_POOL
  return
} 

use pool VMTEST_PROXY_POOL
}
    This works great and it does exactly what I want and I see the source address hitting the webmail_pool as being that of the school's IP address. I wanted to improve on this and was wondering if you could make it match on destination IP address instead. You see all of the schools have a CNAME for their webmail.*.server.com that resolves to say 10.10.10.10.

     

     

    Could I match on the destination IP address of 10.10.10.10 and redirect that to the webmail_pool??? I've tried the code below and it works BUT the source address that hits the webmail_pool is that of the real proxy server instead of the school's IP address which is not what I want to happen. 
    when HTTP_REQUEST {

if { [IP::addr [IP::local_addr] equals 10.10.10.10] } {
  persist source_addr 255.255.255.255 240
  use pool WEBMAIL_HTTP_POOL
  return
} 

use pool VMTEST_PROXY_POOL
}
    I want it to persist based on the school's ip address which was possible when matching using the HTTP:xx code. Why doesn't it do the same when I change it to match on destination IP and keep the source IP as that of the school's IP address??? Is this just a limitation of the IP:xx code or do I need to modify the code in some way. Appreciate any further guidance. Thanks. Andy
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    May 25, 2010
    Nice thread guys. Gave me an idea for a tech tip on command efficiencies:

     

     

    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084375/Investigating-Efficiencies-in-iRules-Handling-Wildcards-in-Hostnames.aspx