keith_varga_107
Jun 07, 2012 Nimbostratus
irule for http vs https requests
DevCentral Team,
Here is our current iRule:

when HTTP_REQUEST {
    HTTP::header insert "X_CLIENT_IP" [IP::client_addr]
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    if { [string tolower [HTTP::uri]] contains "/pmcserver/checkforwork" } {
        pool pm2_qa_web
        return
    } elseif { [string tolower [HTTP::uri]] contains "pmcserver" } {
        pool pm2_qa_pmcserver
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/partner" } {
        pool pm2_qa_soap
        return
    } else {
        pool pm2_qa_web
        return
    }
}

The developers were asking for the following additional requirements:
1. Reject http://www.ourProduct.com:80/api/*. Returns HTTP status 403?
2. Route https://www.ourProduct.com:443/api/* to a pool for serverA using port 80.
The intention of the rules is to ensure that nothing going to /api is ever sent via HTTP, we want everything via HTTPS. Ideally the client can't open a connection, but they are not sure that is possible.
We have two F5 virtual servers, one for http and one for https. Since the iRule is set at the virtual server level, I could not find a way to do this without two separate iRules. For example, using two iRules (one for each VS) is what I came up with just below. However, I was wondering if there was a more elegant way to perhaps combine these into one rule.
Thanks much,
Keith Varga
Proposed http F5 virtual server iRule:

when HTTP_REQUEST {
    HTTP::header insert "X_CLIENT_IP" [IP::client_addr]
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    if { [string tolower [HTTP::uri]] contains "/pmcserver/checkforwork" } {
        pool pm2_qa_web
        return
    } elseif { [string tolower [HTTP::uri]] contains "pmcserver" } {
        pool pm2_qa_pmcserver
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/partner" } {
        pool pm2_qa_soap
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/api" } {
        reject
        HTTP::respond 403 content "api requires https"
    } else {
        pool pm2_qa_web
        return
    }
}

Proposed https F5 virtual server iRule:

when HTTP_REQUEST {
    HTTP::header insert "X_CLIENT_IP" [IP::client_addr]
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    if { [string tolower [HTTP::uri]] contains "/pmcserver/checkforwork" } {
        pool pm2_qa_web
        return
    } elseif { [string tolower [HTTP::uri]] contains "pmcserver" } {
        pool pm2_qa_pmcserver
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/partner" } {
        pool pm2_qa_soap
        return
    } elseif { [string tolower [HTTP::uri]] starts_with "/api" } {
        pool pm2_qa_api
        return
    } else {
        pool pm2_qa_web
        return
    }
}
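
One way to fold the two proposed rules into a single iRule attached to both virtual servers, shown as an added example that is not part of the original post. It assumes the HTTP virtual server listens on port 80 and the HTTPS one on 443, that the members of pm2_qa_api are defined on port 80, and it makes two choices the post does not: client-supplied copies of the two headers are removed before inserting, and /api is tested first.

```tcl
when HTTP_REQUEST {
    # Remove any client-supplied copies first, so back ends only see the
    # address the BIG-IP observed (a choice added in this example).
    HTTP::header remove "X_CLIENT_IP"
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X_CLIENT_IP" [IP::client_addr]
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]

    set uri [string tolower [HTTP::uri]]

    # /api is tested before the "contains" matches so that an /api request
    # whose URI also contains "pmcserver" (for example in the query string)
    # cannot be routed to a pool before the HTTPS check runs.
    if { $uri starts_with "/api" } {
        if { [TCP::local_port] == 443 } {
            # Arrived on the HTTPS virtual server: send to the API pool.
            pool pm2_qa_api
        } else {
            # Arrived on the HTTP virtual server: answer with 403 and do
            # not select a pool.
            HTTP::respond 403 content "api requires https"
        }
        return
    }

    # Remaining routing, in the same order as the original rule.
    switch -glob -- $uri {
        "*/pmcserver/checkforwork*" { pool pm2_qa_web }
        "*pmcserver*"               { pool pm2_qa_pmcserver }
        "/partner*"                 { pool pm2_qa_soap }
        default                     { pool pm2_qa_web }
    }
}
```

A 403 on the HTTP virtual server is sent only after the client has already transmitted the request in cleartext, so API credentials in that request are exposed on the wire even though the request is refused.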