brad_scherer_11
Apr 26, 2006

443 to 7678

Hi everybody. Recently I have been working with the v.9 BIG-IPs quite frequently and have just started delving into the wonderful if not slightly complex world of iRules. I have read through a lot of the posts and done some searching, but I still cannot find a good example of what I am trying to do.

I am by no means experienced with iRules, but more than willing to learn and contribute as I go. I have done a few http to https redirects with minimal effort, but now I have one that I can't seem to figure out.

We have a virtual server that terminates SSL connections on 443. We want to redirect them to a virtual server (same IP) on 7678 and then of course a pool with members listening on 7678.

Can I just direct them to the pool listening on 7678 or do I redirect to the virtual server?

This rule is probably nowhere close and does not even load correctly, but I think this is close to what I want to do:

_______________________________________________

This will redirect from 443 to 7678
when HTTP_REQUEST {
if { [TCP::local_port equals 443] }
redirect to ([TCP::local_port:7678]}
}

_______________________________________________

This is the error when I try to load it:

I would spend more time troubleshooting the error log if I knew I was on the right track.

_______________________________________________

01070151:3: Rule [SMART-SSL-Redirect] error:
line 3: [wrong args] [TCP::local_port equals 443]
line 3: [missing a script after "if"] []
line 4: [undefined procedure: TCP::local_port:7678] [TCP::local_port:7678]
line 5: [command is not valid in the current scope] [}]

_______________________________________________

Any help would be greatly appreciated.

Thanks,

Brad

4 Replies

  • unRuleY_95363
    Historic F5 Account
    You should be able to simply use the pool with the pool members listening on 7678. The BIGIP will automatically take care of translating to that port (unless you specifically disabled port translation on the virtual). You don't even need an iRule for this task.

  • Were you a version 4 user previously? Your question reminded me of my confusion in transitioning... In v4, you had to do the redirection to another virtual, in v9, utilizing the clientssl profile eliminates that redirection. If you are needing http and https, you can create two virtuals, ip:80 and ip:443, utilizing a single pool for both and creating a clientssl profile for the ip:443 virtual. Or, you can create a wildcard virtual ip:0, and write a rule to do the rest:

    
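    when CLIENT_ACCEPTED {
      if { [TCP::local_port] == "80" } {
        # Plain HTTP: skip client-side SSL processing for this connection
        SSL::disable
        pool myPool
      } elseif { [TCP::local_port] == "443" } {
        # HTTPS: the clientssl profile terminates SSL before load balancing
        pool myPool
      } else {
        # Any other port on the wildcard virtual is dropped
        discard
      }
    }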

    Note that you will need to have a valid clientssl profile configured on the virtual server.
  • citizen_elah you are correct about coming from 4.X. That is exactly where my confusion lies. I am migrating 8 sets of 4x into a set of 6400's (production) and 4 sets of 4x to a set of 3400's (testlab).

    citizen_elah thanks for the info. So as I understand, the implementation would be,

    443 vip
    clientssl profile (which I already have working)
    pool for the servers on 7678.

    No iRule is necessary in this case right? Your rule is implemented if I want to allow port 80 or 443 without having a redirect. In this case the business requirement is for all 443 to the F5 with no redirect then 7678 to the server on the backend. They may want a redirect in the future but not yet.

    Thanks
  • Not yet, but hopefully soon??

    Feel free to contact me directly if you have any questions.
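
Added example, not part of the thread and not any participant's code: a form of the rule from the question that parses, with comments mapping each change to a line of the error log. It assumes a client-facing redirect to a virtual server on 7678 is actually wanted (the replies point out that a pool on 7678 needs no iRule); stripping the port from the Host header is also an assumption of this sketch.

```tcl
# Added example. Assumes a virtual server on the same address listens on 7678.
when HTTP_REQUEST {
    # "wrong args": square brackets run a command, so they wrap only
    # TCP::local_port; the comparison goes outside the brackets.
    # "missing a script after if": the opening "{" of the body must
    # follow the condition on the same line.
    if { [TCP::local_port] == 443 } {
        # "undefined procedure: TCP::local_port:7678": the port cannot be
        # appended to a command name. The redirect is sent with
        # HTTP::redirect and a full URL.
        # Host is client-supplied; drop any ":port" it carries, or use a
        # fixed hostname here if the site has one.
        set host [getfield [HTTP::host] ":" 1]
        HTTP::redirect "https://${host}:7678[HTTP::uri]"
    }
    # "command is not valid in the current scope [}]": with the braces
    # above balanced, the closing brace below ends the event block.
}
```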