Christopher_131
Sep 15, 2008

Port forward SSH and leave regular http

I'm going insane trying to get rid of several virtual servers in favour of one iRule.

Firstly, I have a lot of servers/ports to direct to when there's an HTTP_REQUEST.

I have a "when HTTP_REQUEST" set up that seems to do nicely.

The ssh virtual server was forwarding from 2500 on the outside to 22 on the inside.

    when CLIENT_ACCEPTED {
        if { [ TCP::local_port serverside ] == 2500 } {
            node 172.16.1.33 22
        }
    }

If I put that before or after the "when HTTP_REQUEST" I lose connectivity to the entire website completely.

Since this isn't an HTTP request, where do I put it, and what's wrong with my syntax? The above is not the only valid syntax I've tried.

Any help would be much appreciated!

--Christopher

1 Reply

  • Using one VIP makes for less configuration, but it also leaves you with fewer and more complicated options if you want to manipulate the traffic. That said, this should be pretty simple to do. If you want to add an HTTP based event to a rule, you need to use an HTTP profile on the VIP. If you have non-HTTP traffic going through the VIP, you'd want to disable the profile for it. It looks like you can determine whether it's an HTTP request or not based on the port the client makes the request to. So something like this should work:

      
      when CLIENT_ACCEPTED {

         log local0. "[IP::client_addr]:[TCP::client_port]: new TCP connection to [IP::local_addr]:[TCP::local_port]"
         # Check the port the client requested
         switch [TCP::local_port] {
            "2500" {
               # Client request is SSH, use SSH node
               log local0. "[IP::client_addr]:[TCP::client_port]: SSH request. Using node and disabling HTTP"
               node 172.16.1.33 22

               # Disable HTTP profile
               HTTP::disable
            }
            "80" {
               # Client request is HTTP do nothing
               log local0. "[IP::client_addr]:[TCP::client_port]: HTTP request"
            }
            default {
               # Client request is to an undefined port, so drop the packets
               log local0. "[IP::client_addr]:[TCP::client_port]: undefined port. Dropping"
               drop
            }
         }
      }
      when HTTP_REQUEST {

         # This event will only be triggered if the HTTP profile is enabled
         # and the HTTP headers are parsed
         log local0. "[IP::client_addr]:[TCP::client_port]: new HTTP request to [HTTP::host][HTTP::uri]"
      }
      

    Aaron