Forum Discussion

don_23889
Aug 20, 2013

Inspect host header for pool member selection

Goal:

The customer wants to access the VIP and specifically target a given pool member for monitoring. My thought was to use a SAN cert with alternate names.

  • web.domain.com
  • web1.domain.com
  • web2.domain.com

When a user or application used a specific FQDN, the result would target a given pool member, using an iRule.

rule select_pool_web.domain.com_443 {
   when HTTP_REQUEST {
      # Host header decides whether to pin the request to one member
      if { [string tolower [HTTP::host]] starts_with "web1.domain.com" } {
         node 10.10.12.100 80
      } elseif { [string tolower [HTTP::host]] starts_with "web2.domain.com" } {
         node 10.10.12.101 80
      } else {
         # everything else is load balanced across the pool
         pool pl_web.domain.com_443
      }
   }
}

pool pl_web.domain.com_443 {
   lb method member predictive   
   monitor all mon_http
   members
      10.10.12.100:80
      10.10.12.101:80
}

virtual web.domain.com_80 {
   pool pl_web.domain.com_443
   destination 10.5.6.7:80
   ip protocol tcp
   httpclass class_http_https_redirect
   profiles
      http
      tcp
}

virtual web.domain.com_443 {
   pool pl_web.domain.com_443
   destination 10.5.6.7:443
   ip protocol tcp
   rules select_pool_web.domain.com_443
   profiles
      http
      tcp
      pro_ssl_web.domain.com_verisign_san
   persist per_web.domain.com_443
}

Two questions:

  1. Does this seem reasonable, or does anyone have a better approach?
  2. For the iRule "starts_with" -- do I need to include the FQDN, or would the host work as well, less "*.domain.com"?

3 Replies

  • I think this is a perfectly reasonable solution. You could maybe turn that if/else into a switch, but with only 2 choices and a default action it shouldn't matter.

    As for starts_with, you just have to provide enough of the beginning of the host name to make it unique.
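    Taking up the switch suggestion above, here is the same routing written as a switch-based iRule. This is an added example, not code from the original post or from F5; it reuses the node addresses and pool name given in the post and assumes the Host header may arrive with a port suffix (for example web1.domain.com:443), which is stripped before an exact, case-insensitive compare so that only the two listed names select a node.

```tcl
# Added example (not from the original post): host-header pool member
# selection as a switch instead of if/elseif, matching the name exactly.
when HTTP_REQUEST {
    # The Host header may carry a port (web1.domain.com:443). Keep only
    # the name part, lower-cased, so the compare below is exact and
    # case-insensitive. getfield splits on the delimiter and returns field 1.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "web1.domain.com" {
            # pin the request to the first member (address from the post)
            node 10.10.12.100 80
        }
        "web2.domain.com" {
            # pin the request to the second member (address from the post)
            node 10.10.12.101 80
        }
        default {
            # any other Host value, including names that merely begin with
            # web1.domain.com, goes through normal load balancing
            pool pl_web.domain.com_443
        }
    }
}
```

    Exact matching after the port strip answers the starts_with question differently: instead of choosing a prefix that is "unique enough", the rule only pins a node for the exact names the SAN certificate carries, and everything else falls through to the pool.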

  • I'd also add that unless you want everyone and their brother to hit the node-specific VIPs, you should perhaps consider some form of authentication mechanism to access those VIPs.

  • Thanks... The VIP is internal, and your suggestion will be forwarded.