iRule rewrite | URL hiding

Different Protocol ( https vs. http)

this is done on the 1st f5 by assigning clientssl profile to virtual server. clientside will be https but serverside will be http.

Different Hostname ( www.mysite.com vs. news.bizsite.com)

you can change hostname using HTTP::header replace on either the 1st f5 or 2nd f5.

HTTP::header

Different Port : 443 vs. 8080

this is translated by virtual server and pool configuration.

everything after the "/help/site1" is passed to the the target webserver.

similar to hostname, uri can be changed using HTTP::uri.

HTTP::uri

Users\Internet browser should only see "https://www.mysite.com/help/site1/..." and NOT the HTTP://news.bizsite.com:8080/ehelp/microsites

address in browser won't be changed unless there is redirection.

Different Protocol ( https vs. http)

this is done on the 1st f5 by assigning clientssl profile to virtual server. clientside will be https but serverside will be http.

Different Hostname ( www.mysite.com vs. news.bizsite.com)

you can change hostname using HTTP::header replace on either the 1st f5 or 2nd f5.

HTTP::header

Different Port : 443 vs. 8080

this is translated by virtual server and pool configuration.

everything after the "/help/site1" is passed to the the target webserver.

similar to hostname, uri can be changed using HTTP::uri.

HTTP::uri

Users\Internet browser should only see "https://www.mysite.com/help/site1/..." and NOT the HTTP://news.bizsite.com:8080/ehelp/microsites

address in browser won't be changed unless there is redirection.

e.g.

 1st f5

root@ve10(Active)(tmos) list ltm virtual firstvs
ltm virtual firstvs {
    destination 172.28.24.9:https
    ip-protocol tcp
    mask 255.255.255.255
    pool firstpool
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    rules {
        firstrule
    }
    snat automap
}
root@ve10(Active)(tmos) list ltm pool firstpool
ltm pool firstpool {
    members {
        172.28.24.10:webcache { }
    }
}
root@ve10(Active)(tmos) list ltm rule firstrule
ltm rule firstrule {
    when HTTP_REQUEST {
  if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } {
    HTTP::header replace Host "news.bizsite.com:8080"
    HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
  }
}
}

 2nd f5

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual secondvs
ltm virtual secondvs {
    destination 172.28.24.10:8080
    ip-protocol tcp
    mask 255.255.255.255
    pool secondpool
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 5
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool secondpool
ltm pool secondpool {
    members {
        200.200.200.101:8080 {
            address 200.200.200.101
        }
    }
}

this is trace.

 1st f5

[root@ve10:Active] config  ssldump -Aed -nni 0.0 -k /config/ssl/ssl.key/default.key port 8080 or port 443
New TCP connection 1: 172.28.24.1(49569) <-> 172.28.24.9(443)
1 1  1391838514.2509 (0.0391)  C>S SSLv2 compatible client hello
1 2  1391838514.2510 (0.0001)  S>CV3.1(81)  Handshake
1 3  1391838514.2510 (0.0000)  S>CV3.1(953)  Handshake
1 4  1391838514.2510 (0.0000)  S>CV3.1(4)  Handshake
1 5  1391838514.2538 (0.0027)  C>SV3.1(262)  Handshake
1 6  1391838514.2538 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 7  1391838514.2538 (0.0000)  C>SV3.1(36)  Handshake
1 8  1391838514.2734 (0.0195)  S>CV3.1(1)  ChangeCipherSpec
1 9  1391838514.2734 (0.0000)  S>CV3.1(36)  Handshake
1 10 1391838514.2747 (0.0013)  C>SV3.1(206)  application_data
    ---------------------------------------------------------------
    GET /help/site1/search.do?book=blah HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Accept: */*
    Host: www.mysite.com

    ---------------------------------------------------------------
New TCP connection 2: 172.28.24.15(49569) <-> 172.28.24.10(8080)
1391838514.2808 (0.0027)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080

---------------------------------------------------------------

 2nd f5

[root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 8080
New TCP connection 1: 172.28.24.15(49569) <-> 172.28.24.10(8080)
1391839588.3632 (0.0027)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080

---------------------------------------------------------------

New TCP connection 2: 200.200.200.14(49569) <-> 200.200.200.101(8080)
1391839588.3670 (0.0037)  C>S
---------------------------------------------------------------
GET /ehelp/microsites/search.do?book=blah HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*
Host: news.bizsite.com:8080

---------------------------------------------------------------

Hi Nitass,

I forgot to mention. We don't manage the secondary F5 and the FW above it, it's for a different business group, they just want to use our domain's SSL certificate but the webserver pool is on the secondary F5. Do we really need to do anything on the second F5 to make this work?

There are also existing virtual server using the "mysite.com" VIP and its SSL with a few iRules associated. Question: Do I create a separate Virtual server for this purpose and associate it's own iRule you provided above. However as I have mentioned, the pool is on the secondary F5 that we don't managed.

Thanks, Edward

they just want to use our domain's SSL certificate but the webserver pool is on the secondary F5.

traffic between the first and secondary f5 is http (not https), isn't it? so, ssl certificate is not used.

Do we really need to do anything on the second F5 to make this work?

i understand we can do all stuff on the first f5.

Do I create a separate Virtual server for this purpose and associate it's own iRule you provided above.

if virtual server ip is same, you have to modify the existing virtual server.

hope this helps.

when HTTP_REQUEST { if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } { HTTP::header replace Host "news.bizsite.com:8080" HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]] } }

So the the iRule above states that, when the 1st F5 sees the host "www.mysite.com" with a uri starting with "/help/site1/" and anything after it. It will pass the traffic to the 2nd F5 which has "news.bizsite.com:8080", the 2nd F5 will get the data/forms, etc to the pool on the 2nd F5 and return it to to the Internet user's browser. Correct for all?

I created the iRule and associated it with the existing Virtual Server for "www.mysite.com". I'm not sure the iRule above works though. When I check the SSL dump, I didn't see the IP of "news.bizsite.com:8080".

when the 1st F5 sees the host "www.mysite.com" with a uri starting with "/help/site1/" and anything after it. It will pass the traffic to the 2nd F5 which has "news.bizsite.com:8080", the 2nd F5 will get the data/forms, etc to the pool on the 2nd F5 and return it to to the Internet user's browser. Correct for all?

yes

I created the iRule and associated it with the existing Virtual Server for "www.mysite.com". I'm not sure the iRule above works though. When I check the SSL dump, I didn't see the IP of "news.bizsite.com:8080".

you may try to debug irule.

iRules 101 - 09 - Debugging by Joe Pruitt

Hi Nitass,

I appreciate your intention helping me learn. but I don't know how to put the logging. I have little coding background. The F5 is giving me an error and as I've mentioned I have little room for error as this is Prod. Can you help me put the logging properly?

when HTTP_REQUEST log local0. "Request:: [HTTP::host]" { if { [HTTP::host] eq "www.mysite.com" and log local0. "Request:: [HTTP::uri]" [HTTP::uri] starts_with "/help/site1/" } { log local0. "Request:: HTTP::header" HTTP::header replace Host "news.bizsite.com:8080" log local0. "Request:: HTTP::uri" HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]] } }

Dumb question: Do I need to put the iRule I created on top of the Irule list associated with the virtual server in order for it to be read by F5?

The F5 is giving me an error

can you try something like this?

e.g.

root@(ve11-8)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
  log local0. "BEFORE: client:[IP::client_addr]:[TCP::client_port] host:[HTTP::host] uri:[HTTP::uri]"
  if { [HTTP::host] eq "www.mysite.com" and [HTTP::uri] starts_with "/help/site1/" } {
    HTTP::header replace Host "news.bizsite.com:8080"
    HTTP::uri [string map {"/help/site1/" "/ehelp/microsites/"} [HTTP::uri]]
    log local0. "AFTER: client:[IP::client_addr]:[TCP::client_port] host:[HTTP::host] uri:[HTTP::uri]"
  }
}
}

Do I need to put the iRule I created on top of the Irule list associated with the virtual server in order for it to be read by F5?

Stacking iRules: A Modular Approach by Deb Allen

as I've mentioned I have little room for error as this is Prod.

i think it is better if you can test using trial or evaluation license before applying to production.

Trial Software Site