Mali47_261353
Apr 28, 2016

uri forwarding to a pool on an SSL Virtual server

Setup 2 Virtual Servers - one on port 80 redirects to https virtual server, clientssl is applied on this virtual server, http profile.

Redirect anything starting with /abc to pool mypool - iRule applied on the HTTPS virtual server; this virtual server also has oneconnect applied:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/abc" } {
            pool mypool
        }
    }

I'm having an issue where if I specify the full path https://domain.com/abc directly from the web browser, it does not redirect to the pool mypool; this only happens when the virtual server is HTTPS. However, if I do enter the root website https://domain.com first and establish the SSL, I can then enter https://domain.com/abc so long as the web browser is open. If I do close the web browser and re-type the full path https://domain.com/abc again, /abc is not redirected to pool mypool. Basically everything works fine with the exception that I am unable to access https://mydomain.com/abc directly unless I first connect to https://mydomain.com

15 Replies

  • Hi Mali,

    How does the rest of your configuration look? I mean, do you have a default pool assigned to your VS? Because when you access the page without URI, the iRule has nothing to match, but you are still reaching the webserver correctly.

    And why do you need to specify the URI "/abc" differently from all the rest? Can you please provide some more background information or explain in more detail what your requirements are?

    Thank you!

    Ciao Stefan :)

  • Hi Mali,

    I don't think it's related to SSL, because the SSL handshake already happens before the HTTP_REQUEST event. Otherwise access to the default pool wouldn't work either.

    When you are doing SSL offload, this means you only have a clientSSL profile assigned, but no serverSSL, right?

    And your default pool, as well as the pool referred to in the iRule (starts_with "/abc"), both have members defined with port 80 (or at least any other non-default HTTP-based port)?

    Did you already check the logs to see if there are any errors when executing the iRule?

    Can you please share the config from your SSL VS and the two pools (from conf-file or via tmsh-command)?

    Ciao Stefan :)

  • Maybe try this...

    when HTTP_REQUEST {
        if { not ([HTTP::uri] starts_with "/abc") } {
            pool normalpool
        } else {
            pool abcpool
        }
    }

    • Mali47_261353
      Hi Ekaleido, this doesn't work and does not even allow me to hit the default pool. My original config allows me to hit the default pool, and afterwards, once I access the page, I'm also able to hit the 2nd pool if using HTTP or HTTPS. The problem I have is when using an HTTPS VS and I try to hit https://domain.com/abc: on the first try it doesn't work; it only works when I first access https://domain.com and then I am able to access https://domain.com/abc. I think the best way to test this is to set up using the config I posted above. Thanks.
    • ekaleido_26616
      Odd. I'm using that iRule, with slight modifications (I use /api instead of /abc and my pools are obviously not named "normalpool" and "abcpool") and it runs a production VIP for me today. What code version is your LTM running?
    • Mali47_261353
      I'm running BIG-IP 11.5.3 Build 2.10.196 Engineering Hotfix HF2. Are you running SSL on your VS?
  • Hi Mali,

    I would try to sniff next, to see what happened on network level. In case you are not using SNAT just filter on your source IP. Otherwise use the -p option to dump on "peer" flows:

    tcpdump -ni 0.0:nnnp -s 0 host client-ip -w /var/tmp/traffic_from_client.cap
    
    Note: Above capture takes advantage of new tcpdump flag "-p" that captures peer sides of the connection which
    is useful when traffic is snatted on the serverside. It requires a little workaround to reset/clear the filter
    internally (running a different capture without the -p flag that won't match original filter)
    
    tcpdump -ni 0.0:nnn -s 0 port 1
    
    Type Ctrl-C to stop the capture immediately after it started.

    Ciao Stefan 🙂

  • You mean the connection will be correctly established to a server in your abc-pool? And the GET request will correctly be sent to this server? And what is the response of this server? I mean, if it's not working I would expect that either the connection is not correctly established (network issue) or the GET request is not handled correctly (application issue).

    As you are doing SSL offload you should be able to verify/read the HTTP requests towards the server. Sure there isn't something wrong?

    Ciao Stefan :)


  • Hi Mali,

    You didn't answer my last question. When you open a fresh browser and try to connect directly towards https://domain.com/abc it's not working. But what do you see in the sniffer for this first request?

    • Do you see a successful TCP handshake with the abc-pool server?
    • Do you see the GET request going out towards this server?
    • Do you see the response for this GET request coming back from this server?

    And what is the result/error in your browser? I guess a connection timeout or something else?


    Ciao Stefan :)
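
Added example, not posted by any participant in this thread: the iRule from the original question with logging added, so the checks asked for above (was the rule evaluated for the first request, which pool member was selected, did a response come back) can be read from /var/log/ltm next to the packet capture. The pool name mypool comes from the question; the log message wording is made up for this example, and the rule logs `HTTP::path` rather than the full URI so query strings are not written to the log.

```tcl
when HTTP_REQUEST {
    # Keep the path for the later events on this connection
    set req_path [HTTP::path]

    if { [HTTP::uri] starts_with "/abc" } {
        pool mypool
        log local0. "client=[IP::client_addr] host=[HTTP::host] path=$req_path -> pool mypool"
    } else {
        # No pool command here: the virtual server's default pool is used
        log local0. "client=[IP::client_addr] host=[HTTP::host] path=$req_path -> default pool"
    }
}

when LB_SELECTED {
    # Fires once a pool member has been picked for the request
    log local0. "client=[IP::client_addr] selected pool=[LB::server pool] member=[LB::server addr]:[LB::server port]"
}

when LB_FAILED {
    # Fires when no pool member could be selected or reached
    log local0. "client=[IP::client_addr] load balancing failed for path=$req_path"
}

when HTTP_RESPONSE {
    # Confirms that the selected server answered, and with which status
    log local0. "path=$req_path status=[HTTP::status] server=[IP::server_addr]"
}
```

If the first request to /abc from a fresh browser produces no HTTP_REQUEST log line at all, the request never reached the iRule on this virtual server; remove the logging once the test is done, since it writes several lines per request.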