Randy_Johnson_L
Jul 13, 2017

'HairPinning' on LTM ?

I have a case where I have a Virtual Server provisioned, and accessible from the world at 'https://company.com'.

Now we need other, 'internal' applications to be able to call to 'https://company.com/urihere'.

While I know I could create an 'internally facing' virtual server for this, then I'm faced with DNS challenges, or using host files.

Is there a better way to do this ?

6 Replies

  • Can you use an iRule to control who can access /urihere? Would seem to be the easiest way, given the information you've provided. There are cleaner ways, but this is a start...

    when HTTP_REQUEST {
      if { [HTTP::path] starts_with "/urihere" } {
        switch -glob [IP::client_addr] {
          "10.*" { return }
          "172.12.*" { return }
          "192.168.*" { return }
          default { discard }
        }
      }
    }
    
    • Randy_Johnson_L

      Thanks, ekaleido-- Not quite what I'm going for, as my internal webservers do not seem to be able to even reach 'themselves' through the externally facing VIP / hairpinning. However, these 'internal' webservers are able to ping and traceroute from the internal servers to the external company.com. However, when attempting to connect to https://company.com, I get a 'Connection Reset'.

    • ekaleido_26616

      Do you need to enable or disable SNAT AutoMap on the virtual server?
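
An added check, not part of the thread or of either poster's code: it replays the three glob arms of the iRule above against constructed client addresses and compares the verdicts with the RFC 1918 ranges, on the assumption that those ranges were the intended allow-list. Python's `fnmatch` stands in for Tcl's glob matching, which behaves the same for these patterns.

```python
import fnmatch
import ipaddress

# Patterns copied from the iRule's `switch -glob [IP::client_addr]` arms.
IRULE_GLOBS = ["10.*", "172.12.*", "192.168.*"]

# RFC 1918 private ranges (assumption: this is what the allow-list was meant to cover).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample client addresses, not taken from the thread.
SAMPLES = [
    "10.1.2.3",
    "192.168.10.20",
    "172.12.0.5",
    "172.16.4.4",
    "172.31.255.1",
    "172.32.0.1",
    "203.0.113.7",
]


def glob_allows(addr: str) -> bool:
    """True if the dotted-quad string matches one of the iRule's glob arms."""
    return any(fnmatch.fnmatchcase(addr, g) for g in IRULE_GLOBS)


def rfc1918_allows(addr: str) -> bool:
    """True if the address falls inside an RFC 1918 network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def disagreements(addrs):
    """Return (addr, glob_verdict, cidr_verdict) wherever the two checks differ."""
    out = []
    for a in addrs:
        g, c = glob_allows(a), rfc1918_allows(a)
        if g != c:
            out.append((a, g, c))
    return out


if __name__ == "__main__":
    for addr, g, c in disagreements(SAMPLES):
        print(f"{addr:15} glob_allows={g!s:5} rfc1918_allows={c}")
```

On BIG-IP, the CIDR form of the comparison is written as `IP::addr [IP::client_addr] equals 172.16.0.0/12`, which covers 172.16.0.0 through 172.31.255.255 in one test.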

       
