
JimT
Jan 13, 2018

Rewrite and forward to specific pool

Hi,

 

I have a question about rewriting and forwarding to a specific pool based on the URL accessed.

 

Setup:

 

One HTTPS VS, called VS1, with a client SSL profile using a certificate for the external site.

 

Two pools, called Pool1 and Pool2 with one member in each pool.

 

In Pool1, the member is configured with port 80 and in Pool2, the member is configured with port 8443

 

I have used rewrite profile and policies, which are attached to the VS1

 

External URLs:

 

ExURL1: https://www.abc.com

 

ExURL2: https://www.abc.com/test

 

Internal URLs:

 

IntURL1: http://internal.abc.com/site1

 

IntURL2: https://internal.abc.com:8443/site2

 

Scenario:

 

Client connects to ExURL1, BIG-IP rewrites url to IntURL1 and forwards to Pool1. Then the client connects to ExURL2, BIG-IP rewrites url to IntURL2 and forwards to Pool2.

 

Question:

 

How can this be achieved, since IntURL2 uses SSL and no server SSL profile is attached to the VS?

 

Hope someone can point me in the right direction.

 

5 Replies

  • iRule sample

    // config
    
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl-insecure-compatible {
                context serverside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 19
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool
    ltm pool pool1 {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    ltm pool pool2 {
        members {
            200.200.200.111:8443 {
                address 200.200.200.111
            }
        }
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
    # Routes requests by URI: "/" goes in clear text to pool1 (member on port 80),
    # "/test/*" goes over server-side TLS to pool2 (member on port 8443).
    # NOTE(review): the VS pairs this rule with the serverssl-insecure-compatible
    # profile; confirm whether the 8443 backend's certificate should be verified.
    when RULE_INIT {
      # Backend host name written into the Host header once a member is chosen.
      set static::internalhost "internal.abc.com"
    }
    when HTTP_REQUEST {
      # Comments must stay inside the arm bodies: Tcl treats text between
      # switch arms as additional patterns.
      switch -glob [HTTP::uri] {
        "/" {
          # Matches exactly "/" only; any longer path falls through to default.
          HTTP::uri "/site1"
          # pool1's member is plain HTTP, so turn the server-side SSL profile
          # off for this connection (test1 shows clear-text HEAD /site1 on port 80).
          SSL::disable serverside
          pool pool1
        }
        "/test/*" {
          # Swap the /test/ prefix for /site2/ and keep server-side SSL enabled
          # for the 8443 member (test2 shows HEAD /site2/hello decrypted on 8443).
          HTTP::uri [string map {/test/ /site2/} [HTTP::uri]]
          pool pool2
        }
        default {
           # Placeholder from the post; as written this rule selects no pool for
           # any other URI. Replace with the intended handling before use.
           do something
        }
      }
    }
    when HTTP_REQUEST_RELEASE {
      # Set Host after pool selection so the port follows the chosen member
      # (the captures show internal.abc.com:80 and internal.abc.com:8443).
      HTTP::host "${static::internalhost}:[LB::server port]"
    }
    }
    
    // test1
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80 or port 443 or port 8443 -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 172.28.24.1(33808) <-> 172.28.24.10(443)
    ...snipped...
    1 10 1515902215.1724 (0.0035)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD / HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    New TCP connection 2: 200.200.200.14(24713) <-> 200.200.200.101(80)
    1515902215.1743 (0.0015)  C>S
    ---------------------------------------------------------------
    HEAD /site1 HTTP/1.1
    User-Agent: curl/7.29.0
    Accept: */*
    Host: internal.abc.com:80
    
    ---------------------------------------------------------------
    
    // test2
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/test2.cap -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 172.28.24.1(33824) <-> 172.28.24.10(443)
    ...snipped...
    1 10 1515902715.2350 (0.0007)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD /test/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/test2.cap -k /var/tmp/localhost.key
    New TCP connection 2: 200.200.200.14(43637) <-> 200.200.200.111(8443)
    ...snipped...
    2 10 1515902715.2410 (0.0006)  C>SV3.1(128)  application_data
        ---------------------------------------------------------------
        HEAD /site2/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: internal.abc.com:8443
    
        ---------------------------------------------------------------
    
  • Here is a local traffic policy (CPM) sample. By the way, I did not use a rewrite profile.

    // config
    
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            testpolicy1 { }
        }
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl-insecure-compatible {
                context serverside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 19
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool
    ltm pool pool1 {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    ltm pool pool2 {
        members {
            200.200.200.111:8443 {
                address 200.200.200.111
            }
        }
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm policy testpolicy1
    ltm policy testpolicy1 {
        controls { forwarding server-ssl }
        last-modified 2018-01-14:12:24:45
        requires { http }
        rules {
            testsite1 {
                actions {
                    0 {
                        server-ssl
                        disable
                    }
                    1 {
                        http-uri
                        replace
                        value /site1
                    }
                    2 {
                        http-host
                        replace
                        value internal.abc.com
                    }
                    3 {
                        forward
                        select
                        pool pool1
                    }
                }
                conditions {
                    0 {
                        http-uri
                        values { / }
                    }
                }
            }
            testsite2 {
                actions {
                    0 {
                        http-host
                        replace
                        value internal.abc.com:8443
                    }
                    1 {
                        http-uri
                        replace
                        value "tcl:[string map {/test/ /site2/} [HTTP::uri]]"
                    }
                    2 {
                        forward
                        select
                        pool pool2
                    }
                }
                conditions {
                    0 {
                        http-uri
                        starts-with
                        values { /test/ }
                    }
                }
                ordinal 1
            }
        }
        status published
        strategy first-match
    }
    
    // test1
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
    New TCP connection 2: 172.28.24.1(33842) <-> 172.28.24.10(443)
    ...snipped...
    2 10 1515904001.6202 (0.0006)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD / HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    New TCP connection 3: 200.200.200.14(3637) <-> 200.200.200.101(80)
    1515904001.6211 (0.0005)  C>S
    ---------------------------------------------------------------
    HEAD /site1 HTTP/1.1
    User-Agent: curl/7.29.0
    Accept: */*
    Host: internal.abc.com
    
    ---------------------------------------------------------------
    
    // test2
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/cpm2.cap -k /config/ssl/ssl.key/default.key
    New TCP connection 2: 172.28.24.1(33844) <-> 172.28.24.10(443)
    ...snipped...
    2 10 1515904108.0480 (0.0008)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD /test/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/cpm2.cap -k /var/tmp/localhost.key
    New TCP connection 3: 200.200.200.14(43617) <-> 200.200.200.111(8443)
    ...snipped...
    3 10 1515904108.0549 (0.0004)  C>SV3.1(128)  application_data
        ---------------------------------------------------------------
        HEAD /site2/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: internal.abc.com:8443
    
        ---------------------------------------------------------------
    
      JimT

      Thanks a lot nitass. I will try both of your answers.

       

  • Here is a local traffic policy (CPM) sample. By the way, I did not use a rewrite profile.

    // config
    
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            testpolicy1 { }
        }
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl-insecure-compatible {
                context serverside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
        vs-index 19
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool
    ltm pool pool1 {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    ltm pool pool2 {
        members {
            200.200.200.111:8443 {
                address 200.200.200.111
            }
        }
    }
    root@(ve13a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm policy testpolicy1
    ltm policy testpolicy1 {
        controls { forwarding server-ssl }
        last-modified 2018-01-14:12:24:45
        requires { http }
        rules {
            testsite1 {
                actions {
                    0 {
                        server-ssl
                        disable
                    }
                    1 {
                        http-uri
                        replace
                        value /site1
                    }
                    2 {
                        http-host
                        replace
                        value internal.abc.com
                    }
                    3 {
                        forward
                        select
                        pool pool1
                    }
                }
                conditions {
                    0 {
                        http-uri
                        values { / }
                    }
                }
            }
            testsite2 {
                actions {
                    0 {
                        http-host
                        replace
                        value internal.abc.com:8443
                    }
                    1 {
                        http-uri
                        replace
                        value "tcl:[string map {/test/ /site2/} [HTTP::uri]]"
                    }
                    2 {
                        forward
                        select
                        pool pool2
                    }
                }
                conditions {
                    0 {
                        http-uri
                        starts-with
                        values { /test/ }
                    }
                }
                ordinal 1
            }
        }
        status published
        strategy first-match
    }
    
    // test1
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nni 0.0 port 80 or port 443 -k /config/ssl/ssl.key/default.key
    New TCP connection 2: 172.28.24.1(33842) <-> 172.28.24.10(443)
    ...snipped...
    2 10 1515904001.6202 (0.0006)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD / HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    New TCP connection 3: 200.200.200.14(3637) <-> 200.200.200.101(80)
    1515904001.6211 (0.0005)  C>S
    ---------------------------------------------------------------
    HEAD /site1 HTTP/1.1
    User-Agent: curl/7.29.0
    Accept: */*
    Host: internal.abc.com
    
    ---------------------------------------------------------------
    
    // test2
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/cpm2.cap -k /config/ssl/ssl.key/default.key
    New TCP connection 2: 172.28.24.1(33844) <-> 172.28.24.10(443)
    ...snipped...
    2 10 1515904108.0480 (0.0008)  C>SV3.3(128)  application_data
        ---------------------------------------------------------------
        HEAD /test/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: www.abc.com
    
        ---------------------------------------------------------------
    
    [root@ve13a:Active:In Sync] config  ssldump -Aed -nnr /var/tmp/cpm2.cap -k /var/tmp/localhost.key
    New TCP connection 3: 200.200.200.14(43617) <-> 200.200.200.111(8443)
    ...snipped...
    3 10 1515904108.0549 (0.0004)  C>SV3.1(128)  application_data
        ---------------------------------------------------------------
        HEAD /site2/hello HTTP/1.1
        User-Agent: curl/7.29.0
        Accept: */*
        Host: internal.abc.com:8443
    
        ---------------------------------------------------------------
    
      JimT

      Thanks a lot nitass. I will try both of your answers.