Forum Discussion

Dan_Howard
Jun 03, 2019

iRule to select different access profile based upon host header?

As the title states, I am looking for an iRule to select a different access profile based upon the host header. In our current environment we configure VIPs with a specific access profile using SAML (BIG-IP as SP), export the metadata to a passport server, and use a SAML header insert iRule to pass the EPPN or whatever along to the web servers. This works fine, but we end up having to burn multiple VIPs for sites on the same server pairs. I am using an iRule for non-SAML sites to direct to different ports on the same server pair based on the host header (i.e. if the URL is stage.site.com go to the pool on port 8000, if dev.site.com go to the pool on port 8001, etc.) and was wondering if there was a way to do the same thing but select a different access profile as well.

2 Replies

  • You can only apply one access profile per virtual server, so you will have to use layered virtual servers.

    For example, have one Virtual Server act as a broker, then use an iRule to select the virtual server with the associated access policy based on the required host header.

    This can be done using a simple switch statement, but it does need multiple Virtual Servers.

    when HTTP_REQUEST {
        # Hand the connection to the virtual server that carries the
        # access profile for this host (match is case-insensitive)
        switch [string tolower [HTTP::host]] {
            "www.site1.com" {
                virtual site1_vs
            }
            "www.site2.com" {
                virtual site2_vs
            }
            "www.site3.com" {
                virtual site3_vs
            }
        }
    }
    • Stanislas_Piro2

      I agree with layered virtual servers...

      But routing based on an HTTP event requires an SSL profile assigned to the front virtual server...

      APM can require an SSL profile assigned to the 2nd virtual server:

      • client cert authentication
      • multi domain sso
      • ...

      So to make it work, you can use layered virtual servers based on the TLS SNI extension, which is the same value as the HTTP host header in a real browser connection.

      Look at this article:

      https://devcentral.f5.com/s/articles/sni-routing-with-big-ip-31348
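As an added illustration (not code from this thread or from the linked article, and written in Python rather than iRule Tcl so it runs stand-alone), the snippet below builds a constructed ClientHello and pulls the SNI host name out of it the way a front-end virtual server must before any client-ssl profile is involved, then maps that name onto the same virtual-server names used in the first reply; the site map and the ClientHello layout are assumptions for the example.

```python
import struct

# Constructed host -> virtual-server map, mirroring the switch in the first reply
SITE_MAP = {"www.site1.com": "site1_vs", "www.site2.com": "site2_vs", "www.site3.com": "site3_vs"}

def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record whose only extension is SNI (test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host                 # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + bytes(32)                                            # version + random
            + b"\x00"                                                          # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                               # one cipher suite
            + b"\x01\x00"                                                      # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the lower-cased SNI host from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:       # not a handshake record / ClientHello
            return None
        pos = 9 + 2 + 32                                 # headers, client version, random
        pos += 1 + record[pos]                           # session id
        cs_len, = struct.unpack_from("!H", record, pos); pos += 2 + cs_len
        pos += 1 + record[pos]                           # compression methods
        ext_len, = struct.unpack_from("!H", record, pos); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:                            # walk type/length/value extensions
            ext_type, length = struct.unpack_from("!HH", record, pos); pos += 4
            if ext_type == 0:                            # server_name
                list_len, name_type, name_len = struct.unpack_from("!HBH", record, pos)
                if name_type != 0 or name_len > list_len - 3:
                    return None
                return record[pos + 5:pos + 5 + name_len].decode("ascii").lower()
            pos += length
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def select_virtual(record):
    """Choose the backend virtual server as the broker VS would; None means no match."""
    sni = extract_sni(record)
    return SITE_MAP.get(sni) if sni else None
```

Unknown hosts and non-TLS traffic (a plaintext HTTP request, a truncated record) yield None, which is the case a broker iRule has to handle explicitly rather than forwarding blindly.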