BenJ
May 14, 2015

LTM Policy Combining ASM and Forwarding - Not Working

Hi all,

I've combined two LTM policies that were both attached to a single VS. One just used Forwarding and the other effectively a "send all to ASM" default policy. Both policies are fairly simple as far as I'm concerned, but the combined policy (below) doesn't seem to work fully.

The last test I did, everything appeared to be OK, except for the "redirect-to-home" bit. It's supposed to ensure that if you enter the FQDN of the app and nothing else you get redirected to There are two ways in which this didn't work: 1) I just ended up with a blank page, which was not and 2) if I entered I would get redirected to

I tried each of the strategies, but all resulted in the same behaviour. I'm sure it's going to be something incredibly simple that I've overlooked - perhaps in disabling ASM in the redirect section? - but I can't seem to figure it out. I'm hoping someone can see an obvious error as I'm unable to re-apply this policy to the VS at the moment because the app is used quite heavily.

Thanks for any help.

Cheers, Ben.

ltm policy policy-asm-someapp-uat-3 {
    controls { asm forwarding }
    requires { http }
    rules {
        default {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asm-someapp-uat
                }
            }
            ordinal 3
        }
        poolselect-by-host-value {
            actions {
                0 {
                    forward
                    select
                    pool someappcaas-444.uat.somecorp.com
                }
                1 {
                    asm
                    enable
                    policy /Common/asm-someapp-uat
                }
            }
            conditions {
                0 {
                    http-host
                    host
                    values { someappcaas.uat.somecorp.com someapp.online.ecom.abc }
                }
            }
            ordinal 2
        }
        redirect-to-home {
            actions {
                0 {
                    asm
                    disable
                }
                1 {
                    http-reply
                    response
                    redirect
                    location https://[HTTP::host]/home
                }
            }
            conditions {
                0 {
                    http-uri
                    values { / }
                }
            }
            ordinal 1
        }
    }
    strategy best-match
}

4 Replies

  • 1) I just ended up with a blank page, which was not

    It seems HTTP::host returns null.

     configuration
    
    root@(B4200-R77-S7)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 200.200.200.114:80
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            policy-asm-someapp-uat-3 { }
        }
        pool foo
        profiles {
            http { }
            tcp { }
            websecurity { }
        }
        security-log-profiles {
            "Log illegal requests"
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 2
    }
    root@(B4200-R77-S7)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm policy policy-asm-someapp-uat-3
    ltm policy policy-asm-someapp-uat-3 {
        controls { asm forwarding }
        requires { http }
        rules {
            default {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/bar
                    }
                }
                ordinal 3
            }
            poolselect-by-host-value {
                actions {
                    0 {
                        forward
                        select
                        pool foo
                    }
                    1 {
                        asm
                        enable
                        policy /Common/bar
                    }
                }
                conditions {
                    0 {
                        http-host
                        host
                        values { someappcaas.uat.somecorp.com someapp.online.ecom.abc }
                    }
                }
                ordinal 2
            }
            redirect-to-home {
                actions {
                    0 {
                        asm
                        disable
                    }
                    1 {
                        http-reply
                        response
                        redirect
                        location https://[HTTP::host]/home
                    }
                }
                conditions {
                    0 {
                        http-uri
                        values { / }
                    }
                }
                ordinal 1
            }
        }
        strategy best-match
    }
    
     test
    
    [root@B4200-R77-S7:Active:Standalone] config  curl -I http://172.28.24.10/ -H "Host: test.com"
    HTTP/1.0 302 Found
    Location: https:///home
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    

    2) if I entered I would get redirected to

    I think this one is not redirected by local traffic policies (because you use equals in the policy's condition).

  • Thanks for the superfast answer! I have double-checked that the iRules attached to the same VS do absolutely nothing with redirects. They're only manipulating cookies and removing unwanted headers from responses.

     

    I'm a bit confused by the HTTP::host returning nothing as I'm certain that was working? However, that would explain the blank page as a response. Can you suggest what I could use in place of HTTP::host, given that the hostname in the request could be any one of three?

     

    Thanks again for the help.

     

  • Can you suggest what I could use in place of HTTP::host, given that the hostname in the request could be any one of three?

     

    I tried IP::local_addr (replaced HTTP::host with IP::local_addr) and it returned correctly. I am not sure whether it is a bug or HTTP:: is not supported in the location parameter. I did not find any known issue in the knowledge base. If you want, you can also open a support case to verify.

     

  • Ah! I think it should be:

    https://[getfield [HTTP::host]]/home

    Found this on DevCentral: https://devcentral.f5.com/questions/creating-a-redirect-with-local-traffic-policies-v114

    I haven't yet had a chance to try it. Pulling the host name from the original request is important because this VS will answer for three separate URLs (e.g. someapp.somecorp.com, someapp.internal.abc, someapp.somecorp.local) and the LTM Policy needs to redirect to an appropriate pool based on the Host value.

    I think I had used the "getfield [...]" option before, but for some reason thought I could get away with just using the HTTP::host portion, as used to work in HTTP Classes.
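
A check for the redirect behaviour discussed in this thread, as an added example that is not code from any of the posters: it parses a redirect response such as the `curl -I` output in the first reply and reports when the `Location` host is empty, is not one of the three hostnames named in the last reply, or differs from the requested host. The function names, the finding labels and the `REFLECTED` and `GOOD` sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames the last reply says the virtual server answers for.
ALLOWED_HOSTS = {"someapp.somecorp.com", "someapp.internal.abc",
                 "someapp.somecorp.local"}

# Response head from the curl test in the first reply.
EMPTY_HOST = """HTTP/1.0 302 Found
Location: https:///home
Server: BigIP
Connection: Keep-Alive
Content-Length: 0
"""
# Constructed samples: a reflected, unexpected Host and a correct redirect.
REFLECTED = "HTTP/1.0 302 Found\nLocation: https://test.com/home\n"
GOOD = "HTTP/1.0 302 Found\nLocation: https://someapp.internal.abc/home\n"


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw, request_host, allowed=ALLOWED_HOSTS, path="/home"):
    """Return finding labels for a redirect response; [] means it is as intended."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308):
        return ["not-a-redirect"]
    loc = urlsplit(headers.get("location", ""))
    host = (loc.hostname or "").lower()
    findings = []
    if loc.scheme != "https":
        findings.append("bad-scheme")
    if not host:
        findings.append("empty-host")        # e.g. https:///home
    elif host not in allowed:
        findings.append("host-not-allowed")  # Host header reflected as-is
    elif host != request_host.lower():
        findings.append("host-mismatch")
    if loc.path != path:
        findings.append("bad-path")
    return findings
```

Because the redirect rule matches on the URI only, a request with any Host value reaches it, which is why the check compares the `Location` host against a fixed list rather than trusting the request.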