Forum Discussion

Latchezar_Dimov's avatar
Latchezar_Dimov
Icon for Nimbostratus rankNimbostratus
Nov 28, 2018

iRule to forward https://x.x.com/backdoor to a specific node (requests ending with /backdoor only).

Hello mates,

 

I am literally new with the iRules in F5. I have red few similar questions and I had a look of provided iRules by that community, but honestly.. I am totally lost in codding and I am not sure that I can produce the iRule exactly needed to me, just looking at 5 other similar iRules.

 

What we have:

 

VIP operating on 443 (lets call it VS_test) Pool assigned to it (called pool_test) having two members 1.1.1.1 and 1.1.1.2 on port 9002.

 

The URL they are accessing is https://test.dimov.com/backdoor

 

So, when they access https://test.dimov.com/backdoor (with that /backdoor at the end) traffic should go to node 1.1.1.1 only. For the other traffic there might be two options (this is still not clarified).

 

1 All other traffic to go to ndoe 1.1.1.2 or 2 to be load balanced between both.

But requests including /backdoor at the end should go to 1.1.1.1 only!

 

We don't have any SSL Profile (client) or (server) so according to my understanding we don't really terminate the SSL on the F5. VIP is on 443 -> no SSL profiles -> nodes listening on 9002 -> I conclude that there is no offloading, but it is only assumption.

 

So possible iRules:

 

1 -> /backdoor hits 1.1.1.1, all other traffic is load balanced between both 2 -> /backdoor hits 1.1.1.1, all other traffic hits 1.1.1.2 3 -> /backdoor hits 1.1.1.1, all other traffic is load balanced between both 4 -> /backdoor hits 1.1.1.1, all other traffic hits 1.1.1.2 1

when HTTP_REQUEST {; if { [HTTP::uri] ends_with "/backdoor" } { node 1.1.1.1 9002 } else { pool pool_test } }

 

2

when HTTP_REQUEST {; if { [HTTP::uri] ends_with "/backdoor" } { node 1.1.1.1 9002 } else { node 1.1.1.2 9002 } }

 

3

when HTTP_REQUEST { switch -gob [string tolower [HTTP::uri]] { "/backdoor" { node 1.1.1.1 9002 } default { pool pool_test } } }

 

4

when HTTP_REQUEST { switch -gob [string tolower [HTTP::uri]] { "/backdoor" { node 1.1.1.1 9002 } default { node 1.1.1. 9002 } } }

 

Are those iRules even close to the "reality"? Also if I am right that we dont terminate the SSL on the F5 (because we dont have applied any SSL profile to client side, will it work? Or we should put a certificate so it will terminate the session?)

 

Cheers,

 

Best regards, Latcho

 

application delivery
iRules
LTM

1 Reply

Sort By
  • crodriguez's avatar
    crodriguez
    Ret. Employee
    Nov 28, 2018

    You cannot examine the HTTP payload on encrypted traffic unless you terminate SSL on the BIG-IP system on the client-side connection. (You can re-encrypt the traffic on the server-side.) So you'll need a client SSL profile no matter what. If you need to re-encrypt on the back end (which it sounds like you do), you'll need a server SSL profile, too, along with the appropriate certs and keys installed on the BIG-IP system.

    Your iRules are pretty close, with a couple of typos and suggestions. First of all, I see no difference between your requirements for options 1 and 3, and same for options 2 and 4. They cover the same thing just using IF vs SWITCH. These examples assume a single pool named "pool_test" with two members - 1.1.1.1:9002 and 1.1.1.2:9002.

    For /backdoor to 1.1.1.1:9002 and all other traffic to both members:

    when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test
    }
}

    For /backdoor to 1.1.1.1:9002 and all others to 1.1.1.2:9002:

    when HTTP_REQUEST {
    if { [HTTP::uri] ends_with "/backdoor" } {
        pool pool_test member 1.1.1.1 9002
    } else {
        pool pool_test member 1.1.1.2 9002
    }
}

    Given that there are only two conditions, an IF statement will probably perform better than a SWITCH. You can also consider which request will be more common - with "/backdoor" in the URI or without. If without, then switch the conditional statement to check for "not /backdoor" first for better performance. For example, for most traffic is NOT /backdoor and should load balance to both pool members:

    when HTTP_REQUEST {
    if { ![[HTTP::uri] ends_with "/backdoor"] } {
        pool pool_test
    } else {
        pool pool_test member 1.1.1.2 9002
    }
}

    You can also do this with a local traffic policy but a slightly different pool configuration. You need two pools instead of just one because you cannot select a specific pool member from a local traffic policy, just a pool. So, for the /backdoor to 1.1.1.1:9002 and all other to both members, pool_test1 contains just 1.1.1.1:9002 and pool_test2 contains both pool members. The local traffic policy would be coded similar to this (using the GUI):

    Policy Name: select_backdoor_pool

    Strategy: Execute the first matching rule

    Rule 1: select_backdoor_pool_rule

    Match all of the following conditions:

    HTTP URI path ends with any of /backdoor at request time

Do the following when the traffic is matched:

    Forward traffic to pool pool_test1 at request time

    Rule 2: select_all_other_traffic_pool_rule

    Match all of the following conditions:

    All traffic

Do the following when the traffic is matched:

    Forward traffic to pool pool_test2 at request time

    For this policy to work, it's important that you order the rule that checks for /backdoor first. To cover the other requirement where all other traffic load balances to 1.1.1.2:9002, just change pool_test2 to have that single member in it - same policy.