Forum Discussion

rafaelbn's avatar
rafaelbn
Icon for Cirrostratus rankCirrostratus
Sep 04, 2020

LTM HTTP virtual-server with policy matching URI path and cookie intertion

Hello Devs!

 

How are you all doing? Hopefully everyone is safe in this crazy times!

 

I'm trying to wrap my head around policies and matching strategies.

 

Here's is what I'm trying to achieve:

1- A vitual-server that serves HTTP content. It's just one IP on port 80.

2- Client connects to the VIP and depending of the URI path, I have to direct to a different pool, like, if path contains /app1, forward to pool1. If path contains /app2, forward to pool2. There almost 50 paths.

3- Just 1 of these paths needs persistence with cookie insert. All others do not need it.

4- If no path is matched, forward to a default pool.

 

The virtual-server has the default TCP profile and the default HTTP profile and a cookie insert profile (because of item n3). No SNAT is in place. No iRules are in place. Just a plain old vip on port 80 with the default HTTP profile.

 

My first policy was like this. I trimmed it down a bit.

 

 

 

To my surprise, both rules 2 and 3 (site2 and catch all) were generating cookies. After some further testing I concluded that since the persistence profile is applied to the virtual-server, everything defaults to it.

 

This is not optimal because in this example it's only site1 and site2. But in production there are tons of paths and virtual-servers. Going inside each rule and negating persistence seems impractical.

 

Reasearched a little further and found that the all-match strategy should solve this scenario for me. I quote: "Note: In an all-match strategy, when multiple rules match, but specify conflicting actions, only the action of the best-match rule is implemented. A best-match rule can be the lowest ordinal, the highest priority, or the first rule that matches in the Rules list." Ref: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/local-traffic-policies-getting-started-12-1-0/1.html

 

To me, that reads in human like: If more than one rule matches and they conflict, BIG-IP will use the first rule that matches.

 

With that in mind, I generated this second policy as follows:

 

 

 

This time, the end result was as follows:

A- Navigating to /site1, cookie was applied and forwarded to the correct pool

B- Going to /site2 did not apply the cookie BUT I was sent to the default pool

C- Navigating to anything else I was sent to the default pool and no cookie was inserted.

 

 

Any ideias on how to achieve this configuration? I would prefer to NOT use an iRule. If anybody got a really good documentation on policies I would love to read.

 

Running version 15.1.0.4

 

Thanks, Rafael.