Bill_95597
Jan 29, 2013

Capture client IP and redirect to virtual website - no SSL profile

I am moving all certificates off the LTM3900. This eliminates the use of ssl and http profiles. I have iRules that currently use http_request to get ip and replace http header.

Now I can use CLIENT ACCEPT to get the ip. I cannot replace anything in the HTTP Header as that will require http profiles. I can redirect to a web site but CLIENT ACCEPT and HTTP: Redirect don't work together. I also need to pass the client ip to the webserver. I cannot use x-forward. Any help here is appreciated.

I'm looking at something simple like this: This is just a sample of what I am trying to accomplish. If there is a better way, please let me know.

    when CLIENT_ACCEPTED {
        # Clients listed in the ipaddresses class are redirected
        if { [matchclass [IP::client_addr] equals $::ipaddresses] } {
            HTTP::redirect https://www.website.com
            log "Selected Site www.website.com"
        } else {
            # Everyone else is sent to the pool
            pool Test_Apps
            log "Selected pool is Test_Apps"
        }
    }

4 Replies

  • Without a HTTP profile you simply can't meet your requirements I'm afraid. Is there a particular reason you don't want any?
  • It is my understanding that HTTP profiles require SSL profiles, which require SSL certificates. The main objective in the project I am managing is to remove the SSL certificates from the LTM 3900. I did have a case open with support and received an email; here is a part of what was stated: "set the http profile. To do that you need SSL Profiles". With that info I moved on to research this without http profiles.

  • Here's a TCP-only iRule to do redirection:

    
    when RULE_INIT {
        # Redirect target and the pool used for all other clients
        set static::REDIRSITE "http://www.f5.com"
        set static::LOCALPOOL "local-pool"
    }
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals my_ip_group] } {
            log local0. "IP match: redirect"
            # No HTTP profile: write the 302 response straight onto the TCP connection
            TCP::respond "HTTP/1.0 302 Found\r\nServer: BIG-IP\r\nConnection: Close\r\nContent-Length: 0\r\nLocation: $static::REDIRSITE\r\n\r\n"
        } else {
            log local0. "No IP match: local pool"
            pool $static::LOCALPOOL
        }
    }
    

    That said, as Steve relays, if you're not terminating the SSL on the BIG-IP then you're not going to see any of the clear text traffic anyway. If your HTTP traffic is encrypted, then to use an HTTP profile (and HTTP iRule) you would indeed need an SSL profile applied to the virtual server. And if you wanted to see the clear text traffic for the above TCP iRule, you would still need an SSL profile. In fact if you want to do anything at all with iRules, you need to be able to see the requests and responses, which would require an SSL profile if the traffic is encrypted.

  • Hadn't seen Kevin's post when I wrote this;

    Fair point. They don't unless SSL/TLS is involved, which it is here, so sorry for missing that. Unless you terminate the SSL on the BIG-IP, it can't deal with the HTTP within.

    So, your situation is even worse. You can't do the HTTP::redirect in the iRule unless you have both HTTP and SSL profiles assigned to the VS. Is the site you wish to redirect to under your control?

    BTW, the other part looks fine.
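
The limit raised in the replies, that a raw 302 written at the TCP layer is only readable when the client is speaking clear-text HTTP, shown as an added Python example (not code from any poster in this thread). The 192.0.2.0/24 group standing in for `my_ip_group`, both byte samples, and the function names are constructed for illustration.

```python
import ipaddress
import struct

REDIRECT_SITE = "http://www.f5.com"                 # same target as the TCP-only iRule
IP_GROUP = [ipaddress.ip_network("192.0.2.0/24")]   # constructed stand-in for my_ip_group
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

# Constructed samples of the first bytes a client sends after the TCP handshake.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: www.website.com\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("1603010200010001fc0303") + b"\x00" * 32  # ClientHello prefix


def build_redirect(location):
    """Raw 302 response, the same bytes the TCP::respond string puts on the wire."""
    return ("HTTP/1.0 302 Found\r\nServer: BIG-IP\r\nConnection: Close\r\n"
            "Content-Length: 0\r\nLocation: %s\r\n\r\n" % location).encode("ascii")


def classify_first_bytes(data):
    """Return 'tls', 'http' or 'unknown' for the client's first bytes."""
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        # TLS record header: type 22 (handshake), version 3.x, plausible length.
        if ctype == 0x16 and major == 0x03 and minor <= 0x04 and 0 < length <= 16384:
            return "tls"
    request_line = data.split(b"\r\n", 1)[0]
    if request_line.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in request_line:
        return "http"
    return "unknown"


def decide(client_ip, first_bytes):
    """Mirror the iRule's branch, then check whether the client could read the 302."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in IP_GROUP):
        return ("pool", None)
    if classify_first_bytes(first_bytes) == "tls":
        # The client is waiting for a ServerHello; clear-text HTTP fails its handshake.
        return ("redirect-unreadable", None)
    return ("redirect", build_redirect(REDIRECT_SITE))
```
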