Forum Discussion

Chris_Admas_391
Jun 29, 2006

Simple http redirect according to port

I'm sure you've already answered this; if so, sorry.

How would I write an iRule for the following situation?

I have http traffic http://www.domain.com to vs 1 (http) and two physical servers in a pool 10.10.1.10:80 and 10.10.1.11:80.

How do I route ssl traffic for https://secure.domain.com (443) to vs 2 (ssl with cert and chain cert installed on this vs so no ssl to servers) to the same two physical servers in a different pool 10.10.1.20:80 and 10.10.1.21:80?

I'm using the same external self IP 10.1.1.2 with both DNS records pointing to it. On the two physical servers I'm using the two different IPs for each server with the corresponding website assigned to them.

I'm wondering if I'm making any sense. Thanks for your response.

-Chris

3 Replies

  • Hi Chris,

    Could you clarify the scenario?

    This is what I'm gathering about the scenario:

    You have two FQDNs that DNS points to the same IP address (a virtual address on the BIG-IP).

    http://www.domain.com -> VIP1 1.1.1.1:80 -> pool of two HTTP web servers (10.10.1.10:80 and 10.10.1.11:80)

    https://secure.domain.com -> VIP2 1.1.1.1:443 -> pool of two HTTP web servers (10.10.1.20:80 and 10.10.1.21:80)

    What relation do you want between the two VIPs? As it is, you could configure these pools and VIPs without using iRules.

    Aaron
  • Yes, that's pretty much correct.

    I don't really need a relationship between the two VIPs. I'm assuming I could have set up another virtual address on the BIG-IP and point the DNS there and do everything independent from each other.

    But every time I talked to F5 support they said I should do it with an iRule. If that is the case I'm sorry, because I understand this is a strictly iRule forum.

    Is the second virtual address for the BIG-IP the better way to go or should I still try an iRule?

    Can I add a second virtual address to the BIG-IP?

    Also I only have 2 physical web servers total. They belong to two different pools (to clarify, it sounded confusing when I reread what I wrote).

    Thanks
  • Chris,

    If the requests for www.domain.com are always port 80 and requests for secure.domain.com are always going to come in on 443, then you should not need a rule if you set it up as hoolio described. The port definition on each VIP will process the traffic to the correct pool (understand that 10.1.1.2:80 and 10.1.1.2:443 are separate VIPs even though they have the same IP, and so they may be assigned to separate pools).

    If you are concerned that requests for secure.domain.com are going to come in port 80, then you may address that with an iRule to perform a redirect.

    You would apply the rule to the port 80 VIP, something like this (syntax not validated):


    when HTTP_REQUEST {
      if { [HTTP::host] equals "secure.domain.com" } {
        HTTP::redirect https://secure.domain.com
      } else {
        pool pool_1
      }
    }

    Actually, if pool_1 is the default you don't even really need the else statement; if the "if" doesn't fire, the rule will just fall out to the default pool on the port 80 VIP.

    Hope that helps,

    Denny
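
A variant of the port 80 redirect rule discussed in this thread, as an added example that is not part of any poster's reply and has not been tested on a BIG-IP. It assumes a permanent (301) redirect is wanted and that the path and query string should be kept; the hostname is the one from the thread.

```tcl
# Added example, not code from the thread. Attach to the port 80 virtual server.
when HTTP_REQUEST {
    # The Host header can arrive in any letter case and may carry a port
    # ("Secure.Domain.com:80"), so normalize it before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $host equals "secure.domain.com" } {
        # Keep the requested path and query string, but only when the
        # request target is in origin form (starts with "/"); anything
        # else is replaced so the Location value stays well formed.
        set uri [HTTP::uri]
        if { !($uri starts_with "/") } {
            set uri "/"
        }

        # Build the Location from a fixed hostname instead of echoing the
        # client-supplied Host header back into the response.
        HTTP::respond 301 Location "https://secure.domain.com$uri"
        return
    }

    # Any other host falls through to the default pool of this virtual server.
}
```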