Forum Discussion

mikeshermanit_2's avatar
mikeshermanit_2
Icon for Nimbostratus rankNimbostratus
Aug 30, 2016

How to use iRules to switch between pools?

My Goal:

 

Add an iRule to switch the pool to PoolDevCCELegacy if the URL includes:

 

/svc/CCEUserMonitor.asp

 

I have two virtual servers sharing the same IP but with different service prots.

 

1) Virtual Server (DevCCE) is using service port 80 and is using a pool called "PoolDevCCELegacy" 2) Virtual Server (DevCCEHttps) is using service port 443 and is using a pool called "PoolDevCCE"

 

My iRule: when HTTP_REQUEST { if { [HTTP::uri] contains "/svc/CCEUserMonitor.asp" } { pool PoolDevCCELegacy } else { log local0. "Failure on iRule for [HTTP::uri]" } }

 

But what's happening when I navigate to the https://virtual server/svc/cceUserMonitor.asp I'm getting "redirected you too many times"

 

The irule is only being applied to the DevCCEHttps

 

Any help would be much appreciated.

 

7 Replies

    • Are you terminating SSL on the F5 for VS:443 ?
    • What ports are the pools configured to listen ?
    • Can you execute a curl command post the output for the relevant uri ?

    If the iRule is attached only to VS:443 and you want the traffic to go to the pool for VS:80, you can try to redirect but then again, it depends on other configurations like the one on the server:

    when HTTP_REQUEST { 
    if { [HTTP::uri] contains "/svc/CCEUserMonitor.asp" } {
    HTTP::respond 301 Location "http://virtual server/svc/cceUserMonitor.asp"
    }
    }
    
  • Actually using Oddah's sugggested code it actually does what I want it to. (Thanks!)

     

    when HTTP_REQUEST { if { [HTTP::uri] contains "/svc/CCEUserMonitor.asp" } { HTTP::respond 301 Location "http://virtual server/svc/cceUserMonitor.asp" } }

     

    If I want to add more contains "blah blah blah.blah" to this how would I code it like after .asp I want to add another if statement.

     

    For example:

     

    when HTTP_REQUEST { if { [HTTP::uri] contains "/svc/CCEUserMonitor.asp" } { HTTP::respond 301 Location "http://virtual server/svc/cceUserMonitor.asp" if { [HTTP::uri] contains "/svc/blahblahblah.asp" } { HTTP::respond 301 Location "http://virtual server/svc/cceUserMonitor.asp" } } }

     

    Can I just add if statement after if statement? Sorry I just have zero programing experience.

     

    Thanks guys!

     

    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus

      If you want to redirect anything that starts with /svc:

      when HTTP_REQUEST { 
      if { [HTTP::uri] starts_with "/svc/" } { 
      HTTP::respond 301 Location "http://virtual server/svc/cceUserMonitor.asp" 
      }
      }
      
  • Hi guys,

     

    Thanks for your replies on this topic but I've actually run into another hurdle. Forgive me for not explaining this very well as I'm new to F5 and LoadBalancing in general.

     

    What the Dev's are asking for which I'm not even sure is possible is the following:

     

    1) Two Virtual Servers that share the same IP 2) Both need to be able to "pass" SSL traffic to back end Servers running IIS (It's the same site name on both IIS configurations but on different physical servers, because one is designed in .net Core and the other one isn't.) 3) They want to pass only certain SSL content to one VS and other SSL content to another based on what the uri ends with. For example (/svc/test.asp)

     

    Based on those requirements, I decided to setup the Virtual Servers so that both share the same IP but one is using Service Port 80 and the other is Service Port 443, because of course it errors if I try to make them the same service port.

     

    The Virtual Server that is using Service Port 443 has an SSL profile and I'm terminating the cert on the F5. The pool assigned to it is called PoolDevCCEhttps and only has one member.

     

    The Virtual Server that is using Service Port 80 has it's SSL certificate terminating on the IIS webserver. The pool assigned to it is called PoolDevCCE and only has one member.

     

    On the Virtual Server that is using Service Port 443 I've added the following iRule to its resources. Hoping that when I try access the site using https that the F5 would send the traffic to the pool (PoolDevCCE):

     

    when HTTP_REQUEST { switch -glob [string tolower [HTTP::uri]] { "/svc/CCEUserMonitor.asp" { pool PoolDevCCE } } }

     

    Results of this config:

     

    1) When I navigate to the site using https it goes to pool PoolDevCCEhttps (works as expected) 2) When I navigate to the site using http it goes to pool PoolDevCCE (works as expected) 3) When I navigate to the site using https including /svc/CCEUserMonitor.asp I'm getting a blank white screen and it appears to be using pool PoolDevCCEhttps because I see the cert I terminated on the F5.

     

    See the problem that I have is that if this is how they want it to work in production I don't think the 301 is an option being that both servers have the same site name??

     

    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus

      You don't need 2 VS.

      You need 1 VS listening on port 443 with SSL terminated on the F5.

      You need 2 pools - one for .net and another for non-.net

      Use an iRule like this:

      when HTTP_REQUEST {
      if { [HTTP::uri] eq "" } {
      pool POOL_FOR_DOTNET
      } else {
      pool POOL_FOR_NOT-DOTNET
      }
      }
      
    • mikeshermanit_2's avatar
      mikeshermanit_2
      Icon for Nimbostratus rankNimbostratus

      That strategy seems a lot more logical.

       

      So I've made the changes.

       

      I'm running on VS listening on 443 with SSL terminated on the F5

       

      2 Pool are setup as you suggested

       

      iRule is setup like you suggested

       

      Results:

       

      1) If I go to the VS in my browser via http it cannot reach the site (probably cause it's only listening on 443). I wonder if there's a way to modify the irule to turn http requests into https?

       

      2) If I go to the VS in my browser via https it goes to the correct back end (works great!)

       

      3) If I add /svc/CCEUserMonitor.asp (So I go to page loads all white page.

       

    • Vijay_E's avatar
      Vijay_E
      Icon for Cirrus rankCirrus
      1. The design is for HTTPS and not HTTP. You can create VS:80 and redirect everything to HTTPS, if that is what you want.

         

      2. Good.

         

      3. Looks to be working ? If not, use CURL to see if the traffic is being sent to the server by checking the response.