Forum Discussion

fxn-f5-bot_3543
Feb 27, 2019

iRule or policies based redirection based on HTTPS username behind a GTM

Hi, I am looking into a requirement to redirect a client's traffic to a particular VIP/pool based on the client's username. The requirement is to have this feature for services running behind a GTM wide-ip. GTM wide-ip being a DNS function, I am not sure if an iRule inspecting the HTTPS username will work for a GTM DNS function. So maybe the GTM should be allowed to do its job by redirecting traffic to a particular LTM. Once the request goes to the LTM, then introduce an iRule or policy to redirect traffic to a pool or VIP based on username. Something similar to "https://devcentral.f5.com/questions/irule-to-redirect-based-on-client-username?lc=1".

 

The GTM is active/passive with 2 DCs in scope and a web based application. I am looking for help with the following:

1. Should this be an iRule or policy based approach?
2. Should the iRule be applied on the GTM or LTM feature?
3. If there are other HTTPS redirection based iRules on the LTM, should this new iRule go after the existing HTTPS redirection one or after?

 

Regards RM

 

2 Replies

  • The F5 GTMs are never going to see the HTTPS request, so it is not possible for any selection to take place on the DNS side.

    A better option would be to forward to an LTM Virtual Server and make the selection there to forward to a select pool or another Virtual Server. You can do this with an iRule or a Traffic Policy.

    Create a data group named userToPoolMappingDG and populate it with usernames and associated pool names (make sure they are valid pool names; they can include the full path if required, e.g. /production/BobsPool), and you can use the following iRule to do the pool selection:

    when CLIENT_ACCEPTED {
        set default_pool [LB::server pool]
    }
    
    when HTTP_REQUEST {
    
        if {[HTTP::username] ne ""}{
            set pool_name [class match -value [HTTP::username] equals userToPoolMappingDG]
    
            if {($pool_name ne "") && ([active_members $pool_name] > 0)}{
                pool $pool_name
                return
            }
        }
        pool $default_pool
    }
    

    This iRule can be changed if needed to allow multiple matches by using the starts_with, contains or ends_with operator in the class match command.

  • It can be done on LTM, not GTM. You can use an iRule or an LTM policy. If you have more iRules on the VS, the order of the iRules is important in terms of which one is applied first. The iRule is like:

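    when HTTP_REQUEST {
        # Select the pool from the "username" query-string parameter.
        # user1..user6 and the pool names are placeholders.
        switch -glob [URI::query [HTTP::uri] username] {
            "user1" -
            "user2" -
            "user3" {
                pool pool123
            }
            "user4" -
            "user5" -
            "user6" {
                # This group needs names that differ from the first group;
                # a repeated name only ever matches the first arm.
                pool pool456
            }
        }
    }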
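
The data-group selection from the first reply, modelled in Python as an added example (not code from the thread or from F5). It shows that HTTP::username is the user part of the client-supplied Basic Authorization header, so the mapping only decides routing and authenticates nobody. The dictionaries are constructed stand-ins for userToPoolMappingDG and active_members, and the function names and the "default_pool" name are assumptions.

```python
import base64
import binascii

# Constructed sample data: stand-ins for the userToPoolMappingDG data group
# and for the member counts that active_members reports on the BIG-IP.
USER_TO_POOL = {"bob": "/production/BobsPool", "alice": "/production/AlicePool"}
ACTIVE_MEMBERS = {"/production/BobsPool": 2, "/production/AlicePool": 0, "default_pool": 3}


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_username(authorization):
    """Return the username from an 'Authorization: Basic ...' value, or ''."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return ""
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ""
    # Only the first colon separates user from password; this model treats a
    # value without any colon as carrying no username.
    username, sep, _ = decoded.partition(":")
    return username if sep else ""


def select_pool(authorization, default_pool="default_pool", operator="equals"):
    """Mirror the iRule: mapped pool if it has active members, else the default."""
    username = basic_auth_username(authorization)
    pool_name = ""
    for key, pool in USER_TO_POOL.items():
        matched = username == key if operator == "equals" else username.startswith(key)
        if username and matched:
            pool_name = pool
            break
    # Same guard as the iRule: never send traffic to a pool with no live members.
    if pool_name and ACTIVE_MEMBERS.get(pool_name, 0) > 0:
        return pool_name
    return default_pool
```

With starts_with, any username that begins with a data-group key is routed to that key's pool, so short keys widen the match considerably.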