Forum Discussion

Chris_Phillips
Aug 22, 2006

Proxying or rewriting HTTP traffic

Hi,

I have a number of services within a third party network which run over HTTPS and am trying to look at the best way to handle these via virtual servers, and I'm sure the iRules are going to form the basis of whatever I end up doing, but am unsure of the ideal approach. As it's all HTTPS traffic and most of our connections are coming from WebSphere, we have the ability to either proxy or rewrite the traffic. Currently if we just forward the traffic using a standard virtual server we get errors that the remote service is not on the same IP address as the virtual server, so somehow the requests need to hit the remote server with the correct IP address for that server... so... how?

Running a sort of proxy seems attractive as then multiple services can be routed via a single virtual server. I am fairly sure that earlier this year I saw someone post an iRule which was a full basic HTTP proxy, but I am unable to track this down now.

A rewrite would be my first thought, but having not actually tried to do rewriting on the box yet I'm not sure what I'd actually need to rewrite...

Thoughts or advice most appreciated.

Cheers

Chris

1 Reply

  • Deb_Allen_18
    Historic F5 Account
    Hi Chris -

    I'm not sure you need an iRule at all...

    LTM is a full basic IP proxy. By default, if you configure a virtual server with a pool of real servers as its only resource, requests passing through the virtual server will have the destination address/port translated to the selected real server's address/port.

    For HTTPS traffic, you can apply a clientssl profile to the virtual server, which enables backend communication with the real servers via HTTP, offloading the crypto processing overhead to LTM.

    Some applications cause the client to embed the destination address elsewhere in the data stream, which proscribes proxying connections in this manner, but I've not run into WebSphere displaying that particular idiosyncrasy.

    A clearer description of how you need to modify or interact with the existing data stream would help determine whether an iRule is the solution here...

    HTH

    /deb