
Data Groups



Hi All, 

 

I am here again, now stuck with a new issue during the migration from F5 to NetScaler. I can see some iRules / Data Groups created/configured on F5 (based on strings and IP addresses). What is the equivalent of a Data Group in NetScaler ADC?

 

Apart from these, I need help from you guys to convert some iRules to NetScaler policies (as they are probably not covered in the NetScaler iRule conversion guide). I'll share 3-4 sample iRules for conversion and need the kind help of this community.


Can you share an example of your F5 data group iRule to aid in "translation", and how you use the data group?

 

My thought is this will be similar to a stringmap in the ADC AppExpert advanced expressions... but there may be more to this than I can tell here. A stringmap is a hash table consisting of named value pairs. You can then use various expressions to invoke policies or configure actions based on these name=value pairs.

Such as mapping IPs to FQDNs for redirects, consolidating a lot of vanity path mappings to full path mappings for redirects, etc....

 

You can always ask for help with iRule conversions, but you may need to provide some examples of the iRule for someone to help with the associated ADC feature. Sometimes it helps to just get exposure to 1) the advanced policy expressions first and 2) which features on the ADC do different things. Part of the iRule conversion is mapped to policy expressions; the other part is figuring out which feature you need, such as content switching, responder, rewrite or something else.

 

For some policy stuff, my comments in this thread can give you a quick reference to policy syntax basics:

https://discussions.citrix.com/topic/409145-netscaler-policy-assistance/

The rest of the policy material is in the admin guide here: https://docs.citrix.com/en-us/citrix-adc/13/appexpert.html

 

An F5 to ADC conversion tool does exist (it may require you to contact an SE); not a lot of tech details, but here: https://www.citrix.com/blogs/2019/06/19/fast-track-your-move-from-f5-to-citrix-using-the-config-migration-tool/

 


Hi Rhonda, 

 

Sure, here is the Data Group Sample configuration.

 

This is the iRule :

 

when HTTP_REQUEST {
    # look up the lower-cased URI in the data group; the matching record's value is the pool name
    set app_pool [class match -value -- [string tolower [HTTP::uri]] starts_with services_red_to_class_8085]
    if {$app_pool ne ""} {
        pool $app_pool
    } else {
        return
    }
}

 

** services_red_to_class_8085 (highlighted in blue in the original) is the Data Group name

 

 

And here below is what has been configured under the services_red_to_class_8085 Data Group:

 

/aci      := app1_test_pool8080
/ipam     := app1_test_pool8081
/learning := app1_test_pool8082
/online   := app1_pool8080
/swap1    := app1_pool8081


*** The values on the right (highlighted in brown in the original) are the names of POOLS in F5 (Service Group Name or Server Name in NetScaler ADC).

 

I do understand that this is redirection to a specific pool based on the sub-link or "/" path.

 

Please help if you can create and share the NS ADC policy for this iRule/Data Group.

 

For NetScaler PS services, so far... we tried initially, but there were probably some challenges (not sure what they were). Anyway, at this moment we have migrated/configured the majority of the portion but are just stuck with iRules or some other strange or unknown things, which I usually query and sort out here in this forum.

 

Rgds

 


Ok - a service pool in F5 (if I recall correctly) is a group of destinations. So on the NetScaler this would be a load balancing vserver with a set of services (or service groups) behind it.

You would then use content switching to receive the traffic on one VIP, use a cs policy to identify the traffic by path, and the cs policy directs it to the lb vserver/services.

(NOTE: I know you are switching based on ports above... that would be handled differently... but this will start to illustrate the point. I'll do that next.)

 

Basic example:

# you can use services or servicegroups here; they represent the backend destinations for traffic
add service svc_appA_1 192.168.10.11 http 80
add service svc_appA_2 192.168.10.12 http 80
add service svc_appB_1 192.168.10.21 http 80
add service svc_appB_2 192.168.10.22 http 80

# create lb vservers; if these will only be used behind the cs vserver, they can be made non-addressable (no VIPs)
# For the NetScaler the lb vserver receives traffic on a specific vip:port and it is the distribution engine which contains the lb method and persistence (whereas I think F5 does that at the pool level)
# 0.0.0.0 0 = non-addressable, for this example; or give it a VIP/port such as 10.10.10.100 80
add lb vserver lb_vsrv_appA http 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
bind lb vserver lb_vsrv_appA svc_appA_1
bind lb vserver lb_vsrv_appA svc_appA_2

add lb vserver lb_vsrv_appB http 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
bind lb vserver lb_vsrv_appB svc_appB_1
bind lb vserver lb_vsrv_appB svc_appB_2

# create a cs vserver to receive traffic and then policies to sort to the lb tier
# VIP:PORT on the ADC to receive traffic
add cs vserver cs_vsrv_demo HTTP 10.10.10.100 80

# create cs policies to identify traffic of interest...
add cs action cs_act_appA -targetLBVserver lb_vsrv_appA
add cs policy cs_pol_toAppA -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/appA\")" -action cs_act_appA

add cs action cs_act_appB -targetLBVserver lb_vsrv_appB
add cs policy cs_pol_toAppB -rule "HTTP.REQ.URL.PATH.STARTSWITH(\"/appB\")" -action cs_act_appB

# lower priority number is evaluated first
bind cs vserver cs_vsrv_demo -policyName cs_pol_toAppA -priority 100
bind cs vserver cs_vsrv_demo -policyName cs_pol_toAppB -priority 200

 

===

So now your variation, if I understand your above example (if I'm not interpreting the scenario right, then ignore me):

Your user is making a request to a given vserver (on port 80?) and then, based on the path you see, you will REDIRECT them to a given port.

So the user goes to http://demo.company.com/<stuff>

And depending on which path you see, you want them to be sent to http://demo.company.com:<newport>

To redirect, you will use a RESPONDER policy (you can use several individual policies or a stringmap to allow multiple mappings) and include the port and VIP in the redirect destination.

Then you would need separate lb vservers on the specific port combinations.

If you don't need the user to see the port change, and instead have users come in on port 80 (or 443) to http://demo.company.com/<stuff> and you want to forward them based on their path to a specific port on the backend, without the user changing their client-side config, then a cs vserver example like the above would work, but you would create your various services behind the lb vservers on the respective ports.

If this isn't all considered web traffic, then you would create separate entry points, either cs vservers on a specific port on this VIP or lb vservers on a specific port, and separate vservers for each port.

 

Before we do either one, let's narrow down the scenario for you. (Or someone else can jump in.)

 

 

 

 

 


Hello All, 

 

As mentioned in the initial post... please find the iRules with their purpose, and help to convert them to NetScaler policies.

 

iRule #1 

 

# When the client sends an HTTP request
when HTTP_REQUEST {
    # save hostname for use in the response
    # Stores a variable with the FQDN hostname (and port when explicit) from the Host header of the client request.
    set fqdn_name [HTTP::host]
    # e.g.
    # HTTP request header
    #
    # GET /path/page?param=value HTTP/1.1
    # Host: www.mysite.com
    # User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
    # Accept: */*
    #
    # fqdn_name = www.mysite.com
}

# When the server responds to that HTTP request
when HTTP_RESPONSE {
    # Check if the server response is a redirection to another location
    # e.g.
    #
    # HTTP/1.1 302 Found
    # Location: /login
    # Connection: Keep-Alive
    # Content-Length: 0
    #
    if { [HTTP::is_redirect] } {
        # If the Location header starts with "/", you were implicitly redirected to a resource on the same FQDN and protocol.
        # e.g.
        # Location: /login (Implicit location http://www.mysite.com/login)
        # Location: http://www.mysite.com/login (Explicit location)
        if { [HTTP::header Location] starts_with "/" } {
            # Rewrite the Location header to redirect to the https protocol and the fqdn stored in the variable, plus the location address, before sending the response to the client
            HTTP::header replace Location "https://$fqdn_name[HTTP::header Location]"
            # e.g.
            # Location: /login - rewrite to - Location: https://www.mysite.com/login
        } else {
            # Else, rewrite/replace protocol http to https in that location
            HTTP::header replace Location "[string map {{http://} {https://}} [HTTP::header Location]]"
            # e.g.
            # Location: http://www.mysite.com/login - rewrite to - https://www.mysite.com/login
            # Location: https://www.mysite.com/login - nothing to match or do
        }
    }
}

 

 

++++++++++++++++++++++

 

iRule #2

 

# When the client is connected to the VS
when CLIENT_ACCEPTED {
    # Check that the client's IP matches a record within the data group whose name is stored in the static variable $::ins-prod-xyz_class
    if { [matchclass [IP::client_addr] equals $::ins-prod-xyz_class] } {
        # If so, do a source address translation with addresses within a snat pool
        snatpool xyz_prod_snatpool
    }
}

 

Here "ins-prod-xyz_class" is a data group, and "xyz_prod_snatpool" is a pool (Service Group/Servers in NetScaler).

 

+++++++++++++++++++++++

 

iRule #3

 

when HTTP_REQUEST {
    # look up the lower-cased URI in the data group; the matching record's value is the pool name
    set app_pool [class match -value -- [string tolower [HTTP::uri]] starts_with services_red_to_class_8085]
    if {$app_pool ne ""} {
        pool $app_pool
    } else {
        pool abc_uatpool1
    }
}

 

 

The rule is searching for a pool name based on the URI within the data group (services_red_to_class_8085); then, if found (not equal to empty), requests are sent to this pool name, otherwise return or send to a default pool.

 

 

It would be great if the reply preferably contains GUI steps for policy creation.


Hi All, 

 

Requesting all: if anyone can help me with the below iRule conversion to a NetScaler policy.

 

when HTTP_REQUEST {
    # look up the lower-cased URI in the data group; the matching record's value is the pool name
    set app_pool [class match -value -- [string tolower [HTTP::uri]] starts_with services_red_to_class_8085]
    if {$app_pool ne ""} {
        pool $app_pool
    } else {
        pool abc_testpool1
    }
}

 

Where "services_red_to_class_8085" is a Data Group in F5 containing strings for matching a Service Group. For e.g.: if a client hits a URL which contains "/aci" (e.g.: https://hello.com/aci) then the request should be forwarded to service group "app1_test_pool8080"; similarly, if a client hits a URL which contains "/online" (e.g.: https://hello.com/online) then the request should be forwarded to service group app1_pool8080; if there is no match then send to the default pool configured under the VS.

 

Point to note here: on a successful match, traffic is forwarded to the Service Group, not to the VS.

 

/aci      := app1_test_pool8080
/ipam     := app1_test_pool8081
/learning := app1_test_pool8082
/online   := app1_pool8080
/swap1    := app1_pool8081

 

The above rule is searching for a pool name based on the URI within the data group (services_red_to_class_8085); then, if found (not equal to empty), requests are sent to this pool name, otherwise return or send to a default pool.

 

I am not finding anything in responder policies or rewrite policies to define "/" string conditions.


I can't help with the irule in more detail until this weekend; but someone else might be able to get to you sooner.

 

A responder policy can redirect to some path "/newstring" as a relative url or an absolute url.

 

The trigger is based on whether URLs match a policy expression like:

http.req.url.set_text_mode(ignorecase).path.eq("/")

or

http.req.url.path.set_text_mode(ignorecase).starts_with("/somestring")

But since you are doing a port change, I think there are going to be a few more steps in here (like content switching).

This has a responder with ports examples (full responder command included):  https://discussions.citrix.com/topic/400899-netscaler-12-redirect-url-responderrewrite-policies/?ct=1592587211

 


Hi Rhonda, 

 

Thanks..!! I referred to the URL you shared. There are a few differences from my requirement.

Let me update this post and again try to clarify my requirement (in case of any confusion to anyone).

1- A Virtual Server for https://mysite.com is configured and bound with a Service Group (mysite_pool1). I am referring to this as the Default Service-Group of this virtual server here.

2- The end user hits the application with the URL https://mysite.com/learn (appending the string "/learn" to the URL). A NetScaler policy is required which checks, inspects or matches the "/< >" (here /learn) parameter and accordingly forwards the client to the respective ServiceGroup (other than the Default ServiceGroup mentioned above). For e.g.: to ServiceGroup mysite_learn_pool

3. Similarly, when the user tries to access the URL https://mysite.com/finance (URL appended with "/finance"), the same NetScaler policy should work for checking, inspecting and matching the hits with the client-provided "/< >" (here /finance) parameter and directing or forwarding to the respective ServiceGroup (other than the Default ServiceGroup). For e.g.: to ServiceGroup mysite_finance_pool

4. Similarly, when the end user hits the URL https://mysite.com/shopping (URL appended with "/shopping"), the same NetScaler policy should work for checking, inspecting and matching the hits with the client-provided "/< >" (here /shopping) parameter and directing or forwarding to the respective ServiceGroup (again, other than the Default ServiceGroup). For e.g.: to ServiceGroup mysite_shopping_pool

If the end user's hits do not match the defined criteria based on the "/< >" parameter, then the user should land on the Default Service Group, which is mysite_pool1, instead of being diverted to any other ServiceGroup.

All these ServiceGroups contain servers with different ports. E.g.:

SG mysite_pool1          - (10.10.10.1:8086, 10.10.10.2:8086)
SG mysite_learn_pool     - (10.10.10.1:8080, 10.10.10.2:8080)
SG mysite_finance_pool   - (10.10.10.1:8085, 10.10.10.2:8085)
SG mysite_shopping_pool  - (10.10.10.1:8090, 10.10.10.1:8090)

 


On 6/19/2020 at 1:03 PM, Sudhir Bhagat said:

Point to note here that on successful matching , traffic is forwarded to Service Group, not to VS.

 

/aci :=app1_test_pool8080
/ipam := app1_test_pool8081
/learning :=app1_test_pool8082
/online :=app1_pool8080
/swap1 := app1_pool8081

Sorry, I couldn't get back sooner (a lot of work stuff). 

 

What you're going to have to accept when mapping iRules to NetScaler features is that it's not always the exact same component.

This type of feature will be handled with traffic arriving at a cs vserver; cs policies will look at the URL for a match and then direct traffic to the appropriate "destination", which will be a non-addressable lb vserver with the services behind it. The lb vservers can point to different service (backend) destinations or to the same one.

Also, for the ADC the lb vserver is the load distribution engine, whereas services/service groups are just the backend destination.

Any traffic not matched by a policy can be directed to the cs vserver's default destination.

And if you have a lot of these, you can even use an expression to direct traffic to an lb vserver based on naming convention. But let's build the basics first.

Handling lb/cs/services on HTTPS:443. Note that because the lb vserver is non-addressable, the cs vserver is SSL and the service is SSL, but the lb vserver can be HTTP or SSL in this case.

 

#1 - Create servicegroup destinations and lb tiers; the load balancers will be non-addressable for this example (no VIPs; internal to the ADC only)
#    for demo purposes only the servicegroup member (destination) IPs for the first group are shown as an example; the rest can be added to their respective groups later...

# 1.1 - servicegroups, with backend destinations for each "group"; only server IPs for svcg_aci are shown for brevity
add serviceGroup svcg_aci SSL
bind serviceGroup svcg_aci 192.168.30.51 443
bind serviceGroup svcg_aci 192.168.30.52 443

add serviceGroup svcg_ipam SSL
add serviceGroup svcg_learning SSL
add serviceGroup svcg_online SSL
add serviceGroup svcg_swap1 SSL

add serviceGroup svcg_default_unmatched SSL

# 1.2 - Create lb vservers (non-addressable) and bind servicegroups for each "destination"; adjust lb methods / persistence based on app needs
add lb vserver lb_vs_aci HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
add lb vserver lb_vs_ipam HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
add lb vserver lb_vs_learning HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
add lb vserver lb_vs_online HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP
add lb vserver lb_vs_swap1 HTTP 0.0.0.0 0 -lbMethod LEASTCONNECTION -persistenceType SOURCEIP

add lb vserver lb_vs_default_unmatched HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

bind lb vserver lb_vs_aci svcg_aci
bind lb vserver lb_vs_ipam svcg_ipam
bind lb vserver lb_vs_learning svcg_learning
bind lb vserver lb_vs_online svcg_online
bind lb vserver lb_vs_swap1 svcg_swap1

bind lb vserver lb_vs_default_unmatched svcg_default_unmatched
 

# 2 - Create CS vservers and cs policies to sort traffic to lb tier

# 2.1     Replace <VIP1> with the vip for the cs vserver and replace the <certkey> with the certkey name....you'll have to create a certkey to represent your certificate to do ssl

#            default destination is bound to cs vserver; no condition it will be used last only if no cs policies hit occur

add cs vserver cs_vsrv_demoapp ssl <VIP1> 443
bind ssl vserver cs_vsrv_demoapp -certkeyname <certkeyname>

bind cs vserver cs_vsrv_demoapp -lbvserver lb_vs_default_unmatched

 

#2.2  - Create the cs policies to direct traffic to the lb vserver tier and set default destination if no policies bound

#          NOTE: There are multiple ways to do this cs policies with actions, expression based or policies only; I'm showing the first method to give you flexibility

#          For complex mapping a string map can be used. Just note there are lots of ways to do this.

#          CS policies identify traffic of interest in this case your path and will direct traffic to the appropriate lb vserver tier

add cs action cs_act_aci -targetLBVserver lb_vs_aci
add cs action cs_act_ipam -targetLBVserver lb_vs_ipam
add cs action cs_act_learning -targetLBVserver lb_vs_learning
add cs action cs_act_online -targetLBVserver lb_vs_online
add cs action cs_act_swap1 -targetLBVserver lb_vs_swap1

# NOTE: the actual policy expression can be based on path.eq("/aci"), path.startswith("/aci") or path.get(1).eq("aci")  just went with startswith to give you an idea

add cs policy cs_pol_aci -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/aci\")" -action cs_act_aci
add cs policy cs_pol_ipam -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/ipam\")" -action cs_act_ipam
add cs policy cs_pol_learning -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/learning\")" -action cs_act_learning
add cs policy cs_pol_online -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/online\")" -action cs_act_online
add cs policy cs_pol_swap1 -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/swap1\")" -action cs_act_swap1
 

bind cs vserver cs_vsrv_demoapp -policyName cs_pol_aci -priority 100
bind cs vserver cs_vsrv_demoapp -policyName cs_pol_ipam -priority 110
bind cs vserver cs_vsrv_demoapp -policyName cs_pol_learning -priority 120
bind cs vserver cs_vsrv_demoapp -policyName cs_pol_online -priority 130
bind cs vserver cs_vsrv_demoapp -policyName cs_pol_swap1 -priority 140
 

 

 

 


Hi Rhonda, 

 

Thanks very much for your valuable suggestion; now I at least have some clue.

I am also thinking of binding multiple Service-Groups (e.g.: sg_mysite_learn_pool, sg_mysite_shopping_pool, sg_mysite_finance_pool etc.) under a single Virtual Server (for e.g.: lbvs_mysite_com), and applying the appropriate policy(ies) so that once the end user lands on the Virtual Server with "/learn" or "/shopping" or "/finance" appended in his/her URL hits, traffic can be forwarded to the matching service-groups (as defined in the created policy).

However, honestly, I am not sure how effective and good this solution is. Or, if you find this solution helpful, the point again here is: what exact policy needs to be created and called under the Virtual Server to forward the traffic to the respective matched Service-Group?

 

 


If the traffic for multiple vanity paths needs to go to the same set of fulfillment servers on the backend AND use the same lb method/persistence, this is fine.

You can have separate policies that point to a single lb_vs_appA on the backend (multiple policies pointing to the same lb vserver/servicegroup). Or you can write policies that match on multiple conditions with OR clauses (one policy going to one lb vserver/servicegroup for lots of expressions):

add cs policy cs_pol_aci -rule "HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/aci\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(ignorecase).STARTSWITH(\"/learning\")" -action cs_act_aci

There are even ways to consolidate these into a single expression using patternsets and a STARTSWITH_ANY("<patternset>") expression.

And expression-based content switching could let you use a policy to match traffic and then forward to an lb vserver by using the policy engine to construct the lb vserver name (the entity name on this ADC). This example (from this article) could actually use the path we extract to build the lb vserver name: http://www.virtual-hawk.com/2018/01/02/citrix-advanced-content-switching-policy-action/. Such as directing traffic to lb vservers based on name: "lb_vs_" + HTTP.REQ.URL.PATH.GET(1)

 

The more scenarios you look at the more you need to look at the policy documentation for options or take training.  

 

The other irule question is mostly responder policies; i might have a chance to mock it up tomorrow evening if someone has given you an example.


Thanks a ton, Rhonda, for your help! This CS VS thing works for me.

Now, the next policy to convert is (this is the old one, also in a previous post)...

 

# When the client sends an HTTP request
when HTTP_REQUEST {
    # save hostname for use in the response; stores a variable with the FQDN hostname (and port when explicit) from the Host header of the client request.
    set fqdn_name [HTTP::host]

    # e.g. HTTP request header
    # GET /path/page?param=value HTTP/1.1
    # Host: www.mysite.com
    # User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
    # Accept: */*
    # fqdn_name = www.mysite.com
}

# When the server responds to that HTTP request
when HTTP_RESPONSE {
    # Check if the server response is a redirection to another location
    # e.g.
    # HTTP/1.1 302 Found
    # Location: /login
    # Connection: Keep-Alive
    # Content-Length: 0
    if { [HTTP::is_redirect] } {
        # If the Location header starts with "/", you were implicitly redirected to a resource on the same FQDN and protocol.
        # e.g. Location: /login (Implicit location http://www.mysite.com/login)
        # Location: http://www.mysite.com/login (Explicit location)
        if { [HTTP::header Location] starts_with "/" } {
            # Rewrite the Location header to redirect to the https protocol and the fqdn stored in the variable, plus the location address, before sending the response to the client
            HTTP::header replace Location "https://$fqdn_name[HTTP::header Location]"
            # e.g. Location: /login - rewrite to - Location: https://www.mysite.com/login
        } else {
            # Else, rewrite/replace protocol http to https in that location
            HTTP::header replace Location "[string map {{http://} {https://}} [HTTP::header Location]]"
            # e.g. Location: http://www.mysite.com/login - rewrite to - https://www.mysite.com/login
            # Location: https://www.mysite.com/login - nothing to match or do
        }
    }
}


I saw it. Short answer: this is handled through a feature called responder, which can easily do all sorts of redirects for you. If someone else answers, great. If not, I can answer after work today. Sorry it's taken so long to get back to you.

Multiple responder policies can look at specific URL paths or headers as an expression (trigger), and the action is usually a redirect with the contents of a relative or absolute URL to redirect to. These redirects can be hardcoded static paths or dynamic paths using the policy engine.

Responder policies can then be bound to lb/cs vservers. If application-wide, you can do it on the cs vserver. If it would only apply to some of your filtered paths, then you could bind it to the lb vserver (in the cs vserver example).

Responder redirects mean the client requests "x" and then we respond with a new destination "y", and the user will make a new request to the new destination. If you want the client to request "x" and the ADC to fetch alternate content from the server (backend) without the user making a new request, then you use a feature called rewrite.

 

More later.


Hi Rhonda, 

 

Ok, thanks... take your time, please.

But a point to note for this iRule is that it acts on the "server response" for redirection (if any). As per my understanding, since this involves a "response from the server", it may require a REWRITE policy instead of RESPONDER... but you know better :-)

 

 


[Note: I started this last night and ran out of time - the responder part is first and should work; I just couldn't get a test environment together. The rewrite section is half-baked and may not be useful.]

So, you can do responder or rewrite depending on how you want to do this, since the ADC can parse elements of requests/responses together very easily.

I'll give you both, so you can use either feature for different scenarios in the future.

With responder, we do the redirects with the request. So even if the server gave a redirect via http, we would let the client make the request and then redirect to https.

As a result, you have a placeholder vserver on http (with a placeholder service). Traffic that arrives on http can then be affected by responder policies to get to https, especially if you don't need any traffic on http at all. If your app is mixed http and https, then we can use conditional expressions to redirect some instead of all from http:// to https://.

With rewrite, you can intercept the responses and modify them, changing the value being returned. BUT you have to make sure the server is not compressing responses. If multiple rewrite policies are in effect, you have to ensure policies are set to find additional matches via "next" in the bindings.

Example 1 Notes:

For this one, create an HTTP lb vserver and use the SSL redirect responder policy on the HTTP entity; any traffic to http will be redirected to https://<FQDN>. A separate policy can handle the case where the user uses the VIP instead of the hostname. Any URL path and/or query will be attached to the destination, so "/" will go to https://<fqdn>/ and /<stuff> will go to https://<fqdn>/<stuff>.

 

Example 1: responder sending http to https (during requests)

add responder action rs_act_sendtossl redirect "\"https://\" + HTTP.REQ.HEADER(\"host\") + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder action rs_act_sendtossl_iptofqdn redirect "\"https://demo.company.com\" + HTTP.REQ.URL.PATH_AND_QUERY" -responseStatusCode 301
add responder policy rs_pol_sendtossl HTTP.REQ.IS_VALID rs_act_sendtossl
add responder policy rs_pol_sendtossl_iptofqdn "!HTTP.REQ.HEADER(\"host\").EQ(\"demo.company.com\")" rs_act_sendtossl_iptofqdn

# placeholder service with monitoring off, so the vserver stays UP and the responder policies are evaluated
add service svc_alwaysup 1.2.3.4 http 80 -healthMonitor NO
add lb vserver lb_vsrv_appa_sendtossl HTTP <VIP1> 80
bind lb vserver lb_vsrv_appa_sendtossl svc_alwaysup

# the IP/other-host case is checked first (priority 100), then the catch-all (priority 110)
bind lb vserver lb_vsrv_appa_sendtossl -policyName rs_pol_sendtossl_iptofqdn -priority 100
bind lb vserver lb_vsrv_appa_sendtossl -policyName rs_pol_sendtossl -priority 110

 

==============

I started rewrites... but I couldn't test, and I was trying to be fancy about multiple possible FQDNs vs. IPs without hardcoding...

Bottom line... none of the rewrite has been tested and may be bad. Before I try it again, I would narrow the solutions.

But the responder is much easier...

Example 2 Notes:

So I did one for relative paths and one for absolute paths as needed. Though really, making them all https://<host>/stuff is easy. The only difference between the v1 and v2 examples for each is whether the original request has a hostname that we can use, or an IP, in which case you hardcode the fqdn. (If the policy will be used generically, we'd have to use a stringmap to map IPs to fqdns. But if used on specific vservers, then hardcoding the fqdn is fine.) So you might be able to get by with only 2 of the examples or need all 4.

The decision for which rewrite you need will be on the policy/expression side. The rewrite is the same in almost all cases. And if the originating request is already on https://<fqdn>, you don't have to rewrite the Location header at all.

 

Example 2:  rewrites based on the location header response

add rewrite action rw_act_replace_lochdr_relative1 replace "http.RES.HEADER(\"Location\")" "\"https://\" + http.REQ.HEADER(\"host\") + http.RES.HEADER(\"Location\")"
add rewrite action rw_act_replace_lochdr_relative2 replace "http.RES.HEADER(\"Location\")" "\"https://demo.company.com\" + http.RES.HEADER(\"Location\")"
add rewrite action rw_act_replace_lochdr_absolute1 replace "http.RES.HEADER(\"Location\")" "\"https://\" + http.REQ.HEADER(\"host\") + http.RES.HEADER(\"Location\").TYPECAST_HTTP_URL_T.PATH_AND_QUERY"
add rewrite action rw_act_replace_lochdr_absolute2 replace "http.RES.HEADER(\"Location\")" "\"https://demo.company.com\" + http.RES.HEADER(\"Location\").TYPECAST_HTTP_URL_T.PATH_AND_QUERY"
 

add rewrite policy rw_pol_replace_lochdr_relative1 "!http.REQ.HEADER(\"host\").SET_TEXT_MODE(ignorecase).EQ(\"afweb.workspacelab.com\") && http.RES.IS_REDIRECT && http.RES.HEADER(\"Location\").STARTSWITH(\"/\")" rw_act_replace_lochdr_relative1
add rewrite policy rw_pol_replace_lochdr_relative2 "http.REQ.HEADER(\"host\").EQ(\"172.21.10.111\") && http.RES.IS_REDIRECT && http.RES.HEADER(\"Location\").STARTSWITH(\"/\")" rw_act_replace_lochdr_relative2
 

 

 

 

 

 

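To see what the two approaches in the post above actually do to a Location header before choosing one, here is an added example (not F5 or Citrix code; plain Python that runs offline and does not touch an ADC). It re-implements what iRule #1 computes and what the rw_act_replace_lochdr_relative1 / rw_act_replace_lochdr_absolute1 actions compute, then compares them on constructed Host/Location pairs. PATH_AND_QUERY is modelled as the URL's path plus its query string, and the partner SSO host in the last sample is made up. Two things show up: for an absolute Location pointing at a different host, the iRule only swaps http:// for https:// and keeps that host, whereas the absolute1 action re-homes the redirect onto the client's Host header; and both relative variants copy the client-supplied Host header into the Location, so on a vserver that accepts arbitrary Host values the hardcoded *2 variants are the safer choice.

```python
"""Side-by-side model of the two Location-header translations in this thread.

Added example for this discussion; it is not F5 or Citrix code and does not talk
to an ADC. It re-implements, in plain Python, what iRule #1 computes and what the
rw_act_replace_lochdr_relative1 / _absolute1 actions posted above compute, so
both can be compared on the same constructed inputs offline.
"""
from urllib.parse import urlsplit


def irule_location(request_host, location):
    """iRule #1 (HTTP_RESPONSE branch).

    Relative Location -> "https://" + [HTTP::host] + Location
    Absolute Location -> string map {http://} {https://}; host left as the server sent it
    """
    if location.startswith("/"):
        return "https://" + request_host + location
    return location.replace("http://", "https://")


def ns_rewrite_location(request_host, location):
    """Rhonda's rewrite actions, modelled (not executed on an ADC):

    relative1: "https://" + HTTP.REQ.HEADER("host") + HTTP.RES.HEADER("Location")
    absolute1: "https://" + HTTP.REQ.HEADER("host")
               + HTTP.RES.HEADER("Location").TYPECAST_HTTP_URL_T.PATH_AND_QUERY
    PATH_AND_QUERY is modelled here as urlsplit().path plus "?query" when present
    (assumption: "/" when the absolute URL has no path at all).
    """
    if location.startswith("/"):
        return "https://" + request_host + location
    parts = urlsplit(location)
    path_and_query = parts.path or "/"
    if parts.query:
        path_and_query += "?" + parts.query
    return "https://" + request_host + path_and_query


def compare(request_host, location):
    """Return (irule_result, ns_result, same) for one server response."""
    a = irule_location(request_host, location)
    b = ns_rewrite_location(request_host, location)
    return a, b, a == b


# Constructed samples: Host header the client sent, Location header the server returned.
SAMPLES = [
    ("www.mysite.com", "/login"),                                  # relative, as in the iRule comments
    ("www.mysite.com:8443", "/login?next=%2Fhome"),                # Host with explicit port; query kept
    ("www.mysite.com", "http://www.mysite.com/login"),             # absolute, same host: both agree
    ("www.mysite.com", "https://www.mysite.com/login"),            # already https: nothing changes
    ("www.mysite.com", "http://sso.partner.example/auth?rid=42"),  # absolute, OTHER host: they differ
]

if __name__ == "__main__":
    for host, loc in SAMPLES:
        a, b, same = compare(host, loc)
        print(f"{'same' if same else 'DIFF'}  Host={host}  Location={loc}")
        print(f"      iRule : {a}")
        print(f"      ADC   : {b}")
```

Run it with python3 and read the DIFF line: if your backend ever redirects clients to another host (an IdP, a payment provider), decide whether the ADC should pin that redirect back to the request Host, as absolute1 does, or preserve it, as the iRule does, and write the rewrite policy's expression accordingly.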

Hi Rhonda, we applied the Responder, but it's not working.

Please note that the Virtual Server where we are applying this Responder Policy is configured with port 443 (https).

We have tested it in the legacy environment. Observation: when hitting the URL in the browser, it maintains the SESSION-ID and also the backend server where the hits are landing. All of this is shown in the URL.



Hello All, 

 

Still waiting to hear from anyone on the requested scenario.

Kindly refer to the prior posts: we applied the Responder Policy, but it didn't work, and then we applied a workaround, i.e. simply applied the sourceip cookie and things started working (policies removed).

A point to note here is that in the legacy setup with F5, only the iRule was applied for the above scenario, but there was no Cookie applied.

But in the upcoming migration scenario, we have a Virtual Server where Cookies and iRules (the same iRule) are both applied on F5, so some different or, say, additional configuration.

In short, the requirement (as I understood it during the last activity) is that we have to maintain the session ID returned by the server in its response along with the hostname of the server which is responding to the client request, and all this should be visible in the URL (it auto-changes to the below):

https://mysite.com/login/pages/sessionid=aahahadgdkdkwduwdiwknkwhofuff/<server_host_name>

Plus, "if anyone hits the URL with http only, it should be redirected to https". For this, as of now, we have applied and configured the redirection in the protection path.

 

 

Regards

 

 


Hi Rhonda,

Hope you are doing great!!

You remember the solution of a content switching VS for different "/___" strings.

E.g. if a client tries a URL with /school, he can be directed to the specific pool configured for "/school" in the rewrite and content policy. We are facing an issue with some similar content in the /string.

For example: /school & /schoolground, i.e. even requests for "/schoolground" are getting directed to the "/school" service group just due to the similarity of the initial content in the string, in this example "/school" (/school and /schoolground both start with school).

In our case we are using the expressions:

1) HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/school") for /school

2) HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/schoolground") for /schoolground

We also tried replacing STARTSWITH with CONTAINS for the similar initials of the "/" string, but no luck! We are probably missing something.

If any change is required, is it required for both of the "/string" values (as per this example, /school and /schoolground)?

Could you please help.

Rgds


42 minutes ago, Sudhir Bhagat said:

In our case we are using the expressions:

1) HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/school") for /school

2) HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/schoolground") for /schoolground


Yes, since these overlap, you have a couple of ways to address it.

Option 1: if all of your paths contain /school/<stuff> vs. /schoolground/<stuff>, then you can just modify the expressions to startswith("/school/") vs. startswith("/schoolground/"). However, if /school appears on its own, that won't be useful.

The alternative would be making the startswith("/schoolground") policy a higher priority (100) so it runs before the "/school" test (110); this would mean the match for "/schoolground" is evaluated BEFORE the match on "/school".

But the better option would be Option 2, as it disambiguates any overlaps as well.

Option 2: Switch from startswith to Get(<integer>)

For a sample URL like the one below, GET breaks the path into elements (between slashes) and is "1-based" (other array functions are 0-based):

http://www.demo.com/dir/subdir/somepage.cgi?a1=b1

http.req.url.path.get(1) is dir

http.req.url.path.get(2) is subdir

http.req.url.path.get(3) is somepage.cgi

and http.req.url.path.get(4) wouldn't match and would be undefined in this example.

So change your two policies to this and they can exactly match on school vs. schoolground:

http.req.url.path.get(1).eq("school")

http.req.url.path.get(1).eq("schoolground")
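To make the overlap concrete, here is an added Python model (not NetScaler code and not from anyone in this thread) of priority-ordered, first-match policy evaluation over the three variants discussed above: the original STARTSWITH pair, the priority-swapped pair, and the PATH.GET(1).EQ() pair. Service names and sample URLs are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed model of the NetScaler expressions used in this thread. It only
# reproduces first-match, lowest-priority-number-first evaluation so the
# overlap between /school and /schoolground can be observed offline.

def url_startswith_ignorecase(url, prefix):
    """Models HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(prefix)."""
    return urlsplit(url).path.lower().startswith(prefix.lower())

def path_get(url, n):
    """Models HTTP.REQ.URL.PATH.GET(n): 1-based element between slashes,
    None when the path has fewer than n elements (undefined on the ADC)."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return parts[n - 1] if 1 <= n <= len(parts) else None

def route(policies, url):
    """First policy whose expression is true wins; lower priority value runs first."""
    for _prio, expr, target in sorted(policies, key=lambda p: p[0]):
        if expr(url):
            return target
    return None  # no policy matched (vserver default would apply)

# Thread's original bindings: /schoolground also satisfies STARTSWITH("/school").
ORIGINAL = [
    (100, lambda u: url_startswith_ignorecase(u, "/school"), "svc_school"),
    (110, lambda u: url_startswith_ignorecase(u, "/schoolground"), "svc_schoolground"),
]

# Option 1 (priority swap): the longer prefix is evaluated first.
REORDERED = [
    (100, lambda u: url_startswith_ignorecase(u, "/schoolground"), "svc_schoolground"),
    (110, lambda u: url_startswith_ignorecase(u, "/school"), "svc_school"),
]

# Option 2 (exact first path element): no overlap regardless of binding order.
EXACT = [
    (100, lambda u: path_get(u, 1) == "school", "svc_school"),
    (110, lambda u: path_get(u, 1) == "schoolground", "svc_schoolground"),
]

if __name__ == "__main__":
    for url in ("https://mysite.com/school/pages",
                "https://mysite.com/schoolground/map",
                "https://mysite.com/schools"):
        print(url, route(ORIGINAL, url), route(REORDERED, url), route(EXACT, url))
```

Note that /schools still lands on svc_school under both STARTSWITH variants, while the GET(1).EQ() form matches nothing for it, which is the disambiguation the answer refers to.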

On 6/17/2020 at 10:01 AM, Sudhir Bhagat said:

Hi All,

I am here again, now stuck with a new issue during the migration from F5 to NetScaler. I can see some iRules and Data Groups created/configured on F5 (based on strings and IP addresses). What is the equivalent of a Data Group in NetScaler ADC?

Apart from these, I need help from you guys to convert some iRules to NetScaler policy (as they are probably not covered in the NetScaler iRule conversion guide). I'll share some 3-4 sample iRules for conversion and would appreciate kind help from this community.

 

Sorry, I haven't gotten back to you on this one (or the earlier issue). I know there was an issue with the responder, but I think there was another issue too that I missed.

I think we need to go back to the exact request or response that you are dealing with and what you want the changes to be (less about the iRule, more about the problem that needs to be solved). My guess is that the way the iRule deals with the problem will be different from the ADC, and we may need to back off and look at this differently.

Also, for one of the reported issues, it really wasn't clear whether the request came from client --> some other proxy --> lb vserver on ADC --> services, or whether your statements about the "proxy" refer to the lb vserver itself.

You may want to repost a NEW thread with the current issue to be solved, described as a traffic flow. The iRule can be useful, but sometimes a different approach is needed because there are differences in the traffic handling. You can include a reference link to this thread, and you will get more visibility from other participants, as this one is now no longer on the main page.
