星痕1216
f5 irules

1.插入XFF  

when HTTP_REQUEST {
    if { [HTTP::header exists X-Forward-For] } {
        set old_xff  [HTTP::header values X-Forwarded-For]
        HTTP::header remove X-Forwarded-For
        HTTP::header insert X-Forwarded-For_Org "[IP::client_addr],$old_xff"
    } else {
        HTTP::header insert X-Forwarded-For [IP::client_addr]
    }
}

2.重定向

  1)a.xin.com、a.youxin.com均重定向到https://a.youxin.com/owa  

when HTTP_REQUEST {
    if { ([string tolower [HTTP::host]] equals "a.xin.com") and ([HTTP::uri] equals "/") } {
        HTTP::redirect https://a.youxin.com/owa
}elseif { ([string tolower [HTTP::host]] equals "a.youxin.com") and ([HTTP::uri] equals "/") } {
        HTTP::redirect https://a.youxin.com/owa
    } else {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
    }

  2)多域名下,只单域名http重定向到https  

  需求:域名a.xin.com和b.xin.com都解析到1.1.100.21。目前a.xin.com和b.xin.com都是通过http访问。

  现需要将访问包含a.xin.com的http访问都转到https,同时b.xing.com保持不变。  

when HTTP_REQUEST {
if { [string tolower [HTTP::host]] contains "a.xin.com" } {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    } 
    }

 3.f5 通过irules 将通过f5负载地址访问非80/443时的真实源IP输出到ELK  

when CLIENT_ACCEPTED {
   set hsl [HSL::open -proto TCP -pool pool_ELK]
   set reqtime [clock format [clock seconds] -format "%Y-%m-%d %T"]     
   set trueip [IP::remote_addr]
   set vip [IP::local_addr]
   set vipport [TCP::local_port] 
}

when SERVER_CONNECTED {
   set snatip [IP::local_addr]
   set snatport [TCP::local_port]
 
}

when SERVER_CLOSED {
   HSL::send $hsl "{\"request_time\":\"$reqtime\",\t\"source_IP\":\"$trueip\",\t\"snat_ip\":\"$snatip\",\t\"snat_port\":\"$snatport\",\t\"vip\":\"$vip\",\t\"vip_port\":\"$vipport\"}"
}

 

posted on 2018-11-06 10:41  星痕1216  阅读(776)  评论(0编辑  收藏  举报

Copyright © 2024 星痕1216
Powered by .NET 9.0 on Kubernetes Powered By博客园