Translating an F5 rule

peter peter_booth at s5a.com
Tue Mar 19 17:54:20 UTC 2013


You might find that you get most traction with open resty ­ its an nginx
bundle project that includes ngx_lua,
HttpHeadersMoreModule and a bunch of other mopdules that are great for
transforming requests
and implementing F5-like logic. I have been using it for six months and its
saved me a bunch of time
and helped me get weird stuff done. The openresty mailing list is very
responsive.

On 3/19/13 10:42 AM, "WBrown at e1b.org" <WBrown at e1b.org> wrote:

> Peter Booth wrote on 03/19/2013 10:43:12 AM:
> 
>> > The code does the following:
>> >
>> > 1. remove an HTTP header named "SWSSLHDR"
>> > 2. replaces it with SWSSLHDR: port, where the port is the local port of
>> > the "current context's TCP connection", presumably the port that your F5
>> > virtual server is listening on.
> 
> I had somewhat figured that out.  It isn't clear from the notes I got from
> vender as to what the current context is.  I'm guessing the client side,
> but I can test that.
> 
>> > This is presumably to separate SSL and non SSL traffic , or to allow for
>> > load balancing across websites that are hosted on ports 8080, 8000 or
>> > other nonstandard ports.
>> >
>> > One thought- are you configuring the nginx server to terminate SSL and
>> > then proxy to a single upstream endpoint? Is this the same topology as
>> > the F5 one? Is the entire site SSL or just the login portions?
> 
> Presently, we are using an Centos box with Piranha for load balancing, but
> we wish to implement SSL.  There are about 50 sites hosted with three
> upstream servers.  I don't want to tie up 150 IP addresses for SSL on
> them, so I want to terminate the SSL connection at the nginx server and
> use HTTP on port 80 to connect from nginx to IIS.
> 
> The F5 information is just what the IIS application vendor says they use
> in their configuration.  We may be buying an F5 in the future, but I need
> SSL in the short term.
> 
> Would I add to the location section something like this:
> 
>         more_set_input_headers -r SWSSLHDR $server_port
> 
> If $server_port isn't correct, I could try $remote_port.  Are there any
> other port variables that I've missed?
> 
> From my reading of the F5 docs, the "when HTTP_REQUEST" indicates this is
> only processed on requests received from clients.  Since they are always
> removing the SWSSLHDR from incoming requests, then adding it again, I
> think using the -r option is sensible and only adding it if it exists.
> 
> Now I'm off to rebuild nginx with HttpHeadersMoreModule.
> 
> 
> 
> 
> Confidentiality Notice:
> This electronic message and any attachments may contain confidential or
> privileged information, and is intended only for the individual or entity
> identified above as the addressee. If you are not the addressee (or the
> employee or agent responsible to deliver it to the addressee), or if this
> message has been addressed to you in error, you are hereby notified that
> you may not copy, forward, disclose or use any part of this message or any
> attachments. Please notify the sender immediately by return e-mail or
> telephone and delete this message from your system.
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20130319/8b004ccb/attachment.html>


More information about the nginx mailing list