Hi,
perhaps the question is still open?
For testing I'm using a virtual server on a 2nd BIG-IP (it might also be located on the same BIG-IP and addressed via the iRule "virtual" command).
The iRule returns the internally seen parameters (as modified by the rewrite profile):
when HTTP_REQUEST {
    set internal_domain [join [lrange [split [getfield [HTTP::host] ":" 1] "."] 1 end] "."]
    HTTP::respond 301 \
        content " \
internal host : [getfield [HTTP::host] ":" 1]\r\n \
internal path : [URI::path [HTTP::uri]]\r\n \
internal base : [URI::basename [HTTP::uri]]\r\n \
internal query : [HTTP::query]\r\n \
internal domain: ${internal_domain}\r\n" \
        noserver \
        Content-Type "text/plain" \
        Location https://[HTTP::host][HTTP::uri] \
        Date [clock format [clock seconds] -format {%a, %b %d %Y %H:%M:%S GMT} -gmt 1] \
        Set-Cookie "TrackingMe=[format %09d [expr int(rand()*1e9)]]; Domain=${internal_domain}; Path=[URI::path [HTTP::uri]]" \
        Connection Close
}
The rewrite profile and the virtual server on the device under test look as follows:
ltm virtual vs_test-rewrite_443 {
    destination 10.131.131.53:443
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_rewrite-test
    profiles {
        clientssl-secure {
            context clientside
        }
        http2 { }
        http { }
        profile_test-rewrite { }
        serverssl {
            context serverside
        }
        tcp { }
    }
}
ltm profile rewrite profile_test-rewrite {
    bypass-list none
    client-caching-type cache-css-js
    defaults-from rewrite
    java-ca-file ca-bundle.crt
    java-crl none
    java-sign-key default.key
    java-sign-key-passphrase-encrypted none
    java-signer default.crt
    location-specific false
    request {
        insert-xforwarded-for enabled
        insert-xforwarded-host enabled
        insert-xforwarded-proto enabled
        rewrite-headers enabled
    }
    response {
        rewrite-content enabled
        rewrite-headers enabled
    }
    rewrite-list none
    rewrite-mode uri-translation
    set-cookie-rules {
        cookie_1597831515516 {
            client {
                domain lb-net.bit
                path /prefixext/
            }
            server {
                domain lb-net.internal
                path /prefixint/
            }
        }
    }
    split-tunneling false
    uri-rules {
        uri_1597822570761 {
            client {
                path /prefixext/
            }
            server {
                host test.lb-net.internal
                path /prefixint/
                scheme https
            }
        }
    }
}
Testing with cURL returns the expected results:
$ curl -svk https://test.lb-net.bit:443/prefixext/test.label/object?query=test --resolve test.lb-net.bit:443:10.131.131.53
* Added test.lb-net.bit:443:10.131.131.53 to DNS cache
* Hostname test.lb-net.bit was found in DNS cache
* Trying 10.131.131.53...
* Connected to test.lb-net.bit (10.131.131.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1735150)
> GET /prefixext/test.label/object?query=test HTTP/1.1
> Host: test.lb-net.bit
> User-Agent: curl/7.47.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 301
< content-type:text/plain
< location:https://test.lb-net.bit/prefixext/test.label/object?query=test
< date:Wed, Aug 19 2020 12:48:04 GMT
< set-cookie:TrackingMe=480369567; Domain=lb-net.bit; Path=/prefixext/test.label/
<
internal host : test.lb-net.internal
internal path : /prefixint/test.label/
internal base : object
internal query : query=test
internal domain: lb-net.internal
Both redirect (host and path) and the cookie domain and path set by the server are properly rewritten.
The setup above was tested on TMOS v12.1.4.1 with HTTP/1.1 and HTTP/2.
Be aware that a stream profile and disabled server-side compression might be required as well to replace references in the payload.
The rewrite profile above only modifies the HTTP protocol data, not the delivered payload.
Cheers, Stephan
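As an added illustration (not part of Stephan's post and not F5 code), the following Python model applies the uri-rules and set-cookie-rules from the profile above in both directions, so the external values the curl test should show (Host, Location, Set-Cookie) can be predicted and checked against the transcript. The rule values are copied from the config; the non-matching cookie sample is constructed.

```python
"""Model of profile_test-rewrite (rewrite-mode uri-translation). Constructed
for this thread, not F5 code: it mirrors the profile's rules so the
client-side view of a request/response can be predicted and verified."""
from urllib.parse import urlsplit, urlunsplit

# Values taken from the profile_test-rewrite config above.
URI_RULE = {"client_path": "/prefixext/",
            "server_host": "test.lb-net.internal",
            "server_path": "/prefixint/"}
COOKIE_RULE = {"client": ("lb-net.bit", "/prefixext/"),
               "server": ("lb-net.internal", "/prefixint/")}


def _swap_prefix(path, old, new):
    """Replace a leading path prefix; None when the rule does not match."""
    return new + path[len(old):] if path.startswith(old) else None


def request_to_server(host, uri):
    """Client-side (Host, URI) -> what the pool member sees (request direction)."""
    parts = urlsplit(uri)
    path = _swap_prefix(parts.path, URI_RULE["client_path"], URI_RULE["server_path"])
    if path is None:
        return host, uri                      # no matching uri-rule: pass through
    return URI_RULE["server_host"], urlunsplit(parts._replace(path=path))


def location_to_client(location, client_host, client_scheme="https"):
    """Rewrite a server-side Location header back to the client view."""
    u = urlsplit(location)
    path = _swap_prefix(u.path, URI_RULE["server_path"], URI_RULE["client_path"])
    if u.hostname != URI_RULE["server_host"] or path is None:
        return location                       # outside the rule: left untouched
    return urlunsplit(u._replace(scheme=client_scheme, netloc=client_host, path=path))


def set_cookie_to_client(header):
    """Apply the set-cookie-rule: server Domain/Path -> client Domain/Path."""
    s_domain, s_path = COOKIE_RULE["server"]
    c_domain, c_path = COOKIE_RULE["client"]
    out = []
    for attr in header.split(";"):
        name, _, value = attr.strip().partition("=")
        if name.lower() == "domain" and value.lower() == s_domain:
            value = c_domain
        elif name.lower() == "path" and value.startswith(s_path):
            value = _swap_prefix(value, s_path, c_path)
        out.append(f"{name}={value}" if "=" in attr else name)
    return "; ".join(out)
```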