Permit use of Context Variables to specify IP addresses in Routing Properties

Marlos Chida
11-28-2019 03:46 PM

Hi,

  After some research trying to solve a particular routing case during Policy Development, I came across a scenario that I would like to share, along with a suggested improvement to the "Route to HTTP(S)" Assertion.

  My customer has 3 separate servers providing the same content, but each one serving a different group of users.

  Besides having different IP Addresses, all servers share the same hostname. The requestors use a hosts file to point to the right server in the no-gateway scenario.

  In this particular case there is no load balancer involved.

  When developing a Policy to manage requests to these servers via the Gateway, I have to branch different route assertions to the same hostname, but specifying a different IP address depending on request source, as in this case I can't rely on DNS to resolve the server's IP address.

  My first thought was to use a Context Variable to hold the IP Address after evaluating the request source, but the assertion's input field of IP address in "Use the following IP addresses:" property only accepts numbers, dot (.) and Hex Characters (A-F), thus making it impossible to provide a context variable reference like "${ServerIP}".

  Out of curiosity, I copied the Policy XML code and replaced the hardcoded IP I had provided with a context variable reference.

---
<L7p:HttpRoutingAssertion>
<L7p:CustomIpAddresses stringArrayValue="included">
<L7p:item stringValue="10.20.30.40"/>
</L7p:CustomIpAddresses>
---
With
---
<L7p:HttpRoutingAssertion>
<L7p:CustomIpAddresses stringArrayValue="included">
<L7p:item stringValue="${ip}"/>
</L7p:CustomIpAddresses>
---

After pasting it back and saving the policy, to my surprise it worked, which makes me believe that the assertion is ready to process variable references and that only the IP input field applies validation.

As this behavior benefits some particular complex scenarios such as my example above, my suggestion would be to remove validation in the input field of IP addresses in the Routing Assertion. Calling the servers using the IP instead of the hostname is not a good solution in an HTTPS scenario since all server certificates would have to be reissued including the IP address in the SAN field.

I would like to hear the thoughts of CA Staff and other members regarding this suggestion.

I've attached a screenshot to illustrate.
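
The routing decision described in the post, as an added example that is not part of the original post and is not Gateway policy code: a Python sketch that picks a backend IP from the request source, re-applies at runtime the check the input field no longer performs once a variable is used, and connects to that IP while still verifying the certificate against the shared hostname. The hostname, source networks, the addresses other than 10.20.30.40, and all function names are assumptions made for the example.

```python
import ipaddress
import socket
import ssl

# Constructed sample data. Only 10.20.30.40 appears in the post; the hostname,
# source networks and other backend addresses are placeholders.
BACKEND_HOST = "app.example.internal"
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): ipaddress.ip_address("10.20.30.40"),
    ipaddress.ip_network("198.51.100.0/24"): ipaddress.ip_address("10.20.30.41"),
    ipaddress.ip_network("198.51.100.128/25"): ipaddress.ip_address("10.20.30.42"),
}


def select_backend_ip(source_ip: str) -> str:
    """Pick the backend for a request source; the longest matching prefix wins."""
    src = ipaddress.ip_address(source_ip)  # ValueError on malformed input
    matches = [net for net in ROUTES if src in net]
    if not matches:
        raise LookupError(f"no backend configured for source {src}")  # fail closed
    return str(ROUTES[max(matches, key=lambda net: net.prefixlen)])


def check_route_value(value: str) -> str:
    """Runtime stand-in for the input-field validation that a variable bypasses."""
    ip = ipaddress.ip_address(value.strip())  # rejects an unresolved "${ip}"
    if ip not in ROUTES.values():
        raise ValueError(f"{ip} is not a known backend")
    return str(ip)


def open_tls(source_ip: str, port: int = 443) -> ssl.SSLSocket:
    """Connect to the selected IP but verify the certificate for BACKEND_HOST."""
    ip = check_route_value(select_backend_ip(source_ip))
    ctx = ssl.create_default_context()  # chain and hostname verification on
    raw = socket.create_connection((ip, port), timeout=5)
    try:
        # SNI and the SAN check use the shared hostname, not the IP literal.
        return ctx.wrap_socket(raw, server_hostname=BACKEND_HOST)
    except Exception:
        raw.close()
        raise
```

Because the name passed as `server_hostname` stays the shared hostname, the existing certificates keep validating and no IP entry in the SAN field is needed.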