How to divert rest api calls from external applications to a particular node

@Sanu Soman Hi. I have implemented it. It works great. Implement the below irule in F5. Thanks.

when HTTP_REQUEST {

log local0. "New code"
set referrer_host [ URI::host [HTTP::header value Referer]]
log local0. "host: [HTTP::host]"
log local0. "uri: [HTTP::uri]"
log local0. "path: [HTTP::path]"
log local0. "Referer: $referrer_host"


if { ([HTTP::header exists "Referer"]) } {

if { $referrer_host eq "" } {
 set referrer_host "none"
 }

if { !($referrer_host contains "jiratest.corp.chartercom.com") } {

log local0. "referrer is not equal to jira"
 if { ([HTTP::uri] contains "/rest/") } {
log local0. "referrer is not equal to jira and contain rest"
 pool JIRA-test-external-pool
 } else {
 pool JIRA-test-pool
 }
 
 } else {
 log local0. "referer is jira"
 pool JIRA-test-pool
 }

} else {
log local0. "Referer does not exist"

if { !([HTTP::uri] contains "/rest/") } {
log local0. "referrer is not equal to jira and contain rest"
 pool JIRA-test-pool
 } else {
 pool JIRA-test-external-pool
 }
 }


}

Great and many thanks for sharing it.

Is your JIRA running with SSL enabled? If so, do we need to terminate SSL at F5 level to configure this?

I dont know about SSL.

Dear @Jonnada Kiran,

you have to terminate SSL on F5 otherwise you cannot filter, because the path information will be encrypted.

So long

Thomas

Hi Thomas,

We have the same requirement where we want to redirect external Rest API only to specific node we have 4 node and we want to redirect external REST traffic to node 4.

We have written iRule for that but we observed few thing

1. Jira becomes slow.

2. Xray plugin is not working as expected like "Test" tab is not appear on the screen.

Thomas,

what do you mean "terminate the SSL on F5"? because we have SSL implemented on F5.

Dear @Sachin,

as I wrote, if you will try to load balance HTTP traffic depending on the path information of the URL, it may not be encrypted.

This slow Jira will result (I guess) from Jira's own communication over the REST API. Best do not balance this to only one node.

For the XRay Plugin, best ask the vendor. They should know about their plugin engine.

So long

Thomas

Hi Thomas,

Thanks for reply.

So what you r saying is we should not redirect REST API call to specific one node if we have SSL on F5?

And if we want to redirect then we have to skip ssl?

Thanks,

Sachin

@Thomas Deiler@Sachin@Sanu Soman Sorry for replying late. Redirecting traffic to a node raised indexing problems between nodes. 

@Jonnada Kiran:  Did you experience this? Did Atlassian confirm about this? what is solution for this then?

Arlassian recommended not to divert rest calls till they find a solution 

@Jonnada Kiran Thanks for reply. Does they have created bug or any issue for their developer for this?

Hi all, 

I see that this is some confusion around LoadBalancing, so to prevent the uncertainty please let me clarify some points. :)  

• To do session affinity at Loadbalancer and redirect traffic based on URL path (/REST), you would need to see request plain text, so as Thomas mentioned you need to terminate SSL on F5 (do SSL offloading). This is just a technical requirement. 
• This is very crucial to make sure that you redirect traffic only from External application (bot), not from the normal user. In another case, you will be break session affinity which leads to different functional and performance problems. 
•  Regarding Redirecting traffic to a node raised indexing problems between nodes. It's hard to comment without context, but in general, redirecting some traffic to the separate node does differ from any other normal setup. We have many clients running this without any problems.
  • Speculating here: if dedicated node would receive too many changes, those changes would need to be propagated to other nodes (load is skewed) and in case cluster doesn't have enough capacity that would case indexing delays. That being said, this is not specific to Redirecting traffic to a node but like a genetic balancing load problem. 

How you can check that session affinity is fine. 

• Check reply headers from Jira and find x-anodeid, eg:

x-anodeid: i-02b2b80fafcf9ad1d

• make sure it's the same for all requests 

Hope this helps

Cheers

@Andriy Yakovlev _Atlassian_ 

We have written the same iRule which target only external REST API.

Can you please explain 2nd point i.e  "This is very crucial to make sure that you redirect traffic only from External application (bot), not from the normal user. In another case, you will be break session affinity which leads to different functional and performance problems."

In that you mentioned *Not from the normal user* what does it mean? and how do we check this?

Thanks,

Sachin

Hi  @Orit Nachshon

Sure, please let me help with this part:

>In that you mentioned *Not from the normal user* what does it mean?

That means, that user sessions should not be part of the redirect config. They should always talk to the same node.

>and how do we check this?

see the section (How you can check that session affinity is fine. ) in the comment above 

Cheers. 

@Andriy Yakovlev _Atlassian_@Thomas Deiler

This is the iRule we have implemented. Can you please check. it?

when
HTTP_REQUEST {
 if

{ !([HTTP::header value Referer] contains "jirapbguat") and ([HTTP::uri] contains "/rest") and ([HTTP::uri] ne "/login.jsp") }

{   node 10.233.128.120 8080  }

}

Thanks,
Sachin

@Jonnada Kiran and @Sanu Soman,

keep in mind, that Jira is communicating with itself via REST. So best you do not balance requests from Jira.

Jira will request the F5 from its external network interface and not communicate from localhost to localhost.

This is not valid for Confluence, only Jira.

So long

Thomas 

Hi all, 

To clarify @Thomas Deiler answer:

Everything that carries /rest/api/ in the destination URL is directed to a specific node.

Jira UI operations also use same REST API, so you should be careful here and redirect traffic to specific Node4 only from External application (bot), not from normal user. In another case you will have user session expired all the time. 

There is no single way how you can do this, a couple of options to name:

•  based on Referer, as suggested in traffic-distribution-with-atlassian-data-center

• If referrer != app.yourdomain.com and the request ~ /rest:
   If the page requested == /login.jsp:
      Direct traffic to Node 1 or Node 2 or Node 3 //normal traffic
   Else:
      Direct to Node 4 //external REST API traffic

• Based on SrcIP
• Based on UserAgent

Hope this helps.