Create a rule for HTTP or HTTPS traffic
Control panel
OpenStack CLI
-
В control panels go to Cloud platform → Balancers.
-
Open the tab Balancers → balancer page.
-
Click Create a rule.
-
Select the protocol for receiving traffic — HTTP or HTTPS.
-
For the selected protocol, the default port on which the balancer will listen to traffic will be automatically selected — change it if necessary.
-
If you selected the HTTPS protocol, select a certificate to terminate HTTPS traffic on the balancer — select a certificate from the Secrets Manager or download a new one. Read more in the instructions TLS(SSL)-certificates of the load balancer.
Certificates with an empty field
CN(Common Name) are not supported in load balancers. -
Select the default target group or create a new target group with the HTTP protocol. The default destination group will be forwarded traffic that does not match the HTTP Policies. To discard traffic that does not fall under HTTP policies, select Without a target group.
-
Mark it HTTP request headers that will be transmitted to the servers.
-
Optional: create HTTP Policies:
9.1. Press Add a new policy.
9.2 Select the parameter for which the query will be checked:
HOSTNAMEfor the domain name orPATHto check the path.9.3 Select the type of match to the reference value:
EQUAL TO— is a match;STARTS WITH— begins with;ENDS WITH— ends in;CONTAINS— contains;REGEX— regular expression.
9.4 Enter the control value to check. If you selected the condition in step 6
REGEX, enter a regular expression.9.5 Optional: to add another condition to the policy, press New condition and customize it. If there are multiple conditions in the policy, the request must match each condition to fall under the policy.
9.6 Specify where the appropriate request should be redirected to:
- Direct to the target group — select a target group or create a new with the HTTP protocol;
- Redirect to URL — enter a target URL that will completely replace the request URL, including protocol, domain name, path, and request parameters;
- Redirect to URL prefix — enter the part of the URL to replace the protocol and domain name in the request URL. For example, if you enter
https://example.com/newthen the request forhttps://example.com/apiwill be forwarded tohttps://example.com/new/api
To not accept requests that match the policy, select Reject traffic.
9.7 Enter a policy name or leave the default one generated.
9.8. Press Add.
9.9 Optional: to add another policy, press Add a new policy and set it up.
-
Optional: change connection settings To do this, open the block Advanced rule settings and specify:
- for incoming requests to the balancer — specify the connection timeout and maximum connections;
- for requests from the balancer to servers — specify the connection timeout, inactivity timeout and TCP packet waiting timeout.
-
Click Create.
-
Create a rule for the balancer:
openstack loadbalancer listener create \
--name <listener_name> \
--protocol <protocol> \
--protocol-port <port> \
--default-tls-container=<certificate_uuid> \
--default-pool <default_pool> \
<loadbalancer>Specify:
<listener_name>— NAME OF RULE;<protocol>— protocol name, HTTP or TERMINATED_HTTPS;<port>— port number;--default-tls-container=<certificate_uuid>— ID of the TLS(SSL)-certificate for HTTPS traffic termination on the balancer. Specify if you selected the protocolTERMINATED_HTTPS. You can copy it into control panels: under Cloud platform → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID. Read more about TLS(SSL)-certificates of the load balancer;- optional:
--default-pool <default_pool>— The default ID or name of the default target group to which traffic that does not fall under the HTTP Policies in the rule. If you do not specify a parameter, traffic that does not fall under the policy will be discarded. You can view the list of groups byopenstack loadbalancer pool list. If you don't have the right target group, create it; <loadbalancer>— ID or name of the load balancer. The list can be viewed viaopenstack loadbalancer list
-
Create HTTP policy in the rule:
openstack loadbalancer l7policy create \
--action <action> \
[--redirect-url <url> | --redirect-prefix <prefix_url> | --redirect-pool <pool> ]
--position <position> \
--name <policy_name> \
<listener_name>Specify:
-
<action>— action to balance traffic:REDIRECT_TO_URL— completely replace the request URL, including protocol, domain name, path, and parameters;REDIRECT_PREFIX— replace the protocol and domain name in the request URL;REDIRECT_TO_POOL— to target the target group,REJECT— dismiss;
-
<policy_name>— L7-policy name; -
where the traffic needs to be directed:
--redirect-url <url>— the full URL for the redirect. Specify if the action is selectedREDIRECT_TO_URL;--redirect-prefix <prefix_url>— URL prefix to replace the protocol and domain in the request, e.g.https://example.com. Indicate if the action is selectedREDIRECT_PREFIX;--redirect-pool <pool>— ID or name of the target group. Specify if the action is selectedREDIRECT_TO_POOL. The list can be viewed withopenstack loadbalancer pool list. If you don't already have a target group, create it.
-
--position <position>— the position of the policy in the rule. Indicate if there will be more than one policy with the same action in the rule, the policy with position1will be the first to apply; -
<listener_name>— the name of the rule you created in step 2.
-
-
Create a condition in the HTTP policy:
openstack loadbalancer l7rule create \
--compare-type <compare_type> \
--type <type> \
--value <value> \
<policy_name>Specify:
-
<compare_type>— type of match with the control value:EQUAL TO— is a match;STARTS WITH— begins with;ENDS WITH— ends in;CONTAINS— contains;REGEX— regular expression;
-
<type>— parameter in the query to check:HOST_NAME,PATH,COOKIE,FILE_TYPE,HEADER; -
<value>— control value; -
<policy_name>— name of the L7 policy you created in step 3.
-