Create a rule for HTTP or HTTPS traffic

Control panel

1. In the Control panel, on the top menu, click Products and select Cloud Servers.

2. Go to the Load Balancers section → Load Balancers tab.

3. Open the load balancer page.

4. Click Create Rule.

5. Select the traffic reception protocol — HTTP or HTTPS.

6. For the selected protocol, the standard port on which the load balancer will listen for traffic will be automatically selected — change it if necessary.

7. Optional: enter allowed CIDRs — IP addresses from which the load balancer will accept traffic with the selected protocol and port. You can enter a subnet in CIDR format or a single IP address with a /32 mask. If you leave the field empty, the load balancer will accept traffic from any IP address. You can specify allowed IP addresses in the rule after creating the load balancer.

   If the field is missing, traffic filtering (port security) is disabled in the load balancer network.

8. If you selected the HTTPS protocol, specify a certificate for terminating HTTPS traffic on the load balancer — select a certificate from the secret manager or upload a new one. Learn more in the Load Balancer TLS(SSL) Certificates guide.

9. Select the default target group or create a new target group with the HTTP protocol. Traffic that does not match any HTTP policies will be directed to the default target group. To drop traffic that does not match any HTTP policies, select No target group.

10. Select the HTTP request headers that will be passed to the servers.

11. Optional: create HTTP policies:

    11.1. Click Add New Policy.

    11.2. Select the parameter to check the request against:

    • HOSTNAME — to check the domain name;
    • PATH — to check the path.

    11.3. Select the match type for the reference value:

    • EQUAL TO — equal to;
    • STARTS WITH — starts with;
    • ENDS WITH — ends with;
    • CONTAINS — contains;
    • REGEX — regular expression.

    11.4. Enter the reference value for the check. If you selected the REGEX condition in step 11.3., enter a regular expression.

    11.5. Optional: to add another condition to the policy, click New Condition and configure it. If a policy has multiple conditions, a request must match all of them to be caught by the policy.

    11.6. Specify where to direct matching requests:

    • Direct to target group — select a target group or create a new one with the HTTP protocol;
    • Redirect to URL — enter the target URL that will fully replace the request URL, including the protocol, domain name, path, and request parameters;
    • Redirect to URL prefix — enter the part of the URL that will replace the protocol and domain name in the request URL. For example, if you enter https://example.com/new, a request to https://example.com/api will be redirected to https://example.com/new/api

    To not accept requests that match the policy, select Reject traffic.

    11.7. Enter a policy name or leave the one generated by default.

    11.8. Click Add.

    11.9. Optional: to add another policy, click Add New Policy and configure it.

12. Optional: change connection settings; to do this, open the Advanced Rule Settings block and specify:

    • for incoming requests to the load balancer — specify the connection timeout and maximum connections;
    • for requests from the load balancer to servers — specify the connection timeout, inactivity timeout, and TCP packet wait timeout.

13. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule for the load balancer:

   openstack loadbalancer listener create \
     --name <listener_name> \
     --protocol <protocol> \
     --protocol-port <port> \
     [--allowed-cidr <allowed_cidr>] \
     --default-tls-container=<certificate_uuid> \
     --default-pool <default_pool> \
     <loadbalancer>

   Specify:

   • <listener_name> — rule name;
   • <protocol> — protocol name, HTTP or TERMINATED_HTTPS;
   • <port> — port number;
   • optional: --allowed-cidr <allowed_cidr> — IP address from which traffic is allowed, where <allowed_cidr> is a subnet in CIDR format or a single IP address with a /32 mask. If you need to specify multiple addresses, specify each in a separate --allowed-cidr parameter. For the restriction to work, traffic filtering (port security) must be enabled in the load balancer network. You can specify allowed IP addresses in the rule after creating the load balancer;
   • --default-tls-container=<certificate_uuid> — ID of the TLS(SSL) certificate for terminating HTTPS traffic on the load balancer. Specify this if you chose the TERMINATED_HTTPS protocol. You can copy it in the Control panel: on the top menu, click Products → Certificate Manager → in the menu of the certificate, select Copy UUID. Read more about Load Balancer TLS(SSL) Certificates;
   • optional: --default-pool <default_pool> — ID or name of the default target group to which traffic not caught by HTTP policies in the rule will be directed. If the parameter is not specified, traffic not caught by policies will be dropped. You can view the list of groups using the openstack loadbalancer pool list command. If you do not have a suitable target group, create one;
   • <loadbalancer> — load balancer ID or name. You can view the list using the openstack loadbalancer list command.

3. Create an HTTP policy in the rule:

   openstack loadbalancer l7policy create \
     --action <action> \
     [--redirect-url <url> | --redirect-prefix <prefix_url> | --redirect-pool <pool> ]
     --position <position> \
     --name <policy_name> \
     <listener_name>

   Specify:

   • <action> — traffic balancing action:

     • REDIRECT_TO_URL — fully replace the request URL, including the protocol, domain name, path, and parameters;
     • REDIRECT_PREFIX — replace the protocol and domain name in the request URL;
     • REDIRECT_TO_POOL — direct to a target group,
     • REJECT — reject;

   • <policy_name> — L7 policy name;

   • where to direct traffic:

     • --redirect-url <url> — full URL for redirection. Specify this if the REDIRECT_TO_URL`` action is selected;
     • --redirect-prefix <prefix_url> — URL prefix used to replace the protocol and domain in the request, for example, https://example.com. Specify this if the REDIRECT_PREFIX`` action is selected;
     • --redirect-pool <pool> — ID or name of the target group. Specify this if the REDIRECT_TO_POOL action is selected. You can view the list using the openstack loadbalancer pool list command. If you do not have a target group yet, create one.

   • --position <position> — policy position in the rule. Specify this if the rule will have multiple policies with the same action; the policy with position 1 will be applied first;

   • <listener_name> — name of the rule you created in step 2.

4. Create a condition in an HTTP policy:

   openstack loadbalancer l7rule create \
     --compare-type <compare_type> \
     --type <type> \
     --value <value> \
     <policy_name>

   Specify:

   • <compare_type> — match type for the reference value:

     • EQUAL TO — equal to;
     • STARTS WITH — starts with;
     • ENDS WITH — ends with;
     • CONTAINS — contains;
     • REGEX — regular expression;

   • <type> — request parameter to check: HOST_NAME, PATH, COOKIE, FILE_TYPE, HEADER;

   • <value> — reference value;

   • <policy_name> — name of the L7 policy you created in step 3.