Create a rule for HTTP or HTTPS traffic
Control panel

1. In the control panel, from the top menu, press Products and select Cloud servers.
2. Go to the section Balancers → tab Balancers.
3. Open the balancer page.
4. Click Create a rule.
5. Select the protocol for receiving traffic — HTTP or HTTPS.
6. For the selected protocol, the default port on which the balancer will listen for traffic is selected automatically — change it if necessary.
7. Optional: enter the allowed CIDR — the IP addresses from which the balancer will accept traffic with the selected protocol and port. You can enter a subnet in CIDR format or a single IP address with a /32 mask. If you leave the field blank, the balancer will accept traffic from any IP address. You can specify the allowed IP addresses in the rule after the balancer has been created. If the field is absent, traffic filtering (port security) is turned off in the balancer network.
8. If you have selected the HTTPS protocol, specify a certificate for HTTPS traffic termination on the balancer — select a certificate from the secrets manager or download a new one. For more details, see the instructions TLS(SSL)-certificates of the load balancer.
9. Select the default target group or create a new target group with the HTTP protocol. Traffic that does not match the HTTP policies will be directed to the default target group. To discard traffic that does not fall under the HTTP policies, select Without a target group.
10. Mark the HTTP request headers that will be transmitted to the servers.
11. Optional: create HTTP policies:
    11.1. Press Add a new policy.
    11.2. Select the parameter for which the request will be checked:
        - HOSTNAME — to verify the domain name;
        - PATH — to check the path.
    11.3. Select the type of match to the reference value:
        - EQUAL TO — is a match;
        - STARTS WITH — begins with;
        - ENDS WITH — ends in;
        - CONTAINS — contains;
        - REGEX — regular expression.
    11.4. Enter the control value to check. If in step 11.3 you selected the condition REGEX, enter a regular expression.
    11.5. Optional: to add another condition to the policy, press New condition and customize it. If there are multiple conditions in the policy, the request must match each condition to fall under the policy.
    11.6. Specify where to redirect the matching request:
        - Direct to the target group — select a target group or create a new one with the HTTP protocol;
        - Redirect to URL — enter a target URL that will completely replace the request URL, including protocol, domain name, path, and request parameters;
        - Redirect to URL prefix — enter the part of the URL to replace the protocol and domain name in the request URL. For example, if you enter https://example.com/new then the request for https://example.com/api will be forwarded to https://example.com/new/api
        To not accept requests that match the policy, select Reject traffic.
    11.7. Enter a policy name or leave the default generated one.
    11.8. Press Add.
    11.9. Optional: to add another policy, press Add a new policy and set it up.
12. Optional: change the connection settings. To do this, open the block Advanced rule settings and specify:
    - for incoming requests to the balancer — the connection timeout and maximum connections;
    - for requests from the balancer to servers — the connection timeout, inactivity timeout and TCP packet waiting timeout.
13. Click Create.

OpenStack CLI
- Create a rule for the balancer:

    openstack loadbalancer listener create \
      --name <listener_name> \
      --protocol <protocol> \
      --protocol-port <port> \
      [--allowed-cidr <allowed_cidr>] \
      --default-tls-container=<certificate_uuid> \
      --default-pool <default_pool> \
      <loadbalancer>

  Specify:
  - <listener_name> — rule name;
  - <protocol> — protocol name, HTTP or TERMINATED_HTTPS;
  - <port> — port number;
  - optional: --allowed-cidr <allowed_cidr> — the IP address from which traffic is allowed to be received, where <allowed_cidr> is a subnet in CIDR format or a single IP address with a /32 mask. If you want to specify several addresses, specify each address in a separate --allowed-cidr parameter. For the restriction to work, traffic filtering (port security) must be enabled in the balancer network. You can specify the allowed IP addresses in the rule after the balancer has been created;
  - --default-tls-container=<certificate_uuid> — ID of the TLS(SSL) certificate for HTTPS traffic termination on the balancer. Specify it if you selected the TERMINATED_HTTPS protocol. You can copy it in the control panel: from the top menu, press Products → The manager of secrets → tab Certificates → in the menu of the certificate, select Copy UUID. Read more about TLS(SSL)-certificates of the load balancer;
  - optional: --default-pool <default_pool> — ID or name of the default target group, to which traffic that does not fall under the HTTP policies in the rule is directed. If you do not specify the parameter, traffic that does not fall under the policies will be discarded. The list of groups can be viewed using the command openstack loadbalancer pool list. If you don't have the right target group, create it;
  - <loadbalancer> — ID or name of the load balancer. You can view the list using the command openstack loadbalancer list.
- Create an HTTP policy in the rule:

    openstack loadbalancer l7policy create \
      --action <action> \
      [--redirect-url <url> | --redirect-prefix <prefix_url> | --redirect-pool <pool>] \
      --position <position> \
      --name <policy_name> \
      <listener_name>

  Specify:
  - <action> — action to apply to the traffic:
    - REDIRECT_TO_URL — completely replace the request URL, including protocol, domain name, path, and parameters;
    - REDIRECT_PREFIX — replace the protocol and domain name in the request URL;
    - REDIRECT_TO_POOL — direct to the target group;
    - REJECT — reject;
  - <policy_name> — L7 policy name;
  - where the traffic needs to be directed:
    - --redirect-url <url> — the full URL to redirect to. Specify if the action REDIRECT_TO_URL is selected;
    - --redirect-prefix <prefix_url> — URL prefix to replace the protocol and domain in the request, e.g. https://example.com. Specify if the action REDIRECT_PREFIX is selected;
    - --redirect-pool <pool> — ID or name of the target group. Specify if the action REDIRECT_TO_POOL is selected. The list can be viewed using the command openstack loadbalancer pool list. If you don't already have a target group, create it;
  - --position <position> — the position of the policy in the rule. Specify it if there will be more than one policy with the same action in the rule; the policy with position 1 will be the first to apply;
  - <listener_name> — the name of the rule you created in step 2.
- Create a condition in the HTTP policy:

    openstack loadbalancer l7rule create \
      --compare-type <compare_type> \
      --type <type> \
      --value <value> \
      <policy_name>

  Specify:
  - <compare_type> — type of match with the control value:
    - EQUAL_TO — is a match;
    - STARTS_WITH — begins with;
    - ENDS_WITH — ends in;
    - CONTAINS — contains;
    - REGEX — regular expression;
  - <type> — parameter in the request to check: HOST_NAME, PATH, COOKIE, FILE_TYPE, HEADER;
  - <value> — control value;
  - <policy_name> — name of the L7 policy you created in step 3.
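
An added example, not part of the original page or the provider's code: a small Python model of what a rule does with a request according to the steps above (allowed CIDR, policy conditions, policy position, default target group), for checking a planned policy set before creating it. Assumptions: policies are tried in ascending position only (the page describes position for policies with the same action), only HOST_NAME and PATH conditions are modelled, and all pool names, hosts, paths and CIDRs are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

COMPARE = {  # compare types from the page, in the spelling the OpenStack CLI expects
    "EQUAL_TO": lambda got, ref: got == ref,
    "STARTS_WITH": lambda got, ref: got.startswith(ref),
    "ENDS_WITH": lambda got, ref: got.endswith(ref),
    "CONTAINS": lambda got, ref: ref in got,
    "REGEX": lambda got, ref: re.search(ref, got) is not None,
}

def request_field(url, rule_type):
    """Return the part of the request that a HOST_NAME or PATH condition checks."""
    parts = urlsplit(url)
    return (parts.hostname or "") if rule_type == "HOST_NAME" else (parts.path or "/")

def decide(url, src_ip, policies, allowed_cidrs=(), default_pool=None):
    """Model what a rule does with one request; returns (outcome, target)."""
    # An empty allowed-CIDR list accepts any source (assumes port security is enabled).
    if allowed_cidrs and not any(ip_address(src_ip) in ip_network(c) for c in allowed_cidrs):
        return ("NOT_ACCEPTED", None)
    for policy in sorted(policies, key=lambda p: p["position"]):  # assumption: position only
        # A policy applies only when every one of its conditions matches.
        if not all(COMPARE[how](request_field(url, typ), ref)
                   for typ, how, ref in policy["rules"]):
            continue
        target = policy.get("target")
        if policy["action"] == "REDIRECT_PREFIX":
            parts = urlsplit(url)  # keep path and query, replace protocol and domain
            target = target.rstrip("/") + parts.path + ("?" + parts.query if parts.query else "")
        return (policy["action"], target)
    # No policy matched: default target group, or discard when none is set.
    return ("DEFAULT_POOL", default_pool) if default_pool else ("DISCARD", None)

# Constructed sample data: pool names, hosts, paths and CIDRs are made up for this example.
ALLOWED = ["198.51.100.0/24", "203.0.113.7/32"]
POLICIES = [
    {"position": 1, "action": "REDIRECT_TO_POOL", "target": "pool-admin",
     "rules": [("HOST_NAME", "EQUAL_TO", "example.com"), ("PATH", "STARTS_WITH", "/app/admin")]},
    {"position": 2, "action": "REDIRECT_TO_POOL", "target": "pool-app",
     "rules": [("PATH", "STARTS_WITH", "/app")]},
    {"position": 3, "action": "REJECT", "rules": [("PATH", "REGEX", r"\.(env|bak)$")]},
    {"position": 4, "action": "REDIRECT_PREFIX", "target": "https://example.com/new",
     "rules": [("HOST_NAME", "EQUAL_TO", "old.example.com")]},
]

if __name__ == "__main__":
    for u in ("https://example.com/app/admin/users", "https://example.com/.env"):
        print(u, "->", decide(u, "198.51.100.20", POLICIES, ALLOWED, "pool-web"))
```

Running the same request with and without `default_pool` shows the difference between a default target group and Without a target group: unmatched traffic either reaches the default pool or is discarded.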