Create a rule for HTTP or HTTPS traffic

Create a rule for HTTP or HTTPS traffic

Control panel

1. In the dashboard, on the top menu, click Products and select Cloud Servers.

2. Go to Balancers → Balancers tab.

3. Open the balancer page.

4. Click Create Rule.

5. Select the protocol for receiving traffic — HTTP or HTTPS.

6. For the selected protocol, the default port on which the balancer will listen to traffic will be automatically selected — change it if necessary.

7. Optional: Enter the allowed CIDR — IP addresses from which the balancer will accept traffic with the selected protocol and port. You can enter a subnet in CIDR format or a single IP address with a /32 mask. If you leave the field blank, the balancer will accept traffic from any IP addresses. You can specify the allowed IP addresses in the rule after the balancer is created.

   If this field is absent, port security is disabled on the balancer's network.

8. If you selected HTTPS protocol, specify a certificate for HTTPS traffic termination on the load balancer — select a certificate from the Secrets Manager or download a new one. For more information, see the TLS(SSL)-Certificates for Load Balancer instruction.

9. Select the default target group or create a new target group with HTTP protocol. Traffic that does not match HTTP policies will be directed to the default target group . To discard traffic that does not fall under HTTP policies, select No Target Group.

10. Mark the HTTP request headers that will be passed to the servers.

11. Optional: create HTTP policies:

    11.1.Click Add New Policy.

    11.2.Select the parameter for which the query will be checked:

    • HOSTNAME — to check the domain name;
    • PATH — to check the path.

    11.3.Select the type of match to the reference value:

    • EQUAL TO — match;
    • STARTS WITH. — begins with;
    • ENDS WITH. — ends with;
    • CONTAINS — Contains;
    • REGEX — regular expression.

    11.4.Enter a control value to check. If you selected the REGEX condition in step 11.3, enter a regular expression.

    11.5.Optional: To add another condition to the policy, click New Condition and customize it. If there are multiple conditions in the policy, the request must match each of them to fall under the policy.

    11.6.Specify where to redirect the matching request:

    • Direct to a target group — select a target group or create a new one with the HTTP protocol;
    • URL redirect — enter a target URL that will completely replace the request URL, including protocol, domain name, path, and request parameters;
    • Redirect to URL prefix — enter the part of the URL to replace the protocol and domain name in the URL requests. For example, if you enter https://example.com/new, then the request to https://example.com/api will be forwarded to https://example.com/new/api

    To not accept requests that match the policy, select Deny Traffic.

    11.7 Enter a policy name or leave the default one generated.

    11.8. Click Add.

    11.9 Optional: To add another policy, click Add New Policy and configure it.

12. Optional: change the connection settings, to do this, open the Advanced Rule Settings block and specify:

    • for incoming requests to the balancer — specify the connection timeout and maximum connections;
    • for requests from the balancer to servers — specify the connection timeout, inactivity timeout and TCP packet waiting timeout.

13. Click Create.

OpenStack CLI

1. Open the OpenStack CLI.

2. Create a rule for the balancer:

   openstack loadbalancer listener create \
     --name <listener_name> \
     --protocol <protocol> \
     --protocol-port <port> \
     [--allowed-cidr <allowed_cidr>] \
     --default-tls-container=<certificate_uuid> \
     --default-pool <default_pool> \
     <loadbalancer>

   Specify:

   • <listener_name> — rule name;
   • <protocol> — protocol name, HTTP or TERMINATED_HTTPS;
   • <port> — port number;
   • optional: --allowed-cidr <allowed_cidr> — IP address from which it is allowed to receive traffic, where <allowed_cidr> — subnet in CIDR format or single IP address with mask /32. If you need to specify multiple addresses, specify each address in a separate --allowed-cidr parameter . For the restriction to work, port security must be enabled on the balancer network . You can specify the allowed IP addresses in the rule after the balancer is created;
   • --default-tls-container=<certificate_uuid> — ID of the TLS(SSL)-certificate for terminating HTTPS traffic on the balancer. Specify if you selected the protocol TERMINATED_HTTPS. Can be copied in control panel: in the top menu, click Products → Secrets Manager → tab Certificates → in the menu of the certificate, select Copy UUID. More about TLS(SSL)-based load balancer certificates;
   • optional: --default-pool <default_pool> -ID or name of the default target group to which traffic that is not subject to HTTP policies in the rule will be forwarded . If you do not specify the parameter, traffic not caught by the policies will be discarded. You can view the list of groups using the openstack loadbalancer pool list command . If you do not have a suitable target group, create one;
   • <loadbalancer> — The ID or name of the load balancer. The list can be viewed with the command openstack loadbalancer list.

3. Create an HTTP policy in the rule:

   openstack loadbalancer l7policy create \
     --action <action> \
     [--redirect-url <url> | --redirect-prefix <prefix_url> | --redirect-pool <pool> ]
     --position <position> \
     --name <policy_name> \
     <listener_name>

   Specify:

   • <action> — action to balance traffic:

     • REDIRECT_TO_URL — completely replace the request URL, including protocol, domain name, path, and parameters;
     • REDIRECT_PREFIX — replace the protocol and domain name in the request URL;
     • REDIRECT_TO_POOL — redirect to target group,
     • REJECT — REJECT;

   • <policy_name> — L7 policy name;

   • where the traffic needs to be directed:

     • --redirect-url <url> — The full URL for the redirect. Specify if the action is selected REDIRECT_TO_URL;
     • --redirect-prefix <prefix_url> — URL prefix to replace the protocol and domain in the request, e.g. https://example.com. Specify if the action is selected REDIRECT_PREFIX;
     • --redirect-pool <pool> — ID or name of the target group. Specify if the action is selected REDIRECT_TO_POOL. The list can be viewed with the command openstack loadbalancer pool list. If you don't have a target group yet, create one.

   • --position <position> — position of the policy in the rule. Specify if there will be multiple policies with the same action in the rule, the policy with position 1 will be applied first;

   • <listener_name> — the name of the rule you created in step 2.

4. Create a condition in the HTTP policy:

   openstack loadbalancer l7rule create \
     --compare-type <compare_type> \
     --type <type> \
     --value <value> \
     <policy_name>

   Specify:

   • <compare_type> — type of match with the control value:

     • EQUAL TO — match;
     • STARTS WITH. — begins with;
     • ENDS WITH. — ends with;
     • CONTAINS — Contains;
     • REGEX — regular expression;

   • <type> — parameter in the query to check: HOST_NAME, PATH, COOKIE, FILE_TYPE, HEADER;

   • <value> — control value;

   • <policy_name> — name of the L7 policy you created in step 3.