Forum Discussion
Marker_58065
Nimbostratus
NimbostratusAppend domain when needed and redirect to HTTPS
Here is the background - we have a couple of internal F5s with a bunch of applications that we are doing SSL offloading on. When users access these applications they don't have to type the FQDN because of a dns search suffix. So if a user types 'sharepoint' in the browser, it resolves 'sharepoint.ourdomain.net' but the host header only has 'sharepoint' and not the FQDN. We like to use one general rule for redirecting to HTTPS on our virtuals when possible. We use the following rule external:
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Which works great with a FQDN, but we would like to have something similar that looks to see if the the host request has the FQDN and if not, append it, then redirect to HTTPS. Here is something i have come up with, but I wanted to know if maybe there is a better way.
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::host]] {
*.ourdomain.net {
HTTP::redirect https://[HTTP::host][HTTP::uri]
} default {
HTTP::redirect https://[HTTP::host].ourdomain.net[HTTP::uri]
}
}
}
Today we just build a custom redirect irule per application, but we would like a generic one we can apply across multiple virtuals. Any feedback you would have would be great.
Thanks.
hooleylistCirrostratus
Hi Marker,
Do you need to support access by IP address to the virtual servers? If so, the rule you've posted wouldn't work, as clients would get redirected to 1.2.3.4.ourdomain.net. I can think of a few possible solutions for this:
- Use the iRule you've listed and in effect break access by IP address
- Use an iRule per virtual server with a hardcoded hostname. Redirect everything to that hostname with the URI preserved.
- Use one iRule for all virtual servers and a datagroup that maps the virtual server IP to a hostname. You'd need to update the datagroup anytime the mapping changes.
- Use one iRule and do a DNS reverse lookup on the VS IP to get a hostname that can be sent to the client in a redirect. This assumes that there is a DNS server which has valid PTR records for the virtual servers.
Aaron
Marker_58065Thanks for the quick reply. No, we do not access them by IP address, though if I was using that irule I would probably put '10.* -' on the first match string. If someone used an IP I would want it to work, but wouldn't care if they got a cert error. Our company actually uses your 2nd solution today and it works great, I am just trying to see about a more efficient way (I am lazy...I know).
I have actually been looking at datagroups because I have about 500 redirects on an old cisco css that I need to decommission, but I would still need to parse the host request to see if it is FQDN or not. Do you have a suggested irule to use with the datagroup and check whether it is FQDN or not? We don't usually do PTR records for our virtual servers so I am not sure if I would go that route.
Thanks!- hooleylistHere's an example of the datagroup mapping:
Datagroup mapping the VS IP to hostname class redirect_vs_to_host_class { { host 1.1.1.1 { "vs1.example.com" } host 1.1.1.2 { "vs2.example.com" } host 1.1.1.3 { "vs3.example.com" } } } iRule which references the above datagroup when HTTP_REQUEST { Look up the VS IP in the IP to hostname datagroup set match [class search -value redirect_vs_to_host_class equals [IP::local_addr]] If a match was found redirect to the hostname from the class if {$match ne ""}{ HTTP::redirect https://$match[HTTP::uri] } else { Take some default action? HTTP::redirect https://[HTTP::host][HTTP::uri]" } }
Note that the datagroup would need to be manually updated anytime a VS or hostname changes.
Aaron - hooleylistAnother option would be to name the virtual server with the FQDN that is in DNS and then parse [virtual name] to get the correct hostname. You could avoid manually configuring the IP to hostname mappings with this. A caveat is that you can't rename virtual servers via the GUI. The example below uses the virtual server name up to the first underscore:
virtual www.example.com_http_vs { destination 10.1.0.15:80 ip protocol tcp rules vs_name_to_redirect_rule profiles { http {} tcp {} } }when HTTP_REQUEST { log local0. "parsed https://[getfield [virtual name] _ 1][HTTP::uri]" HTTP::redirect "https://[getfield [virtual name] _ 1][HTTP::uri]" }
Aaron - Marker_58065I like both of your examples. I think I will try and use your second example because we do use FQDN for our virtual server names and it would be simpler to implement. Thanks for your help!
- Marker_58065Thanks again..the vs_name script works great. I have another somewhat related question. We have one virtual that is doing redirects so are users can have easier access to sites. Right now, we are using a 'switch -glob' irule to match and I would like to move to datagroups. Here are my questions:
1. This is on our internal network, so I have the dns search suffix issues again(host header may have the domain, but 90% won't). Would you do an 'if, else' statement to check for the domain and then do a lookup on the datagroup? Another thought would be do a string map and just always remove the domain, but since most requests won't have it, would that be unnecessary overhead? If someone could give an irule example that would be great!! (I am running 10.0.1)
2. At what point do you do an internal datagroup vs an external? I have about 300 redirects...I would guess it will grow to 500 or so in a year.
Any help would be appreciated!
Thanks. - hooleylistCan you clarify for scenario 1 why you wouldn't redirect all HTTP requests to HTTPS using the statically assigned hostname which matches the cert for the HTTPS virtual server? Or are you referring to something different?
As for internal versus external datagroups, I don't think there is a difference in performance. Both datagroups are loaded into memory on a config load. I think the main advantage to using an external datagrroup is that you can update the file without modifying the bigip.conf. Anyone else have something to add on this?
Aaron - Marker_58065Sorry about the confusion...this one is totally different. Now I am just taking about a standard url redirect, like a user puts in 'site1' and gets sent to 'http://sharepoint.domain.net/somesite/etc/'. I got about 300 of them all on 1 virtual. I have the same problem with not always getting the full domain in the host request. Today I have this:
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::host]] {
site1* {
HTTP::redirect https://sharepoint.domain.net/sites/default.aspx
}
helpdesk* {
HTTP::redirect http://remedy.domain.net/login
}
dashboard* {
HTTP::redirect https://dashboards.domain.net/corda/dashboards/
}
}
}
It is a really long irule, but it works. Seems like a datagroup would be easier to maintain than this. I came up with this, but I am wondering if there would be a better way.
class URL-REDIRECTS {
{
site1 { "https://sharepoint.domain.net/sites/default.aspx" }
helpdesk { "http://remedy.domain.net/login" }
dashboard { "https://dashboards.domain.net/corda/dashboards/" }
}
}
when HTTP_REQUEST {
Remove domain and look up the requested host in the datagroup
set Host [class search -value URL-REDIRECTS eq [string map -nocase {".domain.net" ""} [HTTP::host]]]
log local0. "Host var is $Host"
if { $Host ne "" } {
HTTP::redirect $Host
}
}
Maybe I should have started a new thread on this one.....Anyway, I hope that clears up what I am trying to do. Thanks! - hooleylistThanks for clarifying. I like your use of string map to remove the domain before doing the class lookup. If that works, it looks efficient and easy to administer to me.
Aaron - Marker_58065Sounds good. Thanks again for your help.