Confusion over basic HTTPS to HTTP irule
Customers' browsers point at: https://companya.com:8443
My F5 LTM has a VS configured to:
1. Perform SSL termination for that traffic
2. Forward it on to a Pool of servers on HTTP port 8080

My iRule needs to:
1. Change https to http
2. Change the :8443 to :8080
Here is that irule:
    when HTTP_RESPONSE {
        if { ( [HTTP::is_redirect] ) } then {
            HTTP::header replace "Location" [string map [list "http://" "https://" ":8080" ":8443"] [HTTP::header value "Location"]]
        }
    }
To me, this seems fine; however, things aren't working, and when doing a packet capture on one of the pool servers I can see that the URI still has :8443 in it. How do I convert to http:8080 for inbound traffic and back to http:8443 for outbound??
Any help appreciated
3 Replies
- Mark_35110
Nimbostratus
I can't seem to edit my original post, but my last question should read:
How do I convert to http:8080 for inbound traffic and back to https:8443 for outbound??
- Vijay_E
Cirrus
Out of curiosity, why do you need :8443 in https://companya.com? Can't you just use https://companya.com and configure the pool members to listen on port 8080? I think your configuration can be simplified unless you have specific reasons to utilize :8443 within https://.
If you still want to retain the existing set up, try using:
[string map -nocase "http:// https:// :8080/ :8443/" [HTTP::header value Location]]
I just did a quick rebuild in my lab to see what's the behavior on my BIG-IP and it looks like it's doing the same. Here is my setup:
On my BIG-IP a VS listening on port 8443 with a clientssl profile attached. Also is attached a pool with a member that listens on port 8080 (no SSL). When I do a curl to the VS on 8443 the webserver at 8080 is working:
    [nielsvs@localhost ~]$ curl -v -k https://10.23.98.20:8443
    * Rebuilt URL to: https://10.23.98.20:8443/
    * Trying 10.23.98.20...
    * Connected to 10.23.98.20 (10.23.98.20) port 8443 (0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    * Server certificate:
    * subject: E=root@localhost.localdomain,CN=localhost.localdomain,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    * start date: Mar 01 12:23:46 2016 GMT
    * expire date: Feb 27 12:23:46 2026 GMT
    * common name: localhost.localdomain
    * issuer: E=root@localhost.localdomain,CN=localhost.localdomain,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    > GET / HTTP/1.1
    > User-Agent: curl/7.40.0
    > Host: 10.23.98.20:8443
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Sun, 27 Nov 2016 19:47:29 GMT
    < Server: Apache/2.4.17 (Fedora) PHP/5.6.20
    < Last-Modified: Sun, 27 Nov 2016 19:25:51 GMT
    < ETag: "74-5424d52b75603"
    < Accept-Ranges: bytes
    < Content-Length: 116
    < Content-Type: text/html; charset=UTF-8
    <
    Listen on port 8080 Listen on port 8080 test
    * Connection 0 to host 10.23.98.20 left intact
    [nielsvs@localhost ~]$
When I perform a tcpdump on the pool member it shows the Host header is unchanged:
    20:50:53.398593 IP 10.23.98.5.47039 > localhost.localdomain.webcache: Flags [P.], seq 1:110, ack 1, win 4380, options [nop,nop,TS val 2807503574 ecr 680267002], length 109: HTTP: GET / HTTP/1.1
        0x0000: 4500 00a1 fb9a 4000 fe06 ae86 0a17 6205 E.....@.......b.
        0x0010: 0a17 5c02 b7bf 1f90 ce7f de44 3552 3cad ..\........D5R<.
        0x0020: 8018 111c dcd0 0000 0101 080a a757 1ad6 .............W..
        0x0030: 288c 0cfa 4745 5420 2f20 4854 5450 2f31 (...GET./.HTTP/1
        0x0040: 2e31 0d0a 5573 6572 2d41 6765 6e74 3a20 .1..User-Agent:.
        0x0050: 6375 726c 2f37 2e34 302e 300d 0a48 6f73 curl/7.40.0..Hos
        0x0060: 743a 2031 302e 3233 2e39 382e 3230 3a38 t:.10.23.98.20:8
        0x0070: 3434 330d 0a41 6363 6570 743a 202a 2f2a 443..Accept:.*/*
        0x0080: 0d0a 582d 466f 7277 6172 6465 642d 466f ..X-Forwarded-Fo
        0x0090: 723a 2031 302e 3233 2e39 322e 320d 0a0d r:.10.23.92.2...
        0x00a0: 0a .
The iRule you use also seems to work. My redirect.php script looks like this:
[root@localhost test_8080] cat redirect.php [root@localhost test_8080]
When I retrieve this page via the VS it's changing the port number from 8080 to 8443.
    [nielsvs@localhost ~]$ curl -v -k https://10.23.98.20:8443/redirect.php
    * Trying 10.23.98.20...
    * Connected to 10.23.98.20 (10.23.98.20) port 8443 (0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    * Server certificate:
    * subject: E=root@localhost.localdomain,CN=localhost.localdomain,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    * start date: Mar 01 12:23:46 2016 GMT
    * expire date: Feb 27 12:23:46 2026 GMT
    * common name: localhost.localdomain
    * issuer: E=root@localhost.localdomain,CN=localhost.localdomain,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    > GET /redirect.php HTTP/1.1
    > User-Agent: curl/7.40.0
    > Host: 10.23.98.20:8443
    > Accept: */*
    >
    < HTTP/1.1 302 Found
    < Date: Sun, 27 Nov 2016 19:52:31 GMT
    < Server: Apache/2.4.17 (Fedora) PHP/5.6.20
    < X-Powered-By: PHP/5.6.20
    < Location: https://10.23.98.20:8443/new_page.html
    < Content-Length: 0
    < Content-Type: text/html; charset=UTF-8
    <
    * Connection 0 to host 10.23.98.20 left intact
    [nielsvs@localhost ~]$
So what isn't exactly working in your setup?
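An added example, not posted by anyone in the thread: the thread's iRule only fires in HTTP_RESPONSE, so it rewrites the Location header going back to the client and never touches the Host header the pool member receives, which is what the tcpdump above shows. The sketch below handles both directions and anchors the Location rewrite to the start of the URL, so an `http://` or `:8080` embedded in a path or query string is left alone. It assumes the backend should see port 8080 in Host, that 8443 and 8080 are the only ports involved, and that hosts are names or IPv4 addresses (IPv6 literals are not handled).

```tcl
# Added example, not from the thread. Ports 8443 (client side) and
# 8080 (pool side) are taken from the original post; whether the
# backend actually needs a rewritten Host header is an assumption.

when HTTP_REQUEST {
    # Inbound: the client sends "Host: <name>:8443". Rewrite only the
    # trailing port so the pool member sees the port it listens on.
    set host [HTTP::host]
    if { $host ends_with ":8443" } {
        # Anchored to end of string; a ":8443" elsewhere is untouched.
        regsub {:8443$} $host {:8080} newhost
        HTTP::header replace Host $newhost
    }
}

when HTTP_RESPONSE {
    # Outbound: only redirects carry a Location header worth rewriting.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]

        # Match scheme, host and port at the very start of the URL.
        # Unlike an unanchored "string map", this does not alter
        # "http://" or ":8080" appearing later in the path or query,
        # and it leaves redirects to other ports or to relative URLs
        # exactly as the server sent them.
        if { [regsub -nocase {^http://([^/:]+):8080(/|$)} $loc {https://\1:8443\2} newloc] } {
            HTTP::header replace Location $newloc
        }
    }
}
```

Checking the result the same way the thread does, with `curl -v -k` against the virtual server and a tcpdump on the pool member, shows whether both the Host and Location headers now carry the expected port.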