Forum Discussion
milo
Nimbostratus
Jul 06, 2009
consolidate all http to https request under one virtual server
I would like to create one virtual server that uses a network segment to support all incoming http requests. The majority of my company's http traffic is redirected to https. I've come up with four different iRules that could be used to support the various redirects, including one to simply forward traffic to the correct pool.
Can I consolidate the following iRules into one iRule? And, does it even make sense to do this?
Rule URI_https_redirect
Purpose - Redirect http URI to specific https URI
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri] ] {
"/portal*" {HTTP::redirect "https://secure.aaa.com/login.do"}
"/b-portal*" {HTTP::redirect "https://secure.bbb.com/login.do"}
}
}
Rule domain_https_redirect
Purpose - Redirect http domains to specific https URI
when HTTP_REQUEST {
switch [string tolower [HTTP::host] ] {
www.aaa.com { HTTP::redirect https://www.aaa.com[HTTP::uri] }
www.bbb.com { HTTP::redirect https://www.bbb.com[HTTP::uri] }
}
}
Rule http_no_redirect
Purpose - Forward http traffic to appropriate pool
when HTTP_REQUEST {
switch [string tolower [HTTP::host] ] {
www.ccc.com {pool www.ccc.com}
www.ddd.com {pool www.ddd.com}
}
}
Rule http_to_https_redirect
Purpose - Redirect any http URL to an https URL
when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] }
4 Replies
- hoolio
Cirrostratus
Do you have an HTTP and an HTTPS virtual server? Which iRules are for HTTP requests and which are for HTTPS? Do you have a pool of webservers that answer for all web applications on the network segment you refer to?
- milo
Nimbostratus
The majority of our public facing sites are built with two virtual servers; one listening on port 80 and the other listening on port 443. We're using a class C block for all the virtuals. The webservers are segmented into different vlans according to the application being supported.
- hoolio
Cirrostratus
You could combine the rules into one with something like this:
when HTTP_REQUEST {
   switch -glob [string tolower [HTTP::uri] ] {
      "/portal*" {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched URI /portal*, redirecting."
         HTTP::redirect "https://secure.aaa.com/login.do"
         return
      }
      "/b-portal*" {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched URI /b-portal*, redirecting."
         HTTP::redirect "https://secure.bbb.com/login.do"
         return
      }
   }
   switch [string tolower [HTTP::host] ] {
      www.aaa.com {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched host www.aaa.com, redirecting"
         HTTP::redirect "https://www.aaa.com[HTTP::uri]"
         return
      }
      www.bbb.com {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched host www.bbb.com, redirecting"
         HTTP::redirect "https://www.bbb.com[HTTP::uri]"
         return
      }
      www.ccc.com {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched www.ccc.com, using pool"
         pool www.ccc.com
         return
      }
      www.ddd.com {
         log local0. "[IP::client_addr]:[TCP::client_port]: Matched www.ddd.com, using pool"
         pool www.ddd.com
         return
      }
   }
   log local0. "[IP::client_addr]:[TCP::client_port]: Matched , "
   HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
- milo
Nimbostratus
Thanks Hoolio. This appears to be exactly what I need. I'm definitely going to need the logging when testing, I appreciate that. But, I especially appreciate you adding the "return" command. It never dawned on me that the iRule processing would continue evaluating each condition after a match was found.
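Added example, not part of the thread and not F5 code: a plain `tclsh` harness that runs the combined rule body from the reply above with and without its `return` calls and lists every action issued per request. The stub procs, the `::host`/`::uri`/`::actions` variables, the `DONE` marker and the sample requests are assumptions constructed for this illustration; the `log` lines are omitted.

```tcl
# Added example (not from the thread): tclsh stand-ins for the iRule commands.
# The stubs, ::host/::uri/::actions and the sample requests are constructed here.
namespace eval HTTP {}
proc HTTP::host {} { return $::host }
proc HTTP::uri {} { return $::uri }
proc HTTP::redirect {url} { lappend ::actions "redirect $url" }
proc pool {name} { lappend ::actions "pool $name" }

# Combined rule body from the reply above, log lines omitted.
# DONE marks each place where the reply calls return.
set body {
    switch -glob [string tolower [HTTP::uri]] {
        "/portal*"   { HTTP::redirect "https://secure.aaa.com/login.do"; DONE }
        "/b-portal*" { HTTP::redirect "https://secure.bbb.com/login.do"; DONE }
    }
    switch [string tolower [HTTP::host]] {
        www.aaa.com { HTTP::redirect "https://www.aaa.com[HTTP::uri]"; DONE }
        www.bbb.com { HTTP::redirect "https://www.bbb.com[HTTP::uri]"; DONE }
        www.ccc.com { pool www.ccc.com; DONE }
        www.ddd.com { pool www.ddd.com; DONE }
    }
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
proc rule_with_return {} [string map {DONE return} $body]
proc rule_without_return {} [string map {DONE {}} $body]

# Evaluate one request and report every action the rule issued, in order.
proc run {rule host uri} {
    set ::host $host; set ::uri $uri; set ::actions {}
    $rule
    return [join $::actions " | "]
}

# Constructed sample requests: URI match, mixed-case host, pool host, unknown host.
foreach {host uri} {
    www.aaa.com       /portal/home
    WWW.BBB.COM       /Docs/Index.html
    www.ccc.com       /index.html
    other.example.com /status
} {
    puts "http://$host$uri"
    puts "  with return:    [run rule_with_return $host $uri]"
    puts "  without return: [run rule_without_return $host $uri]"
}
```

For `www.ccc.com`, the run without `return` reports the pool selection followed by the catch-all redirect, which is the fall-through the `return` calls prevent.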