Forum Discussion
scottl_82413
Nimbostratus
Feb 07, 2008
Don't redirect to SSL if URI exists
I'm trying to create an irule that will redirect:
http://www.mysite.com to https://www.mysite.com
however, if someone goes to http://www.mysite.com/training
I don't want it to redirect.
I've tried several irules to do this, as well as http class profiles, but can't seem to accomplish it.
Any ideas? I'm open to either an irule or http class profile
9 Replies
- hoolio
Cirrostratus
Hi,
Something like this?

    when HTTP_REQUEST {
        # Check if requested path isn't /training
        if {not ([HTTP::path] eq /training)} {
            # Redirect request to the same host/uri, but via HTTPS
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }

Also, if you use your email address as your login, your email address will appear in search engine results and is susceptible to spam.
Aaron
- scottl_82413
Nimbostratus
Thanks for the reply...still not working...it still redirects to https://www.mysite.com/training
I think I needed to add quotes to the /training, because I got an error without them

    when HTTP_REQUEST {
        # Check if requested path isn't /training
        if {not ([HTTP::path] eq "/training")} {
            # Redirect request to the same host/uri, but via HTTPS
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }

Also thanks for the heads up on the email. I didn't realize it used my login for the posting name until after I'd posted, and didn't see any way to change it.
- hoolio
Cirrostratus
Sorry...typing faster than thinking. You do need quotes for the comparison.
Can you log the URI before testing if it's literally "/training"? I would imagine that either the client is requesting a mixed case of training, the URI is longer than just "/training", the URI is fully qualified with the hostname, or the app itself is sending the redirect.
Here is a version with additional logging to /var/log/ltm:

    when HTTP_REQUEST {
        log local0. "Client [IP::client_addr] requested [HTTP::host][HTTP::uri]"
        # Check if requested path isn't /training
        if {not ([HTTP::path] eq "/training")} {
            log local0. "Redirecting client [IP::client_addr] from [HTTP::path] to [HTTP::host][HTTP::uri]"
            # Redirect request to the same host/uri, but via HTTPS
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }

Aaron
- scottl_82413
Nimbostratus
Here's what the logs show:
Feb 7 12:33:29 tmm tmm[1656]: Rule ssl_redirect : Client x.x.x.x requested www.mysite.com/training
Feb 7 12:33:30 tmm tmm[1656]: Rule ssl_redirect : Client x.x.x.x requested www.mysite.com/training/
Feb 7 12:33:30 tmm tmm[1656]: Rule ssl_redirect : Redirecting client x.x.x.x from /training/ to www.mysite.com/training/
Now, I'm pretty confident that the app isn't doing the redirect, because if I turn off this irule the redirect doesn't happen.
- hoolio
Cirrostratus
It sounds like you want to allow HTTP access to any URI starting with /training, not just equal to /training. Can you try this version?

    when HTTP_REQUEST {
        log local0. "Client [IP::client_addr] requested [HTTP::host][HTTP::uri]"
        # Check if requested path doesn't start with /training
        if {not ([HTTP::path] starts_with "/training")} {
            log local0. "Redirecting client [IP::client_addr] from [HTTP::path] to [HTTP::host][HTTP::uri]"
            # Redirect request to the same host/uri, but via HTTPS
            HTTP::redirect https://[HTTP::host][HTTP::uri]
        }
    }

Aaron
- hoolio
Cirrostratus
Third time was a charm. Glad it's working for you.
Aaron
- ask_me_anytime_
Nimbostratus
Hi,
I was doing something similar with the below script, but it didn't work...
I wanted to allow HTTPS access to any URI starting with some words but it's not working.

    when HTTP_REQUEST {
        # Send the admin and blog paths to the single-member pool
        if { [HTTP::uri] starts_with "/m-admin" } {
            use pool Portal_m_443
        } elseif { [HTTP::uri] starts_with "/myblog" } {
            use pool Portal_m_443
        } else {
            # Everything else goes to the three-member pool
            use pool Portal_443
        }
    }

I name this irule portal_443.
I applied this irule to an HTTPS virtual server like 10.8.52.9:443, resource -> irule portal_443
Please note that the BIG-IP is not the termination of the SSL connection; the servers are (so HTTPS encryption/decryption will happen on the pool members). SSL keys/certificates are all installed on the pool members.
pool Portal_443 members:
10.8.52.244:443
10.8.52.245:443
10.8.52.246:443
pool Portal_m_443 member:
10.8.52.244:443
Does anybody know why it is not working?
Is it because the BIG-IP is not the SSL termination?
Please advise.
Sakolan
- kykong_107132
Nimbostratus
Hi Sakolan,
In order for F5 LTM to inspect HTTP content or headers, you need to terminate SSL at F5.
You can try offloading the SSL to F5 and test your irule again.
Cheers.
Regards,
KY
- ask_me_anytime_
Nimbostratus
Hi KY,
You were right. I needed to terminate SSL at the LTM for the irule to work.
Now, everything is working fine.
Thank you.
Sakolan
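
Added example, not part of any post in this thread: a tighter form of the `starts_with "/training"` redirect rule from the first half of the discussion, which exempts only `/training` and paths beneath it and compares case-insensitively (two of the mismatches hoolio listed when asking for the logged URI). The sibling path `/training-archive` named in the comment is hypothetical.

```tcl
when HTTP_REQUEST {
    # Compare on a lower-cased copy so /Training and /TRAINING/ match too.
    set path [string tolower [HTTP::path]]

    switch -glob -- $path {
        "/training" -
        "/training/*" {
            # Exempt only the /training directory itself and anything
            # beneath it. A bare starts_with "/training" would also leave
            # sibling paths such as /training-archive (hypothetical) on
            # plain HTTP.
            log local0. "HTTP allowed for [IP::client_addr]: [HTTP::host][HTTP::uri]"
        }
        default {
            # Everything else goes to the same host and URI over HTTPS.
            log local0. "Redirecting [IP::client_addr] to https://[HTTP::host][HTTP::uri]"
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }
}
```

The rule belongs on the port 80 virtual server; as the second half of the thread shows, `HTTP_REQUEST` rules on a 443 virtual server only work when the BIG-IP terminates SSL.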