Forum Discussion
jacob900_39797
Nimbostratus
Nimbostratusdual redirect problem..
I am having problems getting this rule to work when the websphere plug-in is doing a redirect on top of my redirect. Here is the situtation.
1) User types in http://www.mysite.com/* (anything), my rule redirects them to https://www.mysite.com/main.jsp hopefully.
2) The moment the websphere plug-in gets this url it temporarily redirects it again to http://www.mysite.com/idm/user/login.jsp?extPage=user%2Fmain.jsp.
when I look at it with http analyzyer it looks like a constant loop happens either because of the http to https redirect rule or due to the immediate redirect on their end. I am not sure.
I use one vip that is ip_address/80 for the redirect and I use the rule below for the actual ip_address/443 vip. It is 443 coming in from the clients and port 80 back to the servers on the backend.
-------------------------------------------------
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri]] {
"/idm/user/main.jsp" {
pool IDM_IIS_YGC_80
}
default {
HTTP::redirect https://[HTTP::host]/idm/user/main.jsp }
}
}
-------------------------------------------------
Two questions
1) Should I ask to them to have their redirect page be https?
2)How can I make my rule work with this second redirect? BTW, their redirect listed above is so that the user can be authenticatd by a third-party and then sent back ot www.mysite.com/main.jsp.
Any advice would be highly appreciated.
Thank you,
- Hi Jacob --
Instead of having the app owner change the redirect, you can set LTM's "Redirect Rewrite" option in the http profile applied to the port 443 virtual to "Matching" to re-write redirects with the same hostname to HTTPS rather than HTTP. But I think it might be only part of the problem.
You say the WebSphere plugin redirects to 3rd party authentication, but the hostname in the redirect is the same as the original requested hostname.
That means the traffic must be flowing something like this:Port 80:
-- client req http://* -> VS:80 -> redirect to https:://* (no problem here if everything is redirected)
Port 443:
-- client req https://...(main.jsp) -> VS:443 -> forward to pool
-- server responds with redirect to https:://.../login.jsp
-- client req https://...(login.jsp) -> VS:443 -> redirect to https:://.../main.jsp
-- lather, rinse, repeat ad nauseum (the looping behavior you are seeing)Looks like with this iRule in place, and login.jsp page and main.jsp both hosted behind it, the client is never going to hit the login page.
You mentioned that the WebSphere server is supposed to be redirecting to a 3rd party host for authentication. That would probably solve this situation. If necessary, you can re-write the redirect in the iRule to reference a different location, or if both pages are intended to live behind the iRule, you should add a switch case allowing the login.jsp through without redirecting.
HTH (As always, post back if you need clarification or if I seem to have it all wrong.)
/deb 
jacob900_39797Yes you are understanding it perfect. Your feedback was right on. Oddly enough, two lightbulbs went on last night that correlate with your advice.
1) I added the proxy_rewrite http profile to the redirect vip to handle the first redirect problem.
2) I added an additional switch statement to make the second url redirect legal as well.
Here is the rule and it appears to be working. (I think)
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri]] {
"/idm/user/main.jsp" {
pool IDM_IIS_YGC_80
}
"/idm/user/login.jsp*" {
pool IDM_IIS_YGC_80
}
default {
HTTP::redirect https://[HTTP::host]/idm/user/main.jsp }
}
}
Thank you for all your help.
