Forum Discussion
stevelee_88077
Nimbostratus
Jul 20, 2011
help with http to https redirect - XenDesktop
Big-IP LTM 1600 10.2.2 (763.3)
Hello
I've been through the setup guide for XenDesktop http://www.f5.com/pdf/deployment-guides/ltm-citrix-xendesktop-dg.pdf
This all went fine and we are offloading SSL at Big-IP. The site loads fine over https, however I want to redirect any client requests from http to https. I've used this forum and added this to my setup: http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html
So now I have a VS on 443 (https) with the following iRule:
when HTTP_REQUEST {
   # Check if the client used an SSL cipher
   if {not ([catch {SSL::cipher version} result]) && $result ne "none"}{
      # Client did use a cipher
      log local0. "\$result: $result. Allowing encrypted request."
   } else {
      # Client did not use a cipher
      log local0. "\$result: $result. Redirecting unencrypted request."
      HTTP::redirect https://xen.mysite.com
   }
}
I've also changed the SSL Profile (Client) to allow "Non-SSL Connections" as per the above article.
https://xen.mysite.com loads fine and I can see traffic through Big-IP
http://xen.mysite.com does not redirect to https and I get a "page cannot be displayed" error (in Chrome it's Error 102 (net::ERR_CONNECTION_REFUSED)).
If I take Big-IP out of the equation and go directly to the Citrix XenDesktop web it works over both 80 and 443. I can also get it to work over 80 via Big-IP if I change the VS to 80.
Is there something wrong with the iRule or have I missed something in the config?
Many thanks in advance for any help you can provide!
6 Replies
- stevelee_88077
Nimbostratus
for info, I've also tried these iRules on the https VS without success:
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
or
when HTTP_REQUEST {
if { [TCP::local_port] == 80 }{
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
}
Must be something to do with the VS config or the client SSL profile....can't figure out what though :(
- stevelee_88077
Nimbostratus
I've managed to sort this. Although it may be obvious to other Big-IP users, we've only just started using it here so thought I would post back what the resolution was.
The article below states that you only need to change SSL Profile (Client) to allow "Non-SSL Connections"
http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html
This didn't work in my setup for some reason. I had to change the service port on the VS to all ports, not 443. Now, with the following iRule all traffic is redirected to https when a connection is made to this VS:
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
I may be missing something here but it works for me, let me know if there are any other suggestions...
- hoolio
Cirrostratus
The first rule you're testing is used to redirect clients who make an HTTP request to an HTTPS virtual server. That rule should only be used on the HTTPS virtual server.
If you're trying to redirect port 80 traffic to port 443 via HTTPS, you can use the second rule.
If that's not working, can you try adding logging to both virtual servers:
Port 80 iRule
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
   log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\""
}
Port 443 iRule
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when CLIENTSSL_HANDSHAKE {
   log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake complete"
}
when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
   log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\""
}
Aaron
- stevelee_88077
Nimbostratus
Aaron
Thanks for your response. Originally I had my VS setup with Service Port 443 (https). I'm guessing the iRule didn't work because the VS isn't allowing Port 80 traffic and therefore never hit the iRule for it to be redirected to 443?
The article I mention doesn't seem to suggest this is the case though and just says to set the Client profile used on the SSL VS to allow "Non-SSL Connections".
All of the iRules I mention work once the VS service port is set to "* All". Now any traffic I send to that VS is redirected to https, which is exactly what I wanted. Just not sure this is the best way to do it?
We've only been using Big-IP for a week but already have a number of sites load balanced. Impressed so far...!
- Using * and accepting traffic on all ports isn't best practice... If your goal is to redirect http traffic to https for the application, leave your HTTPS vs alone and set it to listen only on 443.
Then create an 80 VS at the same ip. You will not need to set a pool for this vs. Yes, it will show blue in the gui (unknown), no big deal, it still accepts traffic and it's just used for the redirect. Then use this simple iRule on the VS.
rule myrule {
   when HTTP_REQUEST {
      HTTP::redirect "https://[HTTP::host][HTTP::uri]"
   }
}
- stevelee_88077
Nimbostratus
That makes sense and seems to work in our environment.
Thanks for the info!
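A stricter variant of the port 80 redirect iRule discussed in this thread, as an added example that is not code from any poster here: the redirects above build the Location header from the client-supplied Host header, so this version only reflects a hostname it recognises and otherwise sends the client to a fixed name. The hostname xen.mysite.com is taken from the first post; the allowed-name list and the use of a 301 instead of the 302 that HTTP::redirect sends are assumptions to adjust.

```tcl
# Added example: attach to the dedicated port 80 virtual server (no pool needed).
# Assumption: xen.mysite.com is the only name this virtual server should serve.
when HTTP_REQUEST {
    # Host is client-supplied: lower-case it and drop any ":port" suffix
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "xen.mysite.com" {
            # Known name: permanent redirect to the HTTPS virtual server,
            # preserving the requested URI
            HTTP::respond 301 Location "https://${host}[HTTP::uri]"
        }
        default {
            # Missing or unexpected Host header: log it and redirect to the
            # canonical name instead of echoing what the client sent
            log local0. "[IP::client_addr]:[TCP::client_port]: unexpected Host \"[HTTP::host]\" on [virtual name]"
            HTTP::respond 301 Location "https://xen.mysite.com/"
        }
    }
}
```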
