Forum Discussion
stevelee_88077
Jul 20, 2011Nimbostratus
help with http to https rediect - XenDesktop
Big-IP LTM 1600 10.2.2 (763.3)
Hello
I've been through the setup guide for XenDesktop http://www.f5.com/pdf/deployment-guides/ltm-citrix-xendesktop-dg.pdf
This all went fine and we are offloading SSL at Big-IP. The site loads fine over https, however I want to redirect any client requests from http to https. I've used this forum and added this to my setup: http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html
So now I have a VS on 443 (https) with the following iRule:
when HTTP_REQUEST {
Check if the client used an SSL cipher
if {not ([catch {SSL::cipher version} result]) && $result ne "none"}{
Client did use a cipher log local0. "\$result: $result. Allowing encrypted request."
} else {
Client did not use a cipher log local0. "\$result: $result. Redirecting unencrypted request."
HTTP::redirect https://xen.mysite.com } }
I've also changed the SSL Profile (Client) to allow "Non-SSL Connections" as per the above article.
https://xen.mysite.com loads fine and I can see traffic through Big-IP
http://xen.mysite.com does not redirect to https and I get page connot be displayed error. (in Chrome its Error 102 (net::ERR_CONNECTION_REFUSED)
If I take Big-IP out of the equation and go directly to the Cirtix XenDesktop web it works over both 80 and 443. I can also get it to work over 80 via Big-IP if I change the VS to 80.
Is there something wrong with the iRule or have I missed something in the config?
Many thanks in advance for any help you can provide!
- stevelee_88077Nimbostratusfor info, I've also tried these iRules on the https VS without success:
- stevelee_88077NimbostratusI've managed to sort this. Although it may be obvious to other Big-IP users, we've only just started using it here so thought I would post back what the resolution was.
- hooleylistCirrostratusThe first rule you're testing is used to redirect clients who make an HTTP request to an HTTPS virtual server. That rule should only be used on the HTTPS virtual server.
Port 80 iRule when CLIENT_ACCEPTED { log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]" } when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]" } when HTTP_RESPONSE { log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\"" } Port 443 iRule when CLIENT_ACCEPTED { log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]" } when CLIENTSSL_HANDSHAKE { log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake complete" } when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]" } when HTTP_RESPONSE { log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\"" }
- stevelee_88077NimbostratusAaron
- Using * and accepting traffic on all ports isn't best practice... If your goal is to redirect http traffic to https for the application leave your HTTPS vs alone and set it to listen only on 443.
rule myrule { when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" } }
- stevelee_88077NimbostratusThat makes sense and seems to work in our envrionment.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects