Forum Discussion
Help with Irule to redirect url port and pass POST data
Hi all.
Users must use https://sso.domain.com/sp/ACS.saml2 to pass their SSO (Single Sign ON) to our SP servers.
Our SP server listens on port 9031. I need the SSO POST data coming to https://sso.domain.com/sp/ACS.saml2 to be redirected to https://sso.domain.com:9031/sp/ACS.saml2. Traffic to https://sso.domain.com:9031/sp/ACS.saml2 needs to be sent to our "SSO" VIP.
The iRule I have written doesn't pass the POST data through the redirect. Can anyone be so kind as to review my iRule?
when HTTP_REQUEST {
    # Check if request was a POST
    if { [string tolower [HTTP::method]] eq "post" } {
        # Check if there is a Content-Length header
        if { [HTTP::header exists "Content-Length"] } {
            if { [HTTP::header "Content-Length"] > 1048000 } {
                # Content-Length over 1Mb so collect 1Mb
                set content_length 1048000
            } else {
                # Content-Length under 1Mb so collect actual length
                set content_length [HTTP::header "Content-Length"]
            }
        } else {
            # Request did not have Content-Length header, so use default of 1Mb
            set content_length 1048000
        }
        # Don't collect content if Content-Length header value was 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    if { [TCP::local_port] == 443 and [HTTP::uri] contains "/sp/ACS.saml2" } {
        HTTP::redirect https://sso.domain.com:9031/sp/ACS.saml2
    }
    if { [TCP::local_port] == 9031 and [HTTP::uri] contains "/sp/ACS.saml2" } {
        virtual SSO_9031
    } else {
        return
    }
}
13 Replies
- nitass_89166
Noctilucent
I need the SSO POST data coming to https://sso.domain.com/sp/ACS.saml2 to be redirected to https://sso.domain.com:9031/sp/ACS.saml2. Traffic to https://sso.domain.com:9031/sp/ACS.saml2 needs to sent to our "SSO" VIP.
is sso.domain.com:443 a virtual server? and what is its pool?
is sso.domain.com:9031 also a virtual server? is it the same as or different from the sso.domain.com:443 virtual server? and what is its pool?
- chuckcald_15879
Nimbostratus
sso.domain.com:443 is a virtual server with a pool named "pool_sso.domain.com_443". sso.domain.com:9031 is a different virtual server named sso_9031 with a pool named "pool_sso_9031".
- nitass
Employee
sso.domain.com:9031 is a different virtual server named sso_9031 with a pool named "pool_sso_9031"
can you just use the virtual command to forward traffic from sso.domain.com:443 to sso.domain.com:9031?
virtual
https://devcentral.f5.com/wiki/iRules.virtual.ashx
- chuckcald_15879
Nimbostratus
We do not want to route all traffic from sso.domain.com:443. Only traffic going to /sp/ACS.saml2. https://sso.domain.com goes to our sso.domain.com:443 virtual server and is needed for normal 443 traffic. https://sso.domain.com/sp/ACS.saml2 needs to be redirected to https://sso.domain.com:9031/sp/ACS.saml2 and sent to virtual server sso_9031 where the SP server is listening only on port 9031. I hope this clarifies more.
- nitass
Employee
isn't it like this?
config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar443
ltm virtual bar443 {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    vs-index 36
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST {
        if { [HTTP::path] starts_with "/sp/ACS.saml2" } {
            virtual bar9031
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar9031
ltm virtual bar9031 {
    destination 172.28.24.10:9031
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 37
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

trace

[root@ve11a:Active:In Sync] config ssldump -Aed -nni 0.0 -k /config/ssl/ssl.key/default.key port 443 or port 9031 or port 80
New TCP connection 1: 172.28.24.1(42244) <-> 172.28.24.10(443)
1 1  1401289187.2551 (0.0347)  C>S  SSLv2 compatible client hello
1 2  1401289187.2552 (0.0000)  S>CV3.1(81)  Handshake
1 3  1401289187.2552 (0.0000)  S>CV3.1(954)  Handshake
1 4  1401289187.2552 (0.0000)  S>CV3.1(4)  Handshake
1 5  1401289187.2598 (0.0045)  C>SV3.1(262)  Handshake
1 6  1401289187.2598 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 7  1401289187.2598 (0.0000)  C>SV3.1(48)  Handshake
1 8  1401289187.2672 (0.0074)  S>CV3.1(1)  ChangeCipherSpec
1 9  1401289187.2672 (0.0000)  S>CV3.1(48)  Handshake
1 10 1401289187.2696 (0.0024)  C>SV3.1(272)  application_data
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

test
---------------------------------------------------------------
New TCP connection 2: 172.28.24.1(9736) <-> 172.28.24.10(9031)
2 1  1401289187.2709 (0.0000)  C>SV3.3(109)  Handshake
2 2  1401289187.2709 (0.0000)  S>CV3.3(81)  Handshake
2 3  1401289187.2709 (0.0000)  S>CV3.3(954)  Handshake
2 4  1401289187.2709 (0.0000)  S>CV3.3(4)  Handshake
2 5  1401289187.2719 (0.0009)  C>SV3.3(262)  Handshake
2 6  1401289187.2719 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
2 7  1401289187.2721 (0.0002)  C>SV3.3(80)  Handshake
2 8  1401289187.2780 (0.0059)  S>CV3.3(1)  ChangeCipherSpec
2 9  1401289187.2780 (0.0000)  S>CV3.3(80)  Handshake
2 10 1401289187.2782 (0.0001)  C>SV3.3(288)  application_data
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

test
---------------------------------------------------------------
New TCP connection 3: 200.200.200.14(17839) <-> 200.200.200.101(80)
1401289187.2790 (0.0006)  C>S
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: 172.28.24.10
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

test
---------------------------------------------------------------
- chuckcald_15879
Nimbostratus
When I follow the configuration listed, my browser connection gets reset and nothing loads. I noticed that your pool foo is listening on port 80. It should be listening on 9031. I made that change and the browser still gets reset.
- nitass
Employee
When I follow the configuration listed my browser connection gets reset and nothing loads.
who sends the reset first? if it is bigip, can you try this?
sol13223: Configuring the BIG-IP system to log TCP RST packets
http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html
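The ssldump trace nitass posted is the evidence that matters in this thread: the same POST body must appear on the 443 hop, on the 9031 hop and on the plaintext leg to the pool member. The script below is an added example, not from the thread or from F5; it reads a trace in that ssldump -A layout and checks that every hop carries a POST whose body length matches its Content-Length, which is exactly what a redirect-based iRule would fail (the follow-up request would arrive as a body-less GET). The embedded trace is a constructed, abbreviated sample with the TLS handshake records left out.

```python
import re

# Constructed sample in the shape of the ssldump -A trace posted above, cut down
# to the decoded application_data on each hop (TLS handshake records omitted).
SAMPLE_TRACE = """\
New TCP connection 1: 172.28.24.1(42244) <-> 172.28.24.10(443)
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
Content-Length: 4

test
---------------------------------------------------------------
New TCP connection 2: 172.28.24.1(9736) <-> 172.28.24.10(9031)
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
Content-Length: 4

test
---------------------------------------------------------------
New TCP connection 3: 200.200.200.14(17839) <-> 200.200.200.101(80)
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
Content-Length: 4

test
---------------------------------------------------------------
"""

# Capture only the destination port of each "New TCP connection" line.
CONN_RE = re.compile(r"^New TCP connection \d+: \S+\(\d+\) <-> \S+\((\d+)\)$", re.M)
SEP_RE = re.compile(r"^-{20,}$", re.M)


def parse_requests(trace):
    """Map destination port -> (method, path, declared Content-Length, body)."""
    out = {}
    parts = CONN_RE.split(trace)            # [preamble, port, text, port, text, ...]
    for port, text in zip(parts[1::2], parts[2::2]):
        segments = SEP_RE.split(text)       # the HTTP message sits between dashed lines
        if len(segments) < 2:
            continue                        # nothing decoded on this hop
        head, _, body = segments[1].strip("\n").partition("\n\n")
        method, path = head.split("\n")[0].split(" ")[:2]
        m = re.search(r"^Content-Length: (\d+)$", head, re.M)
        out[int(port)] = (method, path, int(m.group(1)) if m else 0, body.strip("\n"))
    return out


def body_survives(trace, hops=(443, 9031, 80)):
    """True only if every hop shows a POST whose body length matches Content-Length."""
    reqs = parse_requests(trace)
    return all(p in reqs and reqs[p][0] == "POST" and len(reqs[p][3]) == reqs[p][2]
               for p in hops)
```

Feed it the real capture (python3 check.py < trace.txt style, or just call body_survives on the file contents) after changing the pool member port to 9031 as chuckcald did, and a False result points at the hop where the body went missing.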