HTTP-HTTPS redirection

With the irule when my client goes to www.x.fr/y/z it remains in HTTP thats OK. When accessing www.x.fr/y he is redirected to HTTPS thats OK but when going to www.x.fr/y/z it remains in HTTP whereas it should have been redirected to HTTPS.

This is a little confusing. According to your original statements, "www.x.fr/y/z" should be HTTP. Did you mean that from "www.x.fr/y/" to "www.x.fr/y/z" it should redirect FROM HTTPS to HTTP?

If the above is true, then you need to build your logic from MOST explicit to LEAST explicit. Here's a switch structure that, I think, does essentially what you're asking for.

when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "test.domain.com" } {
        switch -glob [string tolower [HTTP::uri]] {
            "/y/z*" {
                if { [TCP::local_port] ne "80" } { HTTP::redirect "http://[HTTP::host][HTTP::uri]" }
            }
            "/y/*" {
                if { [TCP::local_port] ne "443" } { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
            }
            "/y*" {
                if { [TCP::local_port] ne "443" } { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
            }
            "/*" {
                if { [TCP::local_port] ne "80" } { HTTP::redirect "http://[HTTP::host][HTTP::uri]" }
             }
            default { drop }
        }
    }
}

I might also add that you can cause havoc in some browsers switching back and forth between HTTP and HTTPS. It may be better to just leave it all HTTPS from the user's perspective.

Hello,

 

 

Thanks for your reply. Well what i mean was the page www.x.fr/y/z should be available in both HTTP and HTTPS. www.x.fr/y* should be redirected to HTTPS. I have to VIP one listening on 80 and the other on 443. Irules applied on the 443 is working fine having problems only for HTTP traffic.

 

 

Thanks.

 

 

Kind regards,

 

Kaviraj

Hello,

 

 

I tested the irule. Here are the effects:

 

www.x.fr/y/z --> is redirected to https whereas it should be available in both HTTP and HTTPS. if someone goes directly to http://www.x.fr/y/z the page should load in HTTP but right now it is being redirected to HTTPS and if someone load the page in https://www.x.fr/y/z the page should load in HTTPS which is working right now.

 

www.x.fr/y --> redirected to HTTPS --> OK

 

www.x.fr/y/* --> Redirected to HTTPS --> OK

 

 

Thanks for your help

 

 

Kind regards,

 

Kaviraj

Try this:

when HTTP_REQUEST {
if { [string tolower [HTTP::host]] equals "test.domain.com" } {
switch -glob [string tolower [HTTP::uri]] {
"/y/z*" {
return
}
"/y/*" {
if { [TCP::local_port] ne "443" } { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/y*" {
if { [TCP::local_port] ne "443" } { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/*" {
if { [TCP::local_port] ne "80" } { HTTP::redirect "http://[HTTP::host][HTTP::uri]" }
}
default { drop }
}
}
}

Hello,

 

 

still same effect "www.x.fr/y/z --> is redirected to https whereas it should be available in both HTTP and HTTPS. if someone goes directly to http://www.x.fr/y/z the page should load in HTTP but right now it is being redirected to HTTPS and if someone load the page in https://www.x.fr/y/z the page should load in HTTPS which is working right now. "

 

 

If i use only this part of the irule:

 

when HTTP_REQUEST {

 

if { [string tolower [HTTP::host]] equals "test.domain.com" } {

 

switch -glob [string tolower [HTTP::uri]] {

 

"/y/z*" {

 

return

 

}

 

}

 

}

 

}

 

 

then its OK the page is loading in HTTP but if i add:

 

"/y/*" {

 

if { [TCP::local_port] ne "443" } { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

 

}

 

the page www.x.fr/y/z is redirected to HTTPS. As if the "return" is not working.

 

 

Kind regards,

 

Kaviraj

Curious. Do you by chance see 30x type redirects coming from the application server? Can you capture the HTTP traffic?

Hello,

 

 

i don't have access to the app server. But the pools are configured in HTTP only. HTTPs traffic is managed by the LB only traffic sent to pools are only in HTTP

 

VIP-HTTPS --> SSL decryption --> Pool_HTTP

 

VIP-HTTP --> Pool_HTTP

 

 

Kind regards,

 

Kaviraj

 

 

I'm not so concerned with the protocol (HTTP vs. HTTPS) but any redirects that may be coming directly from the server. In my Apache lab I noticed 301 redirects coming back for URIs that didn't end with "/". Example:

URI = "/y/z" - redirect to "http://test.domain.com/y/z/"

It was this behind-the-scenes redirect that was throwing things off. So I modified the above iRule slightly:

when HTTP_REQUEST {
if { [string tolower [HTTP::host]] equals "test.domain.com" } {
switch -glob [string tolower [HTTP::uri]] {
"/y/z/*" {
return
}
"/y/z" {
HTTP::uri "[HTTP::uri]/"
return
}
"/y/*" {
if { [TCP::local_port] ne "443" } {HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/y*" {
if { [TCP::local_port] ne "443" } {HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/*" {
if { [TCP::local_port] ne "80" } { HTTP::redirect "http://[HTTP::host][HTTP::uri]" }
}
default { 
drop 
}
}
}
}

I'm now accounting for the missing trailing "/" in the request and preventing the server from sending it (erroneously).

====================

...

"/y/z" {

HTTP::uri "[HTTP::uri]/"

return

}

...

====================

Give that a shot.

Can you add some log statements back to the iRule and test again:

when HTTP_REQUEST {
log local0. "uri = [HTTP::uri]:[TCP::local_port]"
if { [string tolower [HTTP::host]] equals "test.domain.com" } {
switch -glob [string tolower [HTTP::uri]] {
"/y/z/*" {
log local0. "y/z/*"
return
}
"/y/z" {
log local0. "y/z"
HTTP::uri "[HTTP::uri]/"
return
}
"/y/*" {
log local0. "/y/*"
if { [TCP::local_port] ne "443" } {HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/y*" {
log local0. "/y*"
if { [TCP::local_port] ne "443" } {HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}
"/*" {
log local0. "/*"
if { [TCP::local_port] ne "80" } { HTTP::redirect "http://[HTTP::host][HTTP::uri]" }
}
default { 
log local0. "drop"
drop 
}
}
}
}

Please also use "-Xs0" in your TCPDUMP parameters.