Forum Discussion
scot_hartman_82
Nimbostratus
NimbostratusHTTP redirect based upon URL
I'm fairly new to iRules. I went through examples I've found on the forums but wanted to see if anyone has time to double check my logic/syntax...
I have two VIPs on the same IP. One on 80 and one on 443. The 80 only has an iRule as a resource to redirect to the 443.
I have an existing iRule applied to the VIP listening on port 80 to redirect to https...
when HTTP_REQUEST {
HTTP::redirect https://app.abc.org[HTTP::uri]
}
I was specific about the host so it would match the certificate I have on the SSL VIP.
The VIP on 443 terminates SSL with a cert for "app.abc.org" and has a pool of servers listening on port 80 behind it. There is no iRule currently applied to this VIP.
A new requirement is coming up where several more URLs currently hosted elsewhere will have their DNS updated to use the IP that hosts this VIP.
They will need to be redirected to the "app.abc.org" that matches the SSL cert but with a special path... "https://app.abc.org/new-app/home"
They include...
http://new-app.abc.com
http://new-app.abc.org
http://new-app.abc.net
http://www.new-app.abc.com
http://www.new-app.abc.org
http://www.new-app.abc.net
(as well as the https versions of the above)
So I'm thinking I can set an 'if' to look for "new-app.abc" in the host requested and redirect all the ones that include new-app.abc to the "https://app.abc.org/new/home" and leave the original redirect in as an 'else' for the rest of the requests that may be looking for other uri paths.
I'm guessing I'd also need to add a redirect iRule on the 443 VIP to redirect all the https attempts made to new-app.abc to be "https://app.abc.org/new/home" but without need for the else part
My thoughts
On the 80 VIP...
when HTTP_REQUEST {
if { [HTTP::host] contains "new-app.abc" } {
HTTP::redirect https://app.abc.org/new/home
}
else {
HTTP::redirect https://app.abc.org[HTTP::uri]
}
}
On the 443VIP...
when HTTP_REQUEST {
if { [HTTP::host] contains "new-app.abc" } {
HTTP::redirect https://app.abc.org/new/home
}
}
Any thoughts and insights are appreciated.
Thanks,
Scot
hoolioCirrostratus
Hi Scot,
What you're describing should work fine for the HTTP VIP. You could use a datagroup to define the host the client will request and the corresponding URL you want to redirect to. You could then use findclass (Click here) to check the requested hostname and look up the corresponding redirect. Check the wiki page for a few examples and reply back here if you have any questions.
For the HTTPS VIP, you're limited to supporting one certificate for one VIP. So if clients did make an HTTPS request using a hostname that didn't match the cert, they would get a cert mismatch error before you would be able to redirect them to a new location. You may be able to get a cert valid for all subdomains on your domain (a wildcard cert valid for *.example.com) or you could get a cert valid for multiple hostnames on different domains using subject alternate names (SANs). Try searching the forums here for SAN SSL or subject alternate name for some more information and links.
It would be more ideal to avoid clients making requests via HTTPS to different hostnames that resolve to the same IP address.
Aaron
scot_hartman_82Aaron,
Excellent. Thanks for the review and the heads-up on the SSL cert.
I'll look through the findclass to see if I can refine this.
Thanks much,
Scot