Forum Discussion
http redirect to https based on http::uri
I am trying to set up redirection from http to https, and vice versa, based on URIs. Examples: /login.aspx, /dashboard.aspx. If someone went to login.aspx, it should go to https; then if someone clicks on another link that is not /login.aspx, it would redirect back to http. I don't want to encrypt everything, just the URIs.
```tcl
when HTTP_REQUEST {
    if { ([HTTP::uri] starts_with "/login.aspx") or ([HTTP::uri] starts_with "/Dashboard.aspx")} {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    } else {
        use pool POOL_HTTP
        log local0. "https-redirect [IP::client_addr] [HTTP::host]"
    }
}
```
I get loops in the redirection.
20 Replies
- giltjr
Nimbostratus
O.K. As always test, test and then test more. This is a single iRule that can be applied to both the http and https vs. Will post the logic in just a second.
```tcl
when CLIENT_ACCEPTED {
    # Check for SSL
    if {[TCP::local_port] eq 443 } {set SSL 1} else {set SSL 0}
}
when HTTP_REQUEST {
    if {[HTTP::cookie exists "SecureStat"] } {
        set SecureStat [HTTP::cookie "SecureStat"]
        if {!$SSL } {
            if {[class match [HTTP::uri] ends_with stage_ssl] } {
                HTTP::redirect "https://[HTTP::host][HTTP::uri]"
            }
        } elseif {!$SecureStat and not [class match [HTTP::uri] starts_with stage_ssl] } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    } else {
        set cookie [format "%s=%s; path=/; domain=$HostName" "SecureStat" $SSL]
        if {!$SSL } {
            if {[class match [HTTP::uri] ends_with stage_ssl] } {
                HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie ; return
            }
        } elseif {not [class match [HTTP::uri] starts_with stage_ssl] } {
            HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie ; return
        }
    }
}
```
- giltjr
Nimbostratus
Logic to the code:
1) Check to see if the SecureStat cookie already exists. This means we have been through here once before and should be matched the majority of the time.
2) If the SecureStat cookie is set, are we NOT SSL? If we are NOT SSL, check to see if we match your URLs and, if so, redirect to SSL.
3) If the SecureStat cookie is set and we are SSL, check to see if the original request was non-SSL ($SecureStat would be false) and if we don't match any of your URLs. If the original request was non-SSL and we don't match your URLs, redirect to HTTP.
4) If the SecureStat cookie was not present, this is the first time through. Set variable "cookie" to the required values.
5) If we are not SSL, check to see if we match your URLs. If we do, use HTTP::respond with a 302 code and the new location, and set the cookie.
6) If we are SSL and we don't match your URIs, HTTP::respond and set the cookie.
We need to use HTTP::respond 302 when we want to set the cookie, because HTTP::redirect does not allow you to set cookies.
I just saw a typo in my code post. On the first HTTP::respond, it should of course be https instead of http in the location.
- giltjr
Nimbostratus
Corrected code Post
```tcl
when CLIENT_ACCEPTED {
    # Check for SSL
    if {[TCP::local_port] eq 443 } {set SSL 1} else {set SSL 0}
}
when HTTP_REQUEST {
    if {[HTTP::cookie exists "SecureStat"] } {
        set SecureStat [HTTP::cookie "SecureStat"]
        if {!$SSL } {
            if {[class match [HTTP::uri] ends_with stage_ssl] } {
                HTTP::redirect "https://[HTTP::host][HTTP::uri]"
            }
        } elseif {!$SecureStat and not [class match [HTTP::uri] starts_with stage_ssl] } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    } else {
        set cookie [format "%s=%s; path=/; domain=$HostName" "SecureStat" $SSL]
        if {!$SSL } {
            if {[class match [HTTP::uri] ends_with stage_ssl] } {
                HTTP::respond 302 Location "https://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie ; return
            }
        } elseif {not [class match [HTTP::uri] starts_with stage_ssl] } {
            HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie ; return
        }
    }
}
```
- cquick11_115408
Nimbostratus
giltjr, I can't test this iRule until Friday, as our stage environment is being used again. I will update you when I get a chance to try this out.
Thanks again for your help.
- cquick11_115408
Nimbostratus
They gave me an extra day to test. When I apply the cookie rule to the http VS, it just resets the connection to the main site. When I apply it to both http and https, it still resets the connection. Not sure why it does this.
- giltjr
Nimbostratus
A suggestion if you are allowed to do it. Create your own http and https vs's with their own IP addresses that use the same pools as your stage environment. Then you can test without interrupting other testing.
Then add a few log statements in the iRule to see where you are getting.
I'll see if there is a way I can set up a test on my F5, but not sure I can.
Since I don't have classes set up on my F5, I changed the class matches to "[HTTP::uri] ne "/login.jsp"" and it was a valid iRule. I'll walk through the code again to see if I can find where the problem is.
- giltjr
Nimbostratus
Were there any error messages in the /var/log/ltm file?
- cquick11_115408
Nimbostratus
No errors in the logs. I am going to set up logging in the iRule.
- giltjr
Nimbostratus
That's the problem with trying to pick pieces out of one iRule to give to somebody else. Sorry about that. Change:
set cookie [format "%s=%s; path=/; domain=$HostName" "SecureStat" $SSL]
to
set cookie [format "%s=%s; path=/; domain=[HTTP::host]" "SecureStat" $SSL]
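Added example, not part of the thread and not iRule code: a Python model of the redirect decisions, so the loop and the SecureStat logic can be traced offline. It assumes the question's rule is attached to both the http and https virtual servers, and it uses a prefix match everywhere (the posted iRule mixes ends_with and starts_with); `needs_ssl`, `naive_rule`, `cookie_rule` and `follow` are names made up for this sketch.

```python
# Constructed model of the rules discussed above; SECURE_PREFIXES stands in
# for the stage_ssl class (assumed to hold the two URIs from the question).
SECURE_PREFIXES = ("/login.aspx", "/Dashboard.aspx")

def needs_ssl(uri):
    return uri.startswith(SECURE_PREFIXES)

def naive_rule(ssl, uri, cookies):
    """The question's rule: redirect matching URIs to https, even when already on https."""
    return ("https", None) if needs_ssl(uri) else None

def cookie_rule(ssl, uri, cookies):
    """Decision logic of the corrected SecureStat iRule (steps 1-6 in the thread)."""
    if "SecureStat" in cookies:
        first_was_ssl = cookies["SecureStat"] == "1"
        if not ssl:
            return ("https", None) if needs_ssl(uri) else None
        if not first_was_ssl and not needs_ssl(uri):
            return ("http", None)
        return None
    # First visit: remember whether the session started on SSL.
    cookie = {"SecureStat": "1" if ssl else "0"}
    if not ssl:
        return ("https", cookie) if needs_ssl(uri) else None
    return None if needs_ssl(uri) else ("http", cookie)

def follow(rule, scheme, uri, cookies=None, max_hops=5):
    """Follow redirects like a browser; return (final scheme, hops) or ("loop", max_hops)."""
    cookies = dict(cookies or {})
    for hops in range(max_hops + 1):
        decision = rule(scheme == "https", uri, cookies)
        if decision is None:          # request is passed to the pool
            return scheme, hops
        scheme, set_cookie = decision
        cookies.update(set_cookie or {})
    return "loop", max_hops

if __name__ == "__main__":
    print(follow(naive_rule, "http", "/login.aspx"))
    print(follow(cookie_rule, "http", "/login.aspx"))
    print(follow(cookie_rule, "https", "/news.aspx"))
```

A session whose first request arrived over SSL (SecureStat=1) is never pushed back to http, which is the step 3 behaviour in the thread.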