Forum Discussion
http redirect to https based on http::uri
I am trying to set up redirection from http to https, and vice versa, based on URIs. Examples: /login.aspx, /dashboard.aspx. If someone went to login.aspx, it should go to https; then if someone clicks on another link that is not /login.aspx, it would redirect back to http. I don't want to encrypt everything, just the URIs.

    when HTTP_REQUEST {
        if { ([HTTP::uri] starts_with "/login.aspx") or ([HTTP::uri] starts_with "/Dashboard.aspx") } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        } else {
            use pool POOL_HTTP
            log local0. "https-redirect [IP::client_addr] [HTTP::host]"
        }
    }

I get loops in the redirection.
20 Replies
- giltjr
Nimbostratus
That is because you are not checking to see if you are already HTTPS. You need to check to see if you are https or not. Something like:

    when CLIENT_ACCEPTED {
        # Check for SSL
        if { [TCP::local_port] eq 443 } { set SSL 1 } else { set SSL 0 }
    }

    when HTTP_REQUEST {
        if { !$SSL } {
            if { [HTTP::uri] starts_with "/login.aspx" or [HTTP::uri] starts_with "/Dashboard.aspx" } {
                HTTP::redirect https://[HTTP::host][HTTP::uri]
                return
            } else {
                use pool POOL_HTTP
                log local0. "https-redirect [IP::client_addr] [HTTP::host]"
            }
        }
    }

    when HTTP_REQUEST {
        if { !$SSL } {
            if { ([HTTP::uri] starts_with "/login.aspx") or ([HTTP::uri] starts_with "/Dashboard.aspx") } {
                HTTP::redirect "https://[HTTP::host][HTTP::uri]"
            } else {
                use pool POOL_HTTP
                log local0. "https-redirect [IP::client_addr] [HTTP::host]"
            }
        }
    }

- cquick11_115408
Nimbostratus
Thanks for answering, I appreciate it. You're right, it shouldn't be on the HTTPS server and I removed it. For the above rule, I am a bit confused: which part should I apply to the http server? I have never seen two http_requests in the same iRule.
Thanks in Advance
- JG
Cumulonimbus
Set up another virtual server with the same IP address as the HTTPS server you have already set up, on port 80, choose an http profile, and apply your original iRule to it.
- giltjr
Nimbostratus
Somehow my cut and paste did something weird. There should only be one HTTP_REQUEST section.
I did make the assumption that the iRule was being used for both http and https requests. Should just be:

    when CLIENT_ACCEPTED {
        # Check for SSL
        if { [TCP::local_port] eq 443 } { set SSL 1 } else { set SSL 0 }
    }

    when HTTP_REQUEST {
        if { !$SSL } {
            if { [HTTP::uri] starts_with "/login.aspx" or [HTTP::uri] starts_with "/Dashboard.aspx" } {
                HTTP::redirect https://[HTTP::host][HTTP::uri]
                return
            } else {
                use pool POOL_HTTP
                log local0. "https-redirect [IP::client_addr] [HTTP::host]"
            }
        }
    }

- giltjr
Nimbostratus
Try the below as is. I did not notice that the formatting was getting messed up. In some situations iRules (maybe it's TCL) are very sensitive to where line breaks are.

    when CLIENT_ACCEPTED {
        # Check for SSL
        if { [TCP::local_port] eq 443 } { set SSL 1 } else { set SSL 0 }
    }

    when HTTP_REQUEST {
        if { !$SSL } {
            if { [HTTP::uri] starts_with "/login.aspx" or [HTTP::uri] starts_with "/Dashboard.aspx" } {
                HTTP::redirect https://[HTTP::host][HTTP::uri]
                return
            } else {
                pool POOL_HTTP
                log local0. "https-redirect [IP::client_addr] [HTTP::host]"
            }
        }
    }

- cquick11_115408
Nimbostratus
140.0001050000.357690000172.17.0.60172.17.0.34TCP6055227802120x419a (16794)055227 > 80 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
Looks like the F5 is sending a RST packet when I apply this rule.
This rule should be applied to the http VS, correct? (That's the setting now.)
This is just going to the main site.
- cquick11_115408
Nimbostratus
giltjr, it seems something happened to your last comment, as I only see it in the notification. Weird.
- giltjr
Nimbostratus
Yes, it should be on the VS that is listening on port 80. I will have to test, but you are telling the browser not to use port 80, but to use port 443. So the connection to port 80 will be terminated.
Logically, what are you trying to accomplish? It looks like you want to force logins and dashboard to be SSL; do you want other pages to be non-SSL?
If so, you may need another iRule, or modify this one. Let me know, I have some code that uses cookies to keep track of whether a user came in originally HTTP or HTTPS and forces logins to occur on HTTPS, but returns the user to HTTP if that is the way they came in originally. I will have to modify it a little for your URIs.
- giltjr
Nimbostratus
Do you have multiple pools that this VS can use? I am just wondering why you are using an iRule to assign a pool instead of having a default pool associated with the VS.
- cquick11_115408
Nimbostratus

    # First rule (https VS)
    when HTTP_REQUEST {
        if { not [class match [HTTP::uri] starts_with stage_ssl] } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    }

    # Second rule (http VS)
    when HTTP_REQUEST {
        if { [class match [HTTP::uri] ends_with stage_ssl] } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

This seems to be working, as I applied the first one to the https VS and the other to the http VS. You are correct, I want logins and dashboards to be https and everything else http once on those pages. Please send me over some of the cookie rules, as I am using that as persistence. Thank you for helping me; much appreciation!!
- giltjr
Nimbostratus
Let me take what you have in your last post and work it out with a cookie. What should end up happening is if a user comes in https, they will stay https for everything. If a user comes in http, they will switch to https for login/dashboard and be flipped back to http for everything else.
I have it in a single iRule that I apply to both the http and https vs, but I have a LOT of other stuff in that single iRule.
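
One way to write the single cookie-tracking iRule described in the last reply, for attachment to both virtual servers; this is an added example, not giltjr's code or anything posted in the thread. It assumes the data group stage_ssl holds lowercase path prefixes such as /login.aspx, that each virtual server has a default pool, and uses a made-up cookie name, entry_scheme.

```tcl
# Added example, not code from the thread; attach to both virtual servers.
# Assumed: stage_ssl holds lowercase path prefixes; entry_scheme is a
# made-up cookie name; each virtual server has a default pool.
when CLIENT_ACCEPTED {
    # Same port test used earlier in the thread
    set is_ssl [expr {[TCP::local_port] == 443}]
}

when HTTP_REQUEST {
    # Lowercased path only, so /Dashboard.aspx?x=1 matches /dashboard.aspx
    set protected [class match [string tolower [HTTP::path]] starts_with stage_ssl]
    # Drop any ":port" suffix before building a redirect target
    set host [getfield [HTTP::host] ":" 1]
    set entry ""
    if { [HTTP::cookie exists "entry_scheme"] } {
        set entry [HTTP::cookie value "entry_scheme"]
    }
    set set_marker 0

    if { !$is_ssl } {
        if { $entry eq "https" } {
            # Visitor started on HTTPS: keep everything on HTTPS
            HTTP::redirect "https://${host}[HTTP::uri]"
            return
        }
        if { $protected } {
            # Record the HTTP entry point, then force HTTPS for this page
            HTTP::respond 302 Location "https://${host}[HTTP::uri]" \
                Set-Cookie "entry_scheme=http; Path=/; HttpOnly"
            return
        }
        if { $entry eq "" } { set entry "http"; set set_marker 1 }
    } else {
        if { !$protected && $entry eq "http" } {
            # Started on HTTP: flip back once off the login/dashboard pages
            HTTP::redirect "http://${host}[HTTP::uri]"
            return
        }
        if { $entry eq "" } { set entry "https"; set set_marker 1 }
    }
}

when HTTP_RESPONSE {
    # Marker is client-controlled and not Secure (both servers must see it);
    # protected paths are forced to HTTPS above whatever its value.
    if { $set_marker } {
        HTTP::header insert Set-Cookie "entry_scheme=$entry; Path=/; HttpOnly"
    }
}
```

Any application session cookie still crosses the wire in clear on the HTTP pages, so this layout protects only the login and dashboard exchanges themselves.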