
big_9869
May 17, 2013

http redirect using tcp

Hi Folks

good morning

I'm new to iRules so I hope I'm not asking something that's been answered previously

I want to do an http redirect but I don't want to use http since the VIP is a general purpose VIP

and not just for http

I want to do the same functionality as this but using tcp and the iRule

this is the http version


when HTTP_REQUEST {
HTTP::redirect "http://www.someplace.com[HTTP::uri]"
}

this is my tcp equivalent

when CLIENT_ACCEPTED {

 TCP::respond "\r\n "

 TCP::close

}

thanks

8 Replies

  • Try this:

    
    when CLIENT_ACCEPTED {
      if { ... } {
        TCP::respond "HTTP/1.0 302 Found\r\nServer: BIG-IP\r\nLocation: http://www.someplace.com\r\nConnection: close\r\n\r\n"
        TCP::close
        return
      }
    }
    

    As far as the URI is concerned, if you are not using the HTTP profile, you'll have to do a TCP::collect and pull that out of payload, which will likely be a far greater effort than splitting off a new virtual and using the http profile.
  • Hi jason

    part of my question got lost!!!

    here is what I want to do if the client connects to the http / https ports. the vip is a general tcp

    when CLIENT_ACCEPTED {
      
        TCP::respond "   
    Where I want you to end up"      \r\n "
        TCP::close
        }
    }
    
     
  • Hi Jason

    I'm not sure I know what you mean by the tcp collect??? I don't care about the payload. Just if there is a connection to the vip on 80 or 443 blindly send the http redirect over tcp

    does this make sense?


  • Reference: https://devcentral.f5.com/community/group/aft/2167033/asg/50

    Give this a shot:

    
    when CLIENT_ACCEPTED {
       switch [TCP::local_port] {
          "80" {
             SSL::disable clientside
             TCP::respond "HTTP/1.1 200 OK\r\nConnection: Close\r\n\r\nWhere I want you to end up"
             TCP::close
          }
          "443" {
             return
          }
          default {
             reject
          }
       }
    }
    when CLIENTSSL_HANDSHAKE {
       SSL::collect
    }
    when CLIENTSSL_DATA {
       SSL::respond "HTTP/1.1 200 OK\r\nConnection: Close\r\n\r\nWhere I want you to end up"
       TCP::close
    }
    

    I tested this with a wildcard port VIP (IP:0) on 11.3 with an assigned client SSL profile. I had to have a pool assigned for the SSL::respond to work, though I can't remember why.

    So curiously, you'd rather do a meta refresh than just send a 302?

  • yes, they want a redirect not a 302.....

    they want it to redirect to the corporate home page.....


  • A 302 IS a redirect. A meta refresh and a 302 response do essentially the same thing, but in a different way, and the 302 message is arguably a cleaner and faster way to do it.


  • thanks great

    I'd be willing to try that .... is there a code sample?
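
The first reply notes that without the HTTP profile the URI has to be pulled out of the payload with TCP::collect. The iRule below is an added example of that approach, not code from any poster in this thread. It assumes a cleartext listener on port 80 only, reuses the thread's www.someplace.com target, and uses a 4096-byte cap chosen here as an illustrative limit; the path is restricted to printable ASCII so a client cannot inject extra header lines into the Location value.

```tcl
when CLIENT_ACCEPTED {
    # Only the cleartext HTTP port is handled in this example
    if { [TCP::local_port] == 80 } {
        TCP::collect
    }
}

when CLIENT_DATA {
    # Wait until the full request line (terminated by CRLF) has arrived
    set eol [string first "\r\n" [TCP::payload]]
    if { $eol < 0 } {
        # Assumed limit: drop clients that never finish the request line
        if { [TCP::payload length] > 4096 } {
            reject
            return
        }
        TCP::collect
        return
    }

    set line [string range [TCP::payload] 0 [expr {$eol - 1}]]

    # Default to "/" if the request line is not well-formed HTTP/1.x.
    # [!-~] is printable ASCII without space, so no CR/LF or control
    # characters can reach the Location header.
    set uri "/"
    if { [regexp {^[A-Z]+ (/[!-~]*) HTTP/1\.[01]$} $line -> path] } {
        set uri $path
    }

    TCP::respond "HTTP/1.0 302 Found\r\nServer: BIG-IP\r\nLocation: http://www.someplace.com${uri}\r\nConnection: close\r\n\r\n"
    TCP::close
}
```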