Forum Discussion
Http to Https except specific URLs
Dears,
I am facing an issue with iRules. I have created the iRule below

    when HTTP_REQUEST {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }

to redirect from http://abc.com to https://abc.com. Now I need to exclude some URLs, like:

http://abc.com/xyz
http://abc.com/example1
http://abc.com/example2
22 Replies
- Hannes_Rapp
Nimbostratus
Good luck 😉
    when HTTP_REQUEST {
        switch [string tolower [HTTP::host][HTTP::path]] {
            "abc.com/xyz" -
            "abc.com/example1" -
            "abc.com/example2" {
                # do nothing
                return
            }
            default {
                HTTP::respond 302 location "https://[HTTP::host][HTTP::uri]"
                # prevent a possibility of multiple redirect invocations
                # (not needed, if it's your only iRule attached to the VS)
                event disable
                # remove the TCP connection record from the connections table.
                # Needed for some browsers, because if the connections record remains,
                # the same redirect will not work the second time in a different tab.
                TCP::close
            }
        }
    }

- Hannes_Rapp
Nimbostratus
In this case you would want to use the priority function. Add the code "priority 10" (without quotes) to the beginning of the iRule (1st line). This will ensure the HTTPS redirect iRule is processed before your secondary iRule. Might want to share your other iRule? We should make sure no important functionality loss will occur.

Edit:
- Also please share your exact request page when testing (e.g. http://abc.com/xyz)
- Does the back-end server (pool member) serve more than one vHost via the same VS? I need to know if "abc.com" is the only host served, or are there more?
- Ahmad_03_151082
Nimbostratus
yes exactly
- Hannes_Rapp
Nimbostratus
.
- Hannes_Rapp_162
Nacreous
A single iRule on your port 80 Virtual Server will do. Remove everything else, except:
    when HTTP_REQUEST {
        if { ([HTTP::host] == "oservices.bahrain.bh") && ([string tolower [HTTP::path]] == "/pubportal/insurancedetailsuploadws/services/insuranceuploadimpl") } {
            # excluded URL: log it and leave the request on HTTP
            log local0. "Client: [IP::client_addr]: Requested [HTTP::host][HTTP::uri]. HTTPS redirect omitted"
            return
        } else {
            # everything else is redirected to HTTPS
            HTTP::respond 302 location "https://[HTTP::host][HTTP::uri]"
            log local0. "Client: [IP::client_addr]: Requested [HTTP::host][HTTP::uri]. Redirected to HTTPS"
            TCP::close
        }
    }

Good luck! PS: Try my iRule with skepticism and preferably do it during a non-peak hour (or during a maintenance window)!
- Hannes_Rapp_162
Nacreous
For Further Troubleshooting: In case you're still in the same situation as before, you should make sure the back-end server is not responding back with a redirect which includes reference to HTTP protocol, instead of HTTPS. All server-side hard-coded HTTP protocol redirects are to be adjusted for a migration to HTTPS.

From your side, you can verify the redirects. On a UNIX/Linux machine use the cURL program. On a Windows machine use your web browser: Firebug AddOn for Mozilla Firefox, or DevTools for Chrome:

* Issue a command: "curl -vI http://oservices.bahrain.bh" - This should be redirected to HTTPS. In the response headers section you're expecting to see:

    Location : https://oservices.bahrain.bh
    Server : BigIP

If so, you will know the F5 iRule does its job. Now make a second cURL request to track down where https://oservices.bahrain.bh is redirected - does the back-end server redirect to another plain HTTP page?
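The redirect check described in the post above can be scripted. This is an added example, not part of the original thread: the function name `audit_redirects`, the helper `sample_chain` and the host `app.example.test` are assumptions, and the sample headers are constructed rather than captured. It reads the header blocks that `curl -sIL` prints and reports, per hop, which server answered and whether the hop sends the client back to plain HTTP.

```shell
#!/usr/bin/env bash
# Reads the header blocks printed by `curl -sIL http://HOST/PATH` on stdin.
# Prints one tab-separated line per hop: hop, status, verdict, location, server.
# Exit status is 1 if any hop redirects to plain http://, else 0.
audit_redirects() {
    awk '
    function emit() {
        if (status == "") return
        verdict = "final"                      # no Location header: end of chain
        if (loc ~ /^https:\/\//)     verdict = "https"
        else if (loc ~ /^http:\/\//) { verdict = "DOWNGRADE"; bad++ }
        else if (loc != "")          verdict = "relative"
        printf "%d\t%s\t%s\t%s\t%s\n", ++n, status, verdict,
               (loc == "" ? "-" : loc), (server == "" ? "-" : server)
        status = loc = server = ""
    }
    { sub(/\r$/, "") }                         # curl keeps the CR of each CRLF
    /^HTTP\//                        { emit(); status = $2; next }
    tolower($0) ~ /^location[ \t]*:/ { loc = $0;    sub(/^[^:]*:[ \t]*/, "", loc);    next }
    tolower($0) ~ /^server[ \t]*:/   { server = $0; sub(/^[^:]*:[ \t]*/, "", server); next }
    END { emit(); exit (bad > 0) }
    '
}

# Constructed sample (not captured from the thread): the BIG-IP upgrades the
# request, then a hypothetical back end sends the client back to plain HTTP.
sample_chain() {
    cat <<'EOF'
HTTP/1.0 302 Found
location: https://app.example.test/portal
Server: BigIP

HTTP/1.1 302 Found
Location: http://app.example.test/portal/login
Server: Apache

HTTP/1.0 302 Found
location: https://app.example.test/portal/login
Server: BigIP

HTTP/1.1 200 OK
Server: Apache
EOF
}

sample_chain | audit_redirects || echo "downgrade found: fix the hard-coded http:// redirect on that server"
```

Against a live service the input would come from `curl -sIL http://HOST/PATH | audit_redirects`; the server column separates hops answered by the BIG-IP from hops answered by the back end.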
- Ahmad_03_151082
Nimbostratus
Hi
We Still face the same issue
- Hannes_Rapp
Nimbostratus
cURL outputs or anything to show where you're at? We need to make it clear if the problem is at end-server or F5 iRule.
- Hannes_Rapp
Nimbostratus
Hi Ahmad, I've modified the iRule a bit, this should work across all v11.x versions.
    when HTTP_REQUEST {
        if { ([HTTP::host] equals "oservices.bahrain.bh") && ([string tolower [HTTP::path]] equals "/pubportal/insurancedetailsuploadws/services/insuranceuploadimpl") } {
            # excluded URL: log only, no redirect
            log local0. "Client: [IP::client_addr]: Requested [HTTP::host][HTTP::uri]. HTTPS redirect omitted"
        } else {
            HTTP::respond 302 location "https://[HTTP::host][HTTP::uri]"
            log local0. "Client: [IP::client_addr]: Requested [HTTP::host][HTTP::uri]. Redirected to HTTPS"
            TCP::close
        }
    }

Test with logging enabled: "curl -vI oservices.bahrain.bh/pubportal/InsuranceDetailsUploadWS/services/InsuranceUploadImpl"

    Apr 8 12:26:18 bigip1 info tmm1[12385]: Rule /Common/asd : Client: xx.xx.xx.xx: Requested oservices.bahrain.bh/pubportal/InsuranceDetailsUploadWS/services/InsuranceUploadImpl. HTTPS redirect omitted

- Hannes_Rapp
Nimbostratus
Have taken a look at the response header - it appears that something in between modifies the request path and the "/pubportal" substring is eaten up, before the request is even routed to F5 BigIP. Do you have another proxy in between your desktop (test machine) and the F5 BigIP?

    < location: https://oservices.bahrain.bh/InsuranceDetailsUploadWS/services/InsuranceUploadImpl

As a workaround in F5, you can further modify the iRule and replace the conditional IF statement with:

    if { ([HTTP::host] equals "oservices.bahrain.bh") && ([string tolower [HTTP::path]] contains "/insurancedetailsuploadws/services/insuranceuploadimpl") } {

- nitass
Employee
Doesn't it already work? I do see the response is not a redirection.
- nitass_89166
Noctilucent
Can you please tell me, if I want to exclude other URLs, how the iRule will be?
e.g.
irule

    [root@ve11c:Active:In Sync] config # tmsh list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            switch -glob [string tolower [HTTP::host][HTTP::uri]] {
                "oservices.bahrain.bh/pubportal/insurancedetailsuploadws/services/insuranceuploadimpl*" -
                "something.domain.com/*" -
                "somethingelse.somedomain.com/*" {
                    # Do nothing
                }
                default {
                    HTTP::respond 302 location "https://[HTTP::host][HTTP::uri]"
                }
            }
        }
    }

test

    [root@ve11c:Active:In Sync] config # curl -I http://oservices.bahrain.bh/pubportal/insurancedetailsuploadws/services/insuranceuploadimpl/something
    HTTP/1.1 404 Not Found
    Date: Thu, 23 Apr 2015 14:03:31 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8

    [root@ve11c:Active:In Sync] config # curl -I http://oservices.bahrain.bh/something
    HTTP/1.0 302 Found
    location: https://oservices.bahrain.bh/something
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11c:Active:In Sync] config # curl -I http://www.domain.com
    HTTP/1.0 302 Found
    location: https://www.domain.com/
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11c:Active:In Sync] config # curl -I http://www.domain.com/something
    HTTP/1.0 302 Found
    location: https://www.domain.com/something
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

- nitass_89166
Noctilucent
what do you mean?