NimbostratusHi,
I have a problem about F5 iRule, i set the irule on F5 "
when_HTTP_REQUEST {
HTTP::host [HTTP::host]:443;
}but when i changed my database from apache to nginx, https is not working. we run nginx as load balance before and set
proxy_set_header Host $host:443;Could anyone give me any suggestions, please?
Maybe you don't even need iRules. If I understand correctly you want the client side to be HTTP and the server side HTTPS?
How does your virtual server look like? Can you share the output of:
tmsh list /ltm virtual
NimbostratusPlease following the configuration :
destination x.x.x.x:httpsip-protocol tcp
mask 255.255.255.255
pool lt-test-pool
profiles {
clientssl-xxxx {
context clientside
}
clientssl-xxxx {
context clientside
}
http { }
tcp-lan-optimized {
context serverside
}
tcp-wan-optimized {
context clientside
}
web_acceleration_2 { }
}
rules {
_http_header
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vlans {
external-1
internal-20
}
vlans-enabled
vs-index 40
}
I notice that you don't use any serverssl profiles. So you're basically doing SSL offloading now. When SSL offloading, I don't understand your iRules which are pointing to HTTPS. When SSL offloading I would expect your pool members to be listening on port 80. Can you tell us more about your setup?
NimbostratusHi Niels van Sluis, You're right, we don't use any serverssl profile, our pool members only listening on port 80, so we need irules to insert host:443, and we'll get the https web. when we changed the web service from apache to nginx, and it's not working. we're wondering if we need to change irules?
The following configuration is our web service and it works well.
destination x.x.x.x:httpsip-protocol tcp
mask 255.255.255.255
pool ltgm_web_pool
profiles {
clientssl-xxxx {
context clientside
}
clientssl-xxxx {
context clientside
}
http { }
http2 { }
oneconnect { }
tcp-lan-optimized {
context serverside
}
tcp-wan-optimized {
context clientside
}
wan-optimized-compression { }
}
rules {
_http_header
}
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vlans {
external-1
internal-20
}
vlans-enabled
vs-index 63
}
Why do you think you need to insert this particular Host header? It makes no sense to me.
CumulonimbusWhat is your nginx virtual server configuration for this? For that'll give us some clue.
NimbostratusHi Jie
we need host header because we don't use any https on nginx and apache, so we need to insert host:443 on F5, it works for apache server but nginx.
Hi Jie This is what we nginx configuration
server {
listen *:80;
server_name x.x.x.x
access_log /var/log/nginx/xxx_log main;
error_log /var/log/nginx/xxx.err_log error;
access_log off;
proxy_hide_header X-Powered-By;
include 001-share_conf/aio-thread;
include 001-share_conf/ad-rewrite;
location ~ \.php$ {
root /home/xxx;
include 001-share_conf/fastcgi;
include 001-share_conf/uuid/lt/bck-lt/uuid;
include fastcgi.conf;
}
+++++deny access to .htaccess files
location ~ /\.ht {
deny all;
}
error_page 404 /404.html;
redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /etc/nginx/html;
}
}
What was your Apache configuration then?
EmployeeIf you virtual server is listening on port 443 (with clientssl profile) and your ngix server is listening on port 80 then you should configure your pool members on port 80, as simple as that.
The irule does not make any sense to be honest, injecting the port and the end of the hostname is not going to make that request going to the port you need. you pool member configuration will do that.
Nimbostratushi Jie
Thank you for your help.
This is Apache configuration :
ServerName www.xxx.com:80
ServerAlias xxxx.com yyyyy.com www.zzzz.com
DocumentRoot /home/xxx
ErrorLog logs/www.xxx.err_log
CustomLog /var/log/httpd/www.xxx.acs_log combinedio
Include /etc/httpd/conf.d/001-share_conf/aa-directory-parameter
Include /etc/httpd/conf.d/001-share_conf/ad-rewrite
Include /etc/httpd/conf.d/001-share_conf/xxx/uuid