Forum Discussion
http uploads do not redirect to https
We have a web application which handles uploads from the LAN differently than uploads from the internet. Uploads from the internet work, internal uploads fail. The web servers are behind a reverse proxy and an F5 load balancer.
In both cases (external & internal uploads) the application receives an http request and sends back an http Location Header (the application has no understanding of the SSL Offloading). Although the same load balancer and the same web servers are used for internal and external access, the location header is changed when uploading from the internet (443). This is not the case when uploading from the LAN, which causes uploads to fail.
Where is this coming from? Is this a load balancer setting or a reverse proxy issue?
Uploads from Internet:
- Request URL of the Clients: https://test.domain.ch/upload/24805250_7434_4a04_9a53_79d22dc11930 [OK]
- Request URL which is transmitted to Tomcat: http://test.domain.ch:443/upload/24805250_7434_4a04_9a53_79d22dc11930 [http - because SSL Offloading in Loadbalancer, but why do we have Port 443 in the URL]
- Location Header in response: https://test.domain.ch/upload/24805250_7434_4a04_9a53_79d22dc11930 [OK]

Uploads from LAN:
- Request URL from Clients: https://test.domain.ch/upload/9a2f4f2f_ce92_4954_b73e_6946ec3ea286 [OK]
- Request URL which is transmitted to Tomcat: http://test.domain.ch/upload/9a2f4f2f_ce92_4954_b73e_6946ec3ea286 [http - because SSL Offloading in Loadbalancer]
- Location Header in response: http://test.domain.ch/upload/9a2f4f2f_ce92_4954_b73e_6946ec3ea286 [NOK]

Any suggestions to solve this?
- Kevin_Stewart (Employee)
Do you have any iRule logic applied? Something that may be adding ":443" to the HTTP Host header?
- Thomas_Bigler_3 (Nimbostratus)
Only rule implemented is:
- Kevin_Stewart (Employee)
There are more pieces to this puzzle. Presumably you're using this iRule on an HTTP VIP to redirect traffic to an HTTPS VIP. You're saying "Location Header", so also guessing you mean a redirect.
If that's all correct, then the difference is in how the backend server responds - which redirect URL it sends back to the client. It could be that the :443 in the Internet request, however they're getting there, is informing the application that SSL offload is happening, and that's why it sends back the correct URL.
So a few additional thoughts.
- When the LAN clients get the HTTP redirect URL, do they not go to the HTTP URL and get redirected to HTTPS? Or do they go into a redirect loop and fail?
- Do you have any idea where the :443 is coming from? Could it be coming from the client, or another iRule on the HTTPS VIP?
- You may also want to try enabling the Redirect Rewrite option in the HTTP profile. This setting enables the F5 to rewrite any HTTP URL redirects to HTTPS. Start with the All setting, and if that works, try the Matching setting.
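
Added example, not part of the thread and not any poster's code: a small Python check that compares the URL a client requested with the Location header it received and flags redirects that drop from https to http, the symptom reported for LAN uploads. The function names and the last two sample rows are constructed for illustration; the first two rows use the URLs quoted in the question.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def classify_redirect(client_url, location):
    """Classify a Location header relative to the URL the client requested."""
    # A relative Location inherits scheme and host from the client's request.
    target = urljoin(client_url, location)
    req, loc = origin(client_url), origin(target)
    if req[0] == "https" and loc[0] == "http":
        # Cleartext redirect: the backend only saw the offloaded HTTP request
        # and nothing rewrote its Location header on the way back out.
        return "downgrade" if loc[1] == req[1] else "downgrade-other-host"
    return "ok" if loc == req else "cross-origin"


BASE = "https://test.domain.ch/upload/"
# (label, client request URL, Location header received by the client)
SAMPLES = [
    ("Internet", BASE + "24805250_7434_4a04_9a53_79d22dc11930",
     BASE + "24805250_7434_4a04_9a53_79d22dc11930"),          # from the thread
    ("LAN", BASE + "9a2f4f2f_ce92_4954_b73e_6946ec3ea286",
     "http://test.domain.ch/upload/9a2f4f2f_ce92_4954_b73e_6946ec3ea286"),
    ("relative", BASE + "constructed_id", "/upload/constructed_id"),  # constructed
    ("explicit-port", BASE + "constructed_id",
     "https://test.domain.ch:443/upload/constructed_id"),              # constructed
]


def failing(samples):
    """Labels of all samples whose redirect is not same-origin HTTPS."""
    return [label for label, url, loc in samples
            if classify_redirect(url, loc) != "ok"]


if __name__ == "__main__":
    for label, url, loc in SAMPLES:
        print(f"{label:14} {classify_redirect(url, loc)}")
```

Running the same check against responses captured before and after changing the Redirect Rewrite setting shows whether the LAN path now returns an https Location.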