Forum Discussion
https and http to http http::path redirection not working
i think i got my script partially right, but it's not redirecting.
so i got one http VS on port 80. let's call it http://aaa.b.com/test (internal URL used within network)
- using default http class
- no cert/ssl
- nothing listening on 443
- pointing to a single default web pool 6 nodes also just listening on port 80 (iis6)
my client has external and internal URLs for their traffic.
the external is https://xxx.b.com/test
if they are within the internal network going to xxx.b.com, DNS points you to aaa.b.com address.
my client wanted:
if they go to https://xxx.b.com/test internally, it would be redirected to http://aaa.b.com/test
the irule i created was:
    when HTTP_REQUEST {
       if { [string tolower [HTTP::host]] equals "xxx.b.com"} {
          HTTP::redirect "http:/aaa.b.com/test"
       }
    }
i did some troubleshooting and threw some logging, but it was no help
    log local0. "redirecting from [HTTP::host]"
if a user went to https://xxx.b.com/test, nothing happened, no logging, user gets page cannot be displayed. i think i may be missing something, do i need to setup a separate vs on https 443?
if a user went to http://xxx.b.com/test, the log does say: "redirecting from xxx.b.com"
but the user is not redirected. so i think i could be missing some setting outside of irules.
any thoughts on this would be appreciated, sorry i am just a new nub 🙂
- nitass (Employee)
> if a user went to https://xxx.b.com/test, nothing happened, no logging, user gets page cannot be displayed. i think i may be missing something, do i need to setup a separate vs on https 443?

yes since even xxx.b.com is resolved to aaa.b.com but user is still accessing https (443).

    [root@ve1023:Active] config b virtual aaa.b.com.80 list
    virtual aaa.b.com.80 {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config b virtual aaa.b.com.443 list
    virtual aaa.b.com.443 {
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
             HTTP::redirect "http://aaa.b.com[HTTP::uri]"
          }
       }
    }
    [root@ve1023:Active] config curl -Ik https://xxx.b.com/test
    HTTP/1.0 302 Found
    Location: http://aaa.b.com/test
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
- d_n_26439 (Nimbostratus)
thanks, i will give that a try.
clientssl is default parent to clientside? under clientside do i need to specify non-ssl connections?
my client is adamant that they do not want users being notified regarding a cert by the browser. do I need a cert for the 443 VS for this to work?
- d_n_26439 (Nimbostratus)
ok i want to ignore the https part on 443 for now as i am having issues redirecting http://xxx.b.com/test to http://aaa.b.com/test.
- nitass (Employee)
> i can see that you have clientssl and clientside ssl profiles, can you tell me what you specified?

clientssl is used to decrypt https traffic. since we want to see http header, i.e. HTTP::host, and do redirection, so clientssl is required. clientside means it is configured on client-side i.e. between client and f5.

    [root@ve1023:Active] config b virtual bar list
    virtual bar {
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
          if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
             HTTP::redirect "http://aaa.b.com[HTTP::uri]"
          }
       }
    }
    [root@ve1023:Active] config curl -I http://xxx.b.com/test
    HTTP/1.0 302 Found
    Location: http://aaa.b.com/test
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
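
Two forms of the redirect target appear in this thread: `http:/aaa.b.com/test` in the first iRule and `http://aaa.b.com[HTTP::uri]` in the replies. The following is an added example, not code from the thread or from F5, that models how a client applying WHATWG URL rules resolves each `Location` value; the function names are hypothetical, and it assumes the rule is attached to whichever virtual server answers the request.

```javascript
// Added example, not code from the thread. Hostnames are the thread's
// placeholders; the functions below only model the 302 the iRule sends.

// The two redirect targets that appear in the thread.
const firstRule = () => 'http:/aaa.b.com/test';                       // single slash
const replyRule = (u) => 'http://aaa.b.com' + u.pathname + u.search;  // [HTTP::uri]

// Stand-in for the virtual server: Host xxx.b.com gets a 302, anything else
// is treated as served by the pool.
function respond(requestUrl, rule) {
  const u = new URL(requestUrl);
  return u.hostname.toLowerCase() === 'xxx.b.com'
    ? { status: 302, location: rule(u) }
    : { status: 200 };
}

// Follow redirects as a WHATWG-URL client does: Location is resolved against
// the URL just requested. Stops after maxHops to expose a loop.
function follow(startUrl, rule, maxHops = 5) {
  const hops = [startUrl];
  for (let i = 0; i < maxHops; i++) {
    const current = hops[hops.length - 1];
    const res = respond(current, rule);
    if (res.status !== 302) return { outcome: 'served', hops };
    hops.push(new URL(res.location, current).href);
  }
  return { outcome: 'redirect loop', hops };
}

// Constructed sample requests, one per case.
for (const [start, rule] of [
  ['http://xxx.b.com/test', firstRule],
  ['https://xxx.b.com/test', firstRule],
  ['http://xxx.b.com/test?x=1', replyRule],
]) {
  const { outcome, hops } = follow(start, rule);
  console.log(outcome.padEnd(14), hops.slice(0, 3).join(' -> '));
}
```

With the single-slash value and an `http://` request, the target has the same scheme as the request and no `//`, so it resolves to a path on xxx.b.com and the rule matches again on every hop.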
- d_n_26439 (Nimbostratus)
they are actually on the same IP address.
- d_n_26439 (Nimbostratus)
alright i got it all working, but for https/443 i could only get it working using the default certificate
the real xxx.b.com is pointing to a f5 pair in a dmz location.
i archived the ca-bundle, and certs from the dmz f5.
the cert common name is for xxx.b.com
imported the archive to the f5 pair doing the redirecting internally.
so i put in a cert for xxx.b.com, but the request never goes through and get a page cannot be displayed.
once i update the clientssl profile to use the default cert, i get through and am redirected to http://aaa.b.com/test
so the redirect is working, but i need to look into what's up with the certs... going to https://xxx.b.com/test externally is working no problem, going to the dmz f5 with the exact same certs I imported into f5 internally at aaa.b.com.
- nitass (Employee)
did you upload both xxx.b.com certificate and private key? both have to be set in clientssl profile.
- d_n_26439 (Nimbostratus)
yup, even validated them on source f5 with openssl.
are there any events that i could log with ssl irule event to see where it's failing with the certificate.
do you think i could redirect before ssl handshake to avoid use of a cert altogether?
- nitass (Employee)
have you captured packet? was there anything suspicious there?