d_n_26439
Jan 14, 2012

https and http to http http::path redirection not working

so i am new to f5, spent the last week reading irules stuff and the devcentral irules forums.

i think i got my script partially right, but it's not redirecting.

so i got one http VS on port 80. let's call it http://aaa.b.com/test (internal URL used within network)

-using default http class

-no cert/ssl

-nothing listening on 443

-pointing to a single default web pool 6 nodes also just listening on port 80 (iis6)

my client has external and internal URLs for their traffic.

the external is https://xxx.b.com/test

if they are within the internal network going to xxx.b.com, DNS points you to aaa.b.com address.

my client wanted:

if they go to https://xxx.b.com/test internally, it would be redirected to http://aaa.b.com/test

the irule i created was:

when HTTP_REQUEST {
  if { [string tolower [HTTP::host]] equals "xxx.b.com"} {
    HTTP::redirect "http:/aaa.b.com/test"
  }
}

i did some troubleshooting and threw some logging, but it was no help

log local0. "redirecting from [HTTP::host]"

if a user went to https://xxx.b.com/test, nothing happened: no logging, and the user gets "page cannot be displayed". i think i may be missing something, do i need to setup a separate vs on https 443?

if a user went to http://xxx.b.com/test, the log does say: "redirecting from xxx.b.com"

but the user is not redirected. so i think i could be missing some setting outside of irules.

any thoughts on this would be appreciated, sorry i am just a new nub 🙂

  • "if a user went to https://xxx.b.com/test, nothing happened no logging user gets page cannot be displayed. i think i may be missing something, do i need to setup a separate vs on https 443?"

    yes, since even though xxx.b.com is resolved to aaa.b.com, the user is still accessing https (443).

    e.g.

    [root@ve1023:Active] config  b virtual aaa.b.com.80 list
    virtual aaa.b.com.80 {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b virtual aaa.b.com.443 list
    virtual aaa.b.com.443 {
       destination 172.28.19.79:443
       ip protocol 6
       rules myrule
       profiles {
          clientssl {
             clientside
          }
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
          HTTP::redirect "http://aaa.b.com[HTTP::uri]"
       }
    }
    }
    
    [root@ve1023:Active] config  curl -Ik https://xxx.b.com/test
    HTTP/1.0 302 Found
    Location: http://aaa.b.com/test
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
  • thanks, i will give that a try.

    i can see that you have clientssl and clientside ssl profiles, can you tell me what you specified?

    clientssl is default parent to clientside? under clientside do i need to specify non-ssl connections?

    my client is adamant that they do not want users being notified regarding a cert by the browser. do I need a cert for the 443 VS for this to work?


  • ok i want to ignore the https part on 443 for now as i am having issues redirecting http://xxx.b.com/test to http://aaa.b.com/test.

    i added the rule exactly as you have it and added it to my aaa.b.com:http VS as well.

    i used Fiddler2 and went to http://xxx.b.com/test

    the response URL is: http://xxx.b.com/aaa.b.com/test

    confused as to what's going on. i added logging to my rule and in the ltm log it seems to be stuck in a loop, keeps posting redirecting to http://aaa.b.com/test
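The response URL http://xxx.b.com/aaa.b.com/test and the loop in the ltm log are what a client produces when the Location header is not an absolute URL: a value such as "http:/aaa.b.com/test" (one slash, as in the first rule in the thread) has a scheme but no host, so the browser keeps the host it is already on and appends the path, lands on xxx.b.com again, and the Host-matching rule fires again. The shell script below is an added example, not code from the thread or from F5: it resolves a Location header the way a client does and rejects a redirect that stays on the same host or loses the original path. The sample responses are constructed to look like the curl -I output earlier in the thread (one with the single-slash Location) and were not captured from the poster's BIG-IP; the function names are my own.

```shell
#!/bin/sh
# Resolve a redirect's Location header the way a browser does and flag the two
# failure modes seen in this thread: a target that keeps the client on the
# same host (so the Host-matching rule fires again, i.e. a loop) and a target
# that loses the original path. Assumes request URLs look like http(s)://host/path.

# Print the absolute URL a client follows, given the request URL and the raw
# HTTP response (as printed by curl -I).
resolve_location() {
  request_url=$1
  raw_response=$2
  location=$(printf '%s\n' "$raw_response" | tr -d '\r' \
             | sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1)
  origin=$(printf '%s' "$request_url" | sed -E 's#^(https?://[^/]+).*#\1#')
  case "$location" in
    http://*|https://*) printf '%s\n' "$location" ;;                  # absolute URL: followed as-is
    http:/*|https:/*)   printf '%s%s\n' "$origin" "${location#*:}" ;; # scheme but no host: client keeps the current host
    /*)                 printf '%s%s\n' "$origin" "$location" ;;      # absolute path on the current host
    '')                 printf '%s\n' "$request_url" ;;               # no Location header at all
    *)                  printf '%s/%s\n' "${request_url%/*}" "$location" ;; # relative path
  esac
}

# Host part of an http(s) URL.
url_host() { printf '%s' "$1" | sed -E 's#^https?://([^/]+).*#\1#'; }

# Path part of an http(s) URL ("/" when none is given).
url_path() {
  p=$(printf '%s' "$1" | sed -E 's#^https?://[^/]+##')
  printf '%s\n' "${p:-/}"
}

# Return 0 when the client ends up on expected_host with the original path,
# 1 otherwise, with the reason on stderr.
check_redirect() {
  request_url=$1
  raw_response=$2
  expected_host=$3
  target=$(resolve_location "$request_url" "$raw_response")
  if [ "$(url_host "$target")" = "$(url_host "$request_url")" ]; then
    echo "loop: client stays on $(url_host "$request_url") ($target)" >&2
    return 1
  fi
  if [ "$(url_host "$target")" != "$expected_host" ]; then
    echo "wrong host: $(url_host "$target")" >&2
    return 1
  fi
  if [ "$(url_path "$target")" != "$(url_path "$request_url")" ]; then
    echo "path changed: $(url_path "$request_url") -> $(url_path "$target")" >&2
    return 1
  fi
  return 0
}

# Constructed sample responses modelled on the curl -I output in the thread;
# not captured from the poster's BIG-IP.
GOOD_RESPONSE='HTTP/1.0 302 Found
Location: http://aaa.b.com/test
Server: BigIP
Connection: Keep-Alive
Content-Length: 0'

# What a rule of the form HTTP::redirect "http:/aaa.b.com/test" (single slash)
# sends back: the client treats it as relative to the host it is already on.
BAD_RESPONSE='HTTP/1.0 302 Found
Location: http:/aaa.b.com/test
Server: BigIP
Connection: Keep-Alive
Content-Length: 0'

resolve_location 'http://xxx.b.com/test' "$GOOD_RESPONSE"   # http://aaa.b.com/test
resolve_location 'http://xxx.b.com/test' "$BAD_RESPONSE"    # http://xxx.b.com/aaa.b.com/test
check_redirect 'http://xxx.b.com/test' "$GOOD_RESPONSE" aaa.b.com && echo "good: redirect accepted"
check_redirect 'http://xxx.b.com/test' "$BAD_RESPONSE" aaa.b.com || echo "bad: redirect rejected"
```

Run it against a real virtual server by capturing `curl -I http://xxx.b.com/test` (or `curl -Ik https://...`) into a variable and passing that in place of the constructed response; an absolute Location built from `http://aaa.b.com[HTTP::uri]`, as in the rule posted above, passes all three checks.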

     

  • "i can see that you have clientssl and clientside ssl profiles, can you tell me what you specified?"

    clientssl is used to decrypt https traffic. since we want to see the http header, i.e. HTTP::host, and do redirection, clientssl is required. clientside means it is configured on the client side, i.e. between client and f5.

    sol10167: Overview of the Client SSL profile

    http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167

    "under clientside do i need to specify non-ssl connections?"

    no. i do not think you need non-ssl.

    "my client is adamant that they do not want users being notified regarding a cert by the browser. do I need a cert for the 443 VS for this to work?"

    yes, you have to import the certificate and private key of xxx.b.com and set them in the clientssl profile.

    "as i am having issues redirecting http://xxx.b.com/test to http://aaa.b.com/test."

    each, i.e. xxx.b.com and aaa.b.com, is different in ip and has its own virtual server, hasn't it?

    can you try this on the xxx.b.com virtual server?

    [root@ve1023:Active] config  b virtual bar list
    virtual bar {
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
       if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
          HTTP::redirect "http://aaa.b.com[HTTP::uri]"
       }
    }
    }
    
    [root@ve1023:Active] config  curl -I http://xxx.b.com/test
    HTTP/1.0 302 Found
    Location: http://aaa.b.com/test
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0
    
  • they are actually on the same IP address.

    when going to xxx.b.com, dns is pointing them to the aaa.b.com address, which would be the IP of aaa.b.com.

    i can get it to understand that the request is coming from http::host of xxx.b.com, but still not redirecting.

    i will give what you have posted a try. thanks for the help

  • alright i got it all working, but for https/443 i could only get it working using the default certificate

    the real xxx.b.com is pointing to an f5 pair in a dmz location.

    i archived the ca-bundle and certs from the dmz f5.

    the cert common name is for xxx.b.com

    imported the archive to the f5 pair doing the redirecting internally.

    so i put in a cert for xxx.b.com, but the request never goes through and i get a page cannot be displayed.

    once i update the clientssl profile to use the default cert, i get through and am redirected to http://aaa.b.com/test

    so the redirect is working, but i need to look into what's up with the certs... going to https://xxx.b.com/test externally is working no problem going to the dmz f5 with the exact same certs I imported into f5 internally at aaa.b.com.

  • did you upload both xxx.b.com certificate and private key? both have to be set in clientssl profile.
  • yup, even validated them on the source f5 with openssl.

    then validated them on the aaa.b.com f5 with openssl. the key and cert are a matching pair. md5 hashes match.

    are there any events that i could log with an ssl irule event to see where it's failing with the certificate?

    do you think i could redirect before the ssl handshake to avoid use of a cert altogether?
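The openssl validation described in this post and the cert/key import in the earlier one (cert for xxx.b.com, ca-bundle archived from the dmz f5) can be scripted so the same checks run on the source BIG-IP and on the importing one before the Client SSL profile is changed. The shell script below is an added example, not code from the thread or from F5: it compares the certificate's modulus with the key's (the same comparison the poster did via md5 hashes), checks that the subject CN is the host name clients type, and verifies the chain against a CA bundle. It generates a throwaway self-signed certificate for xxx.b.com so it runs offline; that material is constructed, not the poster's real certificate, key or ca-bundle, and using the self-signed certificate as its own bundle is an assumption made only so the chain check has something to verify against. Function names are my own.

```shell
#!/bin/sh
# Check SSL material before it is set in a Client SSL profile: the key must
# belong to the certificate, the certificate must be issued for the host name
# clients type, and it must chain to the CA bundle. Uses only the openssl CLI.

# Return 0 when the certificate's RSA modulus equals the private key's.
# (Comparing md5 hashes of the two moduli, as done by hand in the thread,
# is equivalent; comparing the "Modulus=..." lines directly avoids a step.)
cert_matches_key() {
  cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when the subject CN is exactly the expected host name
# (handles both "CN = host" and "/CN=host" subject formats).
cert_cn_is() {
  openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2\$"
}

# Return 0 when the certificate verifies against the given CA bundle.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks, print one line per result, return 0 only if all pass.
check_ssl_material() {
  cert=$1; key=$2; host=$3; bundle=$4; ok=0
  if cert_matches_key "$cert" "$key"; then echo "key matches certificate"
  else echo "KEY DOES NOT MATCH CERTIFICATE"; ok=1; fi
  if cert_cn_is "$cert" "$host"; then echo "CN is $host"
  else echo "CN IS NOT $host"; ok=1; fi
  if cert_chains_to "$cert" "$bundle"; then echo "chains to bundle"
  else echo "DOES NOT CHAIN TO BUNDLE"; ok=1; fi
  return $ok
}

# Constructed test material (not the poster's real certificate, key or
# ca-bundle): a throwaway self-signed certificate for xxx.b.com plus an
# unrelated key to show the mismatch case. Removed when the script exits.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=xxx.b.com' \
  -keyout "$WORK/xxx.key" -out "$WORK/xxx.crt" >/dev/null 2>&1
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1

# A self-signed certificate is its own issuer, so it stands in for the bundle here.
check_ssl_material "$WORK/xxx.crt" "$WORK/xxx.key" xxx.b.com "$WORK/xxx.crt"
check_ssl_material "$WORK/xxx.crt" "$WORK/other.key" xxx.b.com "$WORK/xxx.crt" \
  || echo "(expected failure with the unrelated key)"
```

On a BIG-IP the same functions can be pointed at the imported files, e.g. the certificate under /config/ssl/ssl.crt/ and the key under /config/ssl/ssl.key/ (the directory the ssldump command later in the thread reads from), with the archived ca-bundle as the fourth argument.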

     

  • have you captured packets? was there anything suspicious there?

    e.g.

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

    x.x.x.x is the virtual ip
    y.y.y.y is the pool member ip

    ssldump -Aed -nr /var/tmp/output.pcap -k /config/ssl/ssl.key/zzzz.key

    zzzz.key is the private key file

    you are also able to decrypt ssl traffic in wireshark.

    Decrypting SSL traffic with Wireshark, and ways to prevent it

    http://wirewatcher.wordpress.com/20...revent-it/