Forum Discussion
aweise_7447
Nimbostratus
Jan 27, 2011
HTTPS redirect based on URI
Greetings,
We have a VIP that sends traffic to an SSL VPN appliance. The VIP is running on 443 and has a simple pool applied to it. However, we'd like to be able to redirect users to a specific URL if they type in an incorrect URL.
For example, the correct URL is https://www.company.com/vpn. Users are simply forgetting to type in the URI portion so that it ends up being "https://www.company.com/". This causes problems and the users are not able to authenticate to the VPN appliance.
Can we have an iRule that does something like this:
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri]] {
            "/" {
                HTTP::redirect "https://www.company.com/vpn"
            }
        }
    }
But instead does this for HTTPS? The SSL is not terminated on the BigIP - it's done on the VPN appliance.
Thanks!
14 Replies
- Chris_Miller
Altostratus
You'd have to terminate the SSL on the BigIP so it could decrypt the request, see that it contained "/" and redirect it. If you wanted to re-encrypt the traffic on its way to the VPN appliance, that's easy enough.
Just wanted to confirm that this host (www.company.com) isn't doing anything else, but this VPN portal...since we're redirecting all requests for the root directory.
- Colin_Walker_12
Historic F5 Account
If the SSL is not terminated on the BIG-IP, then you can do absolutely nothing as far as inspection or redirection based on that inspection. SSL is, by definition, intended to stop people from doing exactly what you're trying to do, i.e. packet tampering (inspection, re-writing, etc.).
If you terminate on the BIG-IP then re-encrypt to your VPN solution, would that work for you? You could then inspect and redirect as necessary on the LTM.
Colin
- aweise_7447
Nimbostratus
Posted By Chris Miller on 01/27/2011 07:58 AM
You'd have to terminate the SSL on the BigIP so it could decrypt the request, see that it contained "/" and redirect it. If you wanted to re-encrypt the traffic on its way to the VPN appliance, that's easy enough.
Just wanted to confirm that this host (www.company.com) isn't doing anything else, but this VPN portal...since we're redirecting all requests for the root directory.
Correct - that host is doing nothing else than acting as the VPN portal. There are a handful of URLs that are configured on that appliance:
https://www.company.com/group1
https://www.company.com/group2
https://www.company.com/group3
And so on...this is to support various user groups that have different requirements for VPN access. However, our main issue is that some users are not entering the URI portion at all and failing to reach the correct method for access.
- Chris_Miller
Altostratus
Gotcha,
You can use a different cert between the client and LTM than between LTM and VPN. Why not have a www.company.com cert on LTM and then a self-signed one on the VPNs?
- aweise_7447
Nimbostratus
Posted By Chris Miller on 01/27/2011 11:26 AM
Gotcha,
You can use a different cert between the client and LTM than between LTM and VPN. Why not have a www.company.com cert on LTM and then a self-signed one on the VPNs?
Interesting...I didn't think of that for some reason. I'll keep that in mind when the renewal comes up. Since we're just about into full-blown production right now, I'd rather not change too much.
The URL thing didn't come up until we had a few users who forgot about the URI portion.
Thanks again for the help!
- Ashish_Ram_Tak1
Nimbostratus
Dear All,
I want to achieve the below scenario in my environment.
I have four virtual servers A, B, C, D. Initially all requests hit VS "A": when users type mbanking.abc.com in their browser they will hit "A", but if users type mbanking.abc.com/abc they will be redirected to VS "B", and if they type mbanking.abc.com/pqr the request will be redirected to "D".
I have the below iRule with me:
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/xyz" } {
            virtual server B
        } else {
            if { [HTTP::uri] starts_with "/pqr" } {
                virtual server B
            } else {
                Virtual server A
            }
        }
    }
Will the above iRule work, or else do I have to make modifications to it?
Regards,
Ashish Takawale.
- What_Lies_Bene1
Cirrostratus
OK, if you want to specify a different virtual server the command is just 'virtual 'name'', not virtual server 'name'.
This approach isn't great; an HTTP redirect to the correct VS would be better.
- Ashish_Ram_Tak1
Nimbostratus
Dear Steve,
Thanks for the help. Will the below work? Also, could you please explain to me how we do an HTTP redirect to the correct VS? Do you have an iRule for the same?
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/xyz" } {
            virtual B
        } else {
            if { [HTTP::uri] starts_with "/pqr" } {
                virtual D
            } else {
                Virtual server A
            }
        }
    }
Regards,
Ashish
- What_Lies_Bene1
Cirrostratus
Ashish, a few corrections:

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/xyz" } {
            virtual B
        } elseif { [HTTP::uri] starts_with "/pqr" } {
            virtual D
        } else {
            virtual A
        }
    }
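The thread suggests an HTTP redirect to the correct virtual server instead of the `virtual` command but never shows one. The following is an added example, not code from any poster: it assumes virtual servers B and D answer on their own hostnames (`b.example.com` and `d.example.com` are placeholders) and that the iRule is attached to virtual server A, with a client SSL profile if A listens on 443 so the request is decrypted before the event fires.

```tcl
# Added example, not from the thread. The hostnames are placeholders.
when HTTP_REQUEST {
    # HTTP::path excludes the query string, so "/xyz?id=1" still matches;
    # HTTP::uri (path plus query) is reused below to preserve the full request.
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/xyz" } {
        set target "b.example.com"
    } elseif { $path starts_with "/pqr" } {
        set target "d.example.com"
    } else {
        # Everything else stays on virtual server A and its default pool.
        return
    }

    # The Location host is a fixed value, never [HTTP::host]: the Host header
    # is client-supplied and must not decide where the redirect points.
    HTTP::redirect "https://${target}[HTTP::uri]"
}
```

Because the client makes a new connection to the redirect target, B and D each apply their own profiles and logging to the request, which does not happen when A hands the connection over internally with `virtual`.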