Forum Discussion

maher_69299's avatar
maher_69299
Icon for Nimbostratus rankNimbostratus
Mar 01, 2010

HTTPS Redirect

Can you please tell me what is wrong with this IRULE. It works fine for HTTP but I couldn't make it to work for HTTPS.

 

 

 

when HTTPS_REQUEST {

 

 

Check if host header value is not www.xxx.com

 

if {not ([string tolower [HTTPS::host]] eq "www.xxx.com")}{

 

 

Send a 301 redirect

 

HTTPS::respond 301 Location "https://www.xxx.com/"

 

}

 

}

 

 

Here is the error message I get

 

 

01070151:3: Rule [HTTPS-Redirect-Irule] error:

 

line 1: [unknown event (HTTPS_REQUEST)] [when HTTPS_REQUEST {

 

 

Check if host header value is not www.xxx.com

 

if {not ([string tolower [HTTPS::host]] eq "www.xxx.com")}{

 

 

Send a 301 redirect

 

HTTPS::respond 301 Location "http://www.xxx.com/"

 

}

 

}]

 

 

 

Thanks
application delivery
dev
devops
iRules
  • maher_69299's avatar
    maher_69299
    Icon for Nimbostratus rankNimbostratus
    Mar 01, 2010
    When I am trying to accomplish is that when a user types the IP address https://xx.yy.zz.dd he will be redirected to https://www.xxx.com. It works for HTTP but not HTTPS
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Mar 01, 2010
    Hi Maher,

     

    There isn't an event called HTTPS_REQUEST or HTTPS::host or HTTPS::respond

     

     

    In

     

    If you are terminating the SSL certificate on the F5 then you need to use HTTP_REQUEST, HTTP::host and HTTP::respond commands. Basically terminating the SSL Cert on the F5 means that it can be decrypted so that it can process the events and commands.

     

     

     

     

    I help this helps

     

     

    Bhattman

     

     

  • maher_69299's avatar
    maher_69299
    Icon for Nimbostratus rankNimbostratus
    Mar 02, 2010
    Thanks for the reply. We don't terminate SSL on the F5 so is there a way to change the IP to a domain name when the user type HTTPS://xx.xx.xx.xx
  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Mar 02, 2010
    No, if you are not terminating, the BIG-IP has no visibility to the traffic above layer4.
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Mar 02, 2010
    Hi Maher,

     

    I do not believe there is a way for the F5 to do what you ask because it's simply passing the 443 traffic through.

     

     

    Bhattman
  • David_Cheok_205's avatar
    David_Cheok_205
    Icon for Nimbostratus rankNimbostratus
    Mar 03, 2010
    Sorry, I'm trying to do the same, so continuing from this thread. Would this suffice?

     

     

    when CLIENT_ACCEPTED {

     

    SSL::disable

     

    when HTTP_REQUEST {

     

    if {[active_members POOL] < 1 }{

     

     

    HTTP::respond 200 content {

     

     

    Apology Page

     

     

    We are sorry, but the site is temporarily out of service

     

     

     

     

    }

     

    }

     

    }

     

    }
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 03, 2010
    Hi David,

     

     

    If you want to pass through the SSL unencrypted when pool members are available, but terminate the SSL and send an HTTP response if the pool is down, you could import the SSL cert and key, configure them in a client SSL profile, add the client SSL profile and an HTTP profile to the VIP and then use an iRule like this:

     

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPS_passthrough_fallback_URL.html

     

     

    Without importing the cert and key, there is no way to inspect or modify the HTTP headers or content.

     

     

    Aaron