Forum Discussion
Chris_Stierle_1
Nimbostratus
Nov 30, 2005
https://www.a.com/ to https://www.b.com redirect
Is there any way to use an iRule to redirect HTTPS requests from one URL to another in the case of a failure? Added to this is the fact that my SSL certs are on the servers and not on the F5s. I currently do HTTP redirects through a fallback host but this will not work with HTTPS.
5 Replies
- Colin_Walker_12
Historic F5 Account
Unfortunately this isn't something that can be done due to two things.
1.) v4.x of the BIG-IP systems aren't Bi-directional proxies. This means that the traffic going out from the server to the customer isn't visible to the device.
2.) Even in BIG-IP v9.x, where the traffic coming from the server to the client would be visible, the SSL would have to be terminated on the BIG-IP so that it could read the packet information to determine whether there was a failure on the webserver.
HTH,
-Colin
- Chris_Stierle_1
Nimbostratus
Colin,
thanks for the response. I'm not sure that I completely understand the issue though. In my case I do not want any connection to reach the server behind the F5. I want a re-direct to be sent from the F5 to the client anytime they try to connect to https://www.a.com.
I believe you are correct in that it won't work but I am trying to understand the reason.
Thanks again.
- Martin_Machacek
Historic F5 Account
Chris,
if all that you want to achieve is what you've described in your last post (which is a much simpler problem than what you've described in your first post), then the solution is as follows:
- put a copy of your private key and certificate for www.a.com on the BIG-IP,
- configure an SSL proxy for the IP address to which www.a.com resolves,
- configure the proxy to refer to a virtual server,
- configure the virtual server to use a rule with a single "redirect to" statement.
The configuration may look like this:

    rule www.a.com-redirect {
       redirect to "https://www.b.com"
    }
    virtual 127.1.1.1:80 {
       use rule www.a.com-redirect
    }
    proxy www.a.com:https {
       target virtual 127.1.1.1:80
       clientssl enable
       clientssl key www.a.com.key
       clientssl cert www.a.com.crt
    }

Notes:
- it is actually better to use IP addresses than DNS names as virtual and proxy names, because if DNS resolution is not available at the time the machine boots and there is no entry for www.a.com in /etc/hosts, the configuration load will fail,
- you can use an unofficial self-signed certificate for the proxy, if you don't mind that customers will get browser warnings about an untrusted and unverifiable certificate when accessing https://www.a.com.
- Colin_Walker_12
Historic F5 Account
As mmac has detailed above, your revised request is definitely possible. I was under the impression that you wanted to set up something different involving features that weren't available to you.
-Colin
- Chris_Stierle_1
Nimbostratus
mmac and Colin,
Thank you both for the explanations and sorry for the confusion. Basically, we have one URL that we are no longer going to use and the business unit doesn't want to have to inform people that a new URL is available. They just want people that go to the old URL to be re-directed. I think it is a bad idea and a waste of resources but I really don't have much of a say at this point.
I figured we could do it if we put the cert on the F5 but I was just wondering if I could do a re-direction without it. My guess was that we could not.
Thanks again for the information.
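
Why the redirect needs the key and certificate on the BIG-IP, as an added example that is not part of the original thread: a connection to https://www.a.com opens with a TLS handshake record rather than an HTTP request, so a device without the private key has no request to answer with a redirect. The function names and the constructed sample bytes are assumptions for illustration; only the two hostnames come from the thread.

```python
import struct

OLD_HOST = "www.a.com"          # hostnames taken from the thread
NEW_URL = "https://www.b.com"

def sample_client_hello(body_len=48):
    """Constructed sample: the opening bytes of a TLS handshake (zero-filled body)."""
    handshake = b"\x01" + struct.pack(">I", body_len)[1:] + bytes(body_len)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def is_tls_client_hello(data):
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, _minor, length = struct.unpack(">BBBH", data[:5])
    return (content_type == 0x16 and major == 0x03
            and 0 < length <= 16384 and data[5] == 0x01)

def http_host(data):
    """Return the lower-cased Host header of a plaintext HTTP request, or None."""
    head = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = head[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None

def redirect_without_key(first_bytes):
    """Reply a device WITHOUT the site's private key can send, or None if it cannot redirect."""
    if is_tls_client_hello(first_bytes):
        # The HTTP request is not on the wire yet; it only arrives encrypted,
        # after a handshake that needs the certificate and key for OLD_HOST.
        return None
    if http_host(first_bytes) == OLD_HOST:
        return ("HTTP/1.1 302 Found\r\nLocation: %s\r\n"
                "Content-Length: 0\r\nConnection: close\r\n\r\n" % NEW_URL).encode("ascii")
    return None

if __name__ == "__main__":
    plain = b"GET /login HTTP/1.1\r\nHost: www.a.com\r\n\r\n"  # constructed port-80 request
    print("http :", redirect_without_key(plain))
    print("https:", redirect_without_key(sample_client_hello()))
```

The plaintext request yields a 302 reply, while the TLS opening yields nothing, which is the case the SSL proxy with the www.a.com key and certificate resolves.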