irule for http => https redirect

For a generic HTTP -> HTTPS redirect to be invoked from F5, use the system-provided "_sys_https_redirect". Apply the iRule to your TCP port 80 VS.

Hi we already tried the system provided default rule. We have session errors on our application. What should be the customized irule to support JSON.

Thank you

Can you issue a few commands to see what response codes and from where are served? Also note no changes are required for JSON support, the redirect iRule does not care about HTTP payload.

1) "curl -vI http://www.mysite.com"

2) "curl -vI https://www.mysite.com"

Hi Hannes,

Rule we are using: when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

Responses to commands:

:/S1-green-P:Active:Changes Pending] ~ curl -vl http://10.15.195.68/Logistics/signin.jsp * About to connect() to 10.115.195.168 port 80 (0) * Trying 10.15.195.68... connected * Connected to 10.15.195.68 (10.115.195.168) port 80 (0)

GET /Logistics/signin.jsp HTTP/1.1 User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 Host: 10.15.195.68 Accept: /

• HTTP 1.0, assume close after body < HTTP/1.0 302 Found < Location: https://10.115.195.168/Logistics/signin.jsp < Server: BigIP
• HTTP/1.0 connection set to keep alive! < Connection: Keep-Alive < Content-Length: 0 <
• Connection 0 to host 10.15.195.68 left intact
• Closing connection 0

:/S1-green-P:Active:Changes Pending] ~ curl -vl https://10.15.195.68/Logistics/signin.jsp * About to connect() to 10.15.195.68 port 443 (0) * Trying 10.15.195.68... connected * Connected to 10.15.195.68 (10.15.195.68) port 443 (0) * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Closing connection 0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. :/S1-green-P:Active:Changes Pending] ~

It seems like your HTTP to HTTPS iRule works as intended. The SSL error you receive (once already connected to TCP:443 VIP) is not related to a problem with your iRule.

Make sure that the client-side certificate configured matches the domain requested and that the intermediate (CA) is trusted by the client (your cURL PC). Alternatively, you can pass the "-k" flag to cURL to establish a non-trusted SSL handshake.

Please (re)Post the 2. cURL output once you have resolved the SSL handshake problems.

Cheers!

Hi Hannes,

We only have SSL installed on Load Balancer. At the backend servers(2) we do not have SSL installed. We managed the same configuration working on nginx but we have errors with F5.

Thank you

you may try tcpdump/ssldump, http analyzer tool to see if you can find what the wrong is.

HttpFox

sol10209: Overview of packet tracing with the ssldump utility