Forum Discussion
iRule host redirect not working
when HTTP_REQUEST {
    set host [string tolower [HTTP::host]]
    set uri [HTTP::uri]
    set client [IP::client_addr]
    if { $host equals "test-dev" } {
        # HTTP::uri already begins with "/", so no extra slash before $uri
        HTTP::redirect "https://test-dev.corp.test.com$uri"
        return
    }
}
This isn't working as expected. When I use "http://test-dev/" it redirects me to "https://test-dev" and doesn't redirect me to test-dev.corp.test.com. My default search domain is .corp.just.com. And test-dev.corp.just.com is a cname for test-dev.corp.test.com.
I think the issue is with SSL. There is an SSL profile on the virtual server with a cert for test-dev.corp.test.com. And I get a cert error when I get to https://test-dev. But if I push past that cert error I get redirected properly to https://test-dev.corp.test.com and the cert error then goes away as expected.
1 Reply
- Hamish
Cirrocumulus
Sorry, but this sounds like more an issue with your expectations than with SSL itself.
I don't believe that the redirect from HTTP to HTTPS is being done by this iRule. It really has to be elsewhere (e.g. an HTTP URL with HTTP to HTTPS system iRule or another simple custom iRule attached?)
Quick hint. Short names are not good. Especially when you're dealing with HTTPS. They're ambiguous and prone to hijack. e.g. if you're on someone else's wifi using DHCP.
The name you type in the browser HAS to agree with the name in the certificate. That's how the basic security checks work. The certificate is 'guaranteeing' that the site you entered in the URL is the site you're talking to. If the URL has the short-name and you're relying on the DNS library to append the rest of the name to perform the lookup, then the name you typed and the name in the cert don't match. Result is an error/warning from the browser to warn you.
You can mask HALF of this... On the VS that's doing the HTTPS to HTTP redirect, make sure it redirects to the FQDN.
i.e. http://short-name/whatever redirects to https://short-name.domain/whatever
and not just the name entered in the HOST header (Unless you have multiple sites/names on the same IP you won't even have to do a redirect to what's in the HOST header. You can hard-code the redirect to the same name that's in the certificate. If you do, then some more logic will be required).
HOWEVER that doesn't stop you from getting an error IF you type https://short-name/ (Sorry, that is a feature of SSL/TLS. name has to match).
Now... The reason your error goes away AFTER the redirect from this iRule is because your iRule is on the HTTPS VS. That means it gets run AFTER the SSL/TLS negotiation. So you hit the VS once with the 'wrong' name. Get redirected and then hit the 'right' name.
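An added example, not code from either poster: one way to write the redirect described in the reply, as an iRule for the port-80 (HTTP) virtual server that always sends clients to the FQDN in the certificate instead of echoing the Host header. The hostnames are the ones used in this thread; the list of accepted names and the 400 response for unknown hosts are assumptions.

```tcl
# Added example: attach to the HTTP (port 80) virtual server, not the HTTPS one,
# so the redirect happens before any TLS handshake with a short name.
when HTTP_REQUEST {
    # Strip any ":port" suffix and normalise case before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Map every name this site is reached by to the FQDN in the certificate.
    # (Assumed list; extend it when more sites share the same IP.)
    switch -- $host {
        "test-dev" -
        "test-dev.corp.just.com" -
        "test-dev.corp.test.com" {
            set target "test-dev.corp.test.com"
        }
        default {
            # Unknown or missing Host header: never reflect it into Location.
            HTTP::respond 400 content "Unknown host" "Connection" "close"
            return
        }
    }

    # HTTP::uri already starts with "/", so no extra slash is inserted.
    HTTP::redirect "https://${target}[HTTP::uri]"
}
```

A request typed directly as https://test-dev/ still reaches the HTTPS virtual server first and still produces the certificate name mismatch, as the reply explains.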