For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dlawke's avatar
dlawke
Icon for Nimbostratus rankNimbostratus
Sep 10, 2024

iRule redirection for VIP on 443

We're migrating from NetScaler, and the one thing that NetScaler was able to do is redirect on a 'downed' VIP as a protection measure.    Basically, an application is migrating to the cloud, and we...
application delivery
Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
Sep 10, 2024

A simple irule with 302 redirect is enough in your case as said.

But there is no way to avoid SSL termination when using https.

 

So if you still have a valid cert for applicationa.contoso.com, just assign the below irule to the VS bind the cert and you should be ok.
It would better also to deassign the pool.

 

when HTTP_REQUEST {
  if { [HTTP::host] equals "applicationa.contoso.com"} {
      HTTP::redirect "https://hosted-applicationa.contoso.com"
  }
}

dlawke's avatar
dlawke
Icon for Nimbostratus rankNimbostratus
Sep 10, 2024

Thanks. That makes sense. I was trying to avoid even having BIG-IP even bothering looking at the packet. I just wanted the traffic to hit the VS and respond by telling them to go to the URL in the iRule. If that is not possible, then that makes sense.

 

On the NetScaler, there were times we had to bind an 'always up' service/node to a VS in order for a feature to function like a responder or rewrite. Is that unnecessary on the F5-side?

  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    Icon for Nacreous rankNacreous
    Sep 11, 2024

    No it's not, a VS can be active even with no pool assigned