Forum Discussion
Fletcher_Cocquy
Nimbostratus
NimbostratusiRule to help WebDAV COPY work through SSL Proxy
We are migrating webdav publishing services to BIG-IP 9.1.2 Build 40.6
We are seeing error 502, on COPY operations and other operations not functioning correctly through the SSL proxied virtual.
It sounds like this is a malfunction of the proxy according to the posts I found from the SVN users list:
http://svn.haxx.se/users/archive-2006-12/0946.shtml
“The proxy only rewrites the request URL, but not the other headers, so the
SVN-Apache (Apache without SSL) receives:
COPY /svn/old/path HTTP/1.1
Host: svn.myserver.tld:10600
Destination: https://myserver.tld/svn/new/path
....
...and immediately recognizes that it is definitely not responsible for
serving https, let alone myserver.tld or even port 443. So it does not show
the the request to SVN, but instead sends back a 502 error.
(I found that with the help of tcpdump, LogLevel debug and a good long look
into the mod_dav sources.) “
Has anyone solved this with an iRule?
I don’t want to hack mod_dav as one user did.
Relevant config:
virtual irt-publish-ssl {
destination a.b.c.d:https
fallback persist source_addr
ip protocol tcp
profile irt-publish sslheader tcp
persist ssl
pool irt-publish
}
profile http sslheader {
defaults from http
header insert "GOHTTPS:1"
redirect rewrite all
insert xforwarded for enable
}
Thanks,
Fletcher.
3 Replies
- From your description above and the snippet of perl code, it sounds like all you need to do is look at the response and check to see if the destination header on any MOVE or COPY responses are written as https. If they are...write them as http.
A rule for that would look something like:when HTTP_RESPONSE { if { ( [HTTP::method] equals "MOVE" ) or ( [HTTP::method] equals "COPY" ) } { if { [HTTP::header Destination] starts_with "https" } { HTTP::header replace Destination "http://[getfield [HTTP::header Destination] '//' 2]" } } }
HTH,
Colin 
Fletcher_CocquyWorks like a charm - thanks to you and Lance @ F5 support for helping solve this
Now all our publishing clients are working perfectly
I'll be posting a summary to the lb-l@vegan list too
thanks again!- Fletcher_CocquyWait, this iRule works when moving files, but fails when copying or moving directories via dav:
dav:/live/fletch/> move prot prot2
Moving `/live/fletch/prot' to `/live/fletch/prot2': redirect to https://irt-publish.stanford.edu/live/fletch/prot/
Any ideas why?
apache logs a redirect:
171.2.1.2 - fcocquyt @ stanford.edu [27/Jun/2007:20:34:36 -0700] "PROPFIND /live/fletch/prot2/ HTTP/1.1" 404 435 "-" "cadaver/0.22.3 neon/0.25.5"
171.2.1.2 - fcocquyt @ stanford.edu [27/Jun/2007:20:34:36 -0700] "MOVE /live/fletch/prot HTTP/1.1" 301 476 "-" "cadaver/0.22.3 neon/0.25.5"
thanks
