For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Tom_Farrar_1221's avatar
Tom_Farrar_1221
Icon for Nimbostratus rankNimbostratus
May 20, 2014

iRule to map all and preserve HTTPS

Hi All,

Hope someone can point me in the right direction here!

We've an app being served up by Jetty on 8080/TCP, with a root of /console (so, 192.168.10.1:8080/console/). In from of this we've got an LTM, where we are making this work available and handling SSL offloading.

So we want https://console.demo.com to serve up http://192.168.10.1:8080/console/

I'd hoped that a simple iRule with a string map would do it, but it seems to catch too much/too little and append /console/ to some requests regardless. It also doesn't seem to preserve HTTPS, but instead serves up HTTP pages (which then fail, because the LTM is only open on console.demo.com on HTTPS).

So currently we've got this:

when HTTP_REQUEST { 
if {[HTTP::uri] starts_with "/"} { 
     HTTP::uri [string map {"/" "/console/"} [HTTP::uri]] 
}  }

Essentially I'm looking for something that can map all '/' to '/console/' while being seamless to the user, and preserve HTTPS (maybe the content needs rewriting?).

Thanks,

Tom

application delivery
design
devops
iRules
LTM
management

4 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    May 20, 2014

    First, a URI will always start with "/", so it may be more appropriate to say "equals". Then you could perhaps do something like this:

    when HTTP_REQUEST {
    if { [HTTP::uri] equals "/" } {
        HTTP::uri "/console"
    }
}

    There's a good chance, however, that this may not be enough. There's the potential for complexity here, especially if the site returns document object references with the /console URI prefix. Is it absolutely important that you obfuscate the real URI path? If so, you may want to look at the ProxyPass iRule or the rewrite profile in v11.4 and above. Offloading the SSL and replacing the Host header is easy, but remapping the URI can get tricky.

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    May 20, 2014

    Your if statement is always going to match since HTTP::uri will always start with a forward slash. Try modifying it like this:

    when HTTP_REQUEST { 
if { not [HTTP::uri] starts_with "/console" } {
  HTTP::uri "/console[HTTP::uri]"
 }
}
  • Jason_40733's avatar
    Jason_40733
    Icon for Cirrocumulus rankCirrocumulus
    May 20, 2014

    Here's a simple uri substitution we've used successfully. I believe there are better ( less resources ) to do it these days.

    when HTTP_REQUEST {
      if {[HTTP::uri] equals {/}} {
         HTTP::uri {/console/}
      }
   }

    This has worked for catching web servers that respond with an http uri instead of https... 

    when HTTP_RESPONSE {
         if { [HTTP::header Location] contains "http://" } {
            HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
      }
   }
  • Tom_Farrar_1221's avatar
    Tom_Farrar_1221
    Icon for Nimbostratus rankNimbostratus
    May 20, 2014

    Thanks for the suggestions all - none of them have been a great success, and I suspect Kevin is right in that it requires either a rewrite policy or ProxyPass. I'll have a play!