Forum Discussion
Fletcher_Cocquy
Nimbostratus
Jan 20, 2010
iRule to tack on full domain
Fellow BigIP users,
we are looking for an iRule to rewrite unqualified domain requests to the FQDN.
This is coming from our security folks who would like the HTTPS requests to all be fully qualified to promote SSL cert best practices.
eg https://med requests should be rewritten to https://med.stanford.edu
we have about 50 of these external SSL sites - not all are .stanford.edu - is there a generic rule to key off the SSL cert associated with the profile?
Any examples you can point me to would be great
thanks,
Fletch
3 Replies
- hoolio
Cirrostratus
Hi Fletch,
Are you trying to eliminate the mismatched cert warnings altogether? Or just handle clients who request the unqualified domain (UQDN?) after they accept the mismatched cert?
If the former, you'd have to handle the redirect before they make a request for HTTPS. You could try doing this on an HTTP VIP assuming the clients make a request via HTTP first. You would need to hard code the FQDN that corresponds to each "UQDN" that is requested. This could be done in a datagroup and referenced using the findclass or class command.
For the latter, I don't know of a way to get any details on the cert that LTM uses as a server for the clientside connection. You can access the client's public cert, if the client provides a cert, using SSL::cert. PROFILE::clientssl would give you details on the client SSL profile currently in use. But the options there are along the lines of what you can find by running 'b profile clientssl list all' at the command line. Nothing explicitly tells you the common name of the cert. I don't think you can access LTM's server cert from an iRule.
Maybe someone can suggest a way though. If not, you could hard code the UQDN to FQDN and then redirect the client to the correct domain name.
Aaron
- Fletcher_Cocquy
Nimbostratus
Yes, I realize that any iRule would be applied after the HTTPS mismatch, but in the case of a UQDN for HTTP, what would the hardcoded iRule look like with datagroups?
I'm just looking for a starting point.
thanks!
- hoolio
Cirrostratus
Which LTM version are you running? You could create a string type datagroup with the UQDNs and FQDNs on a line together. For v9.x, you can use the findclass command. For v10.x, you could use the new class command or findclass to parse the datagroup and look up the requested hostname and get the corresponding FQDN.
Here is an example using a datagroup and the findclass command.
Datagroup (aka class in the bigip.conf). Make sure to use lower case for the entries:

```tcl
class uqdn_to_fqdn_mapping {
   "host1 host1.example.com"
   "host2 host2.sub.example.com"
   "host3 host3.another.example.com"
}
```

iRule:

```tcl
when HTTP_REQUEST {
   # Comment out or remove the logging once done testing
   log local0. "[IP::client_addr]:[TCP::client_port]: New [HTTP::method] request to [HTTP::host][HTTP::uri]"

   # Check if the requested host header does not contain at least one period.
   # This will also avoid trying to redirect requests to IP addresses.
   if { not ([HTTP::host] contains ".") } {
      log local0. "[IP::client_addr]:[TCP::client_port]: Host did not contain a period."

      # Look up the requested host in the datagroup. The trailing " " separator
      # makes findclass return only the FQDN portion of the matching entry
      # rather than the whole "uqdn fqdn" line. Note that findclass matches on
      # "starts with", so keep entries unambiguous (e.g. no "host1" and "host10").
      set fqdn [findclass [string tolower [HTTP::host]] $::uqdn_to_fqdn_mapping " "]
      log local0. "[IP::client_addr]:[TCP::client_port]: Match? $fqdn"

      # If there was a match, send a 301 redirect to the client, preserving the URI
      if { $fqdn ne "" } {
         log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting client to https://$fqdn[HTTP::uri]"
         HTTP::respond 301 Location "https://$fqdn[HTTP::uri]"
      }
   }
}
```

Note, if you're on 9.4.4 or higher, remove the $:: from the name of the datagroup reference in the iRule (set fqdn [findclass [string tolower [HTTP::host]] uqdn_to_fqdn_mapping " "]).
Aaron
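The v10.x variant hoolio mentions, written out as an added example (not from the thread above, and assuming a v10-style string datagroup named uqdn_to_fqdn_mapping): it uses an exact-key class lookup instead of findclass's starts-with match, and it strips a port from the Host header before checking for a period.

```tcl
# Assumed v10-style string datagroup (bigip.conf), keys in lower case:
# class uqdn_to_fqdn_mapping {
#    {
#       "host1" { "host1.example.com" }
#       "host2" { "host2.sub.example.com" }
#    }
# }
when HTTP_REQUEST {
   # The Host header may carry a port ("host1:8080"); keep only the name part,
   # otherwise a "med:8080" request would never match the datagroup key "med".
   set host [string tolower [getfield [HTTP::host] ":" 1]]

   # Only act on names without a period. Already-qualified hosts and IPv4
   # literals fall through untouched, as in the findclass version.
   if { $host ne "" and not ($host contains ".") } {
      # Exact key match: "host1" cannot accidentally match a "host10" entry.
      # Returns the value (FQDN) or an empty string if the key is absent.
      set fqdn [class lookup $host uqdn_to_fqdn_mapping]

      if { $fqdn ne "" } {
         # Permanent redirect to the qualified name, preserving the URI
         HTTP::respond 301 Location "https://$fqdn[HTTP::uri]"
      }
   }
}
```

Unlike the findclass example, an unmapped or already-qualified host produces no redirect and the request continues to the pool as normal.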