Merging iRules to fix a multiple redirect error
Hi Guys,
Need your help with an issue I'm having on a redirect request of a company website we've acquired to ours.
This is the rule I'm trying to add. Note: I'm only a beginner.
when HTTP_REQUEST {
    if { [HTTP::host] ends_with "acquired-site" } {
        HTTP::redirect "https://www.ourmainsite.com/yadi/yada.aspx"
    } else {
        HTTP::redirect "https://www.ourmainsite.com[HTTP::uri]"
    }
}
Now below is the one we're utilizing in our main site.
when HTTP_REQUEST priority 250 {
    if { [string tolower [HTTP::uri]] ne "/powerrangers" } {
        switch -exact [string tolower [HTTP::host]] {
            "www.ourmainsite.com" {
                if {[TCP::local_port] == 80} {
                    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
                } elseif { [string tolower [HTTP::uri]] starts_with "/nukem3d/" } {
                    if { [string tolower [HTTP::host]] ne "forums.ourmainsite.com" } {
                        HTTP::respond 301 Location "https://forums.ourmainsite.com[HTTP::uri]"
                    }
                } elseif {[string tolower [HTTP::uri]] starts_with "/summergames/" || [string tolower [HTTP::uri]] starts_with "/summergames"} {
                    HTTP::respond 301 Location "http://summergames.ourmainsite.com"
                }
            }
            "ourmainsite.com" {
                if { [matchclass $::wwwredirects equals [string tolower [HTTP::path]]] } {
                    HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
                } elseif { [TCP::local_port] == 80 } {
                    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
                } elseif { [string tolower [HTTP::uri]] starts_with "/dotaplay/maps/121/" || [string tolower [HTTP::uri]] starts_with "/dotaplay/maps/102/" } {
                    HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
                } elseif { [string tolower [HTTP::uri]] starts_with "/supermariobros/" } {
                    if { [string tolower [HTTP::host]] ne "forums.ourmainsite.com" } {
                        HTTP::respond 301 Location "https://forums.ourmainsite.com[HTTP::uri]"
                    }
                } elseif {[string tolower [HTTP::uri]] starts_with "/summergames/" || [string tolower [HTTP::uri]] starts_with "/summergames"} {
                    HTTP::respond 301 Location "http://summergames.ourmainsite.com"
                }
            }
        }
    } else {
        HTTP::redirect http://powerpuff.ourmainsitecom
    }
}
12 Replies
- nitass
Employee
What about this? Anyway, I have not tested it.
when HTTP_REQUEST priority 250 {
    set host [string tolower [HTTP::host]]
    set uri [string tolower [HTTP::uri]]
    set path [string tolower [HTTP::path]]
    if { $uri eq "/powerrangers" } {
        HTTP::redirect "http://powermoves.testciq.com"
        return
    }
    switch -glob $host {
        "www.ourmainsite.com" {
            if {[TCP::local_port] == 80} {
                HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
            } elseif { $uri starts_with "/nukem3d/" } {
                if { $host ne "forums.ourmainsite.com" } {
                    HTTP::respond 301 Location "https://forums.ourmainsite.com[HTTP::uri]"
                }
            } elseif { $uri starts_with "/summergames/" || $uri starts_with "/summergames"} {
                HTTP::respond 301 Location "http://summergames.ourmainsite.com"
            }
        }
        "ourmainsite.com" {
            if { [matchclass $::wwwredirects equals $path] } {
                HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
            } elseif { [TCP::local_port] == 80 } {
                HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
            } elseif { $uri starts_with "/dotaplay/maps/121/" || $uri starts_with "/dotaplay/maps/102/" } {
                HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
            } elseif { $uri starts_with "/supermariobros/" } {
                if { $host ne "forums.ourmainsite.com" } {
                    HTTP::respond 301 Location "https://forums.ourmainsite.com[HTTP::uri]"
                }
            } elseif { $uri starts_with "/summergames/" || $uri starts_with "/summergames"} {
                HTTP::respond 301 Location "http://summergames.ourmainsite.com"
            }
        }
        "*acquired-site" {
            HTTP::redirect "https://www.ourmainsite.com/yadi/yada.aspx"
        }
        default {
            HTTP::redirect "https://www.ourmainsite.com[HTTP::uri]"
        }
    }
}
By the way, what version are you running? In 9.4.4+, $:: is no longer used to reference a data group (class), as described below.
Class / Data Group List References
9.4.0 - 9.4.3, class reference not compatible as of 9.4.4, "::" and "$::" prefixes are no longer required to reference classes using findclass or matchclass. Classes are static and are therefore CMP compatible. There is no need to treat them as global objects.
10.0, matchclass / findclass deprecated in favor of new class command
CMP Compatibility
https://devcentral.f5.com/wiki/iRules.cmpcompatibility.ashx
Hope this helps.
- Arie
Altostratus
As you discovered, if a request meets multiple criteria that each result in an HTTP-response (HTTP::respond, HTTP::redirect) it'll stumble and complain about multiple responses.
One relatively easy way to work around this is to use semaphores. Since variables can persist between multiple iRules on the same connection this can prevent multiple responses. (Note: by default variables don't persist between TMMs.)
(I'm assuming you have a programming background. Let me know if the above doesn't make sense.)
- ERLomboy_27803
Nimbostratus
Hi Nitass,
I will try your suggestion later during off hours and revert back on the outcome.
@Arie - Apologies, I have limited programming knowledge.
- ERLomboy_27803
Nimbostratus
Hi Nitass, I merged the iRule and tested by configuring my machine's host file and assigning the VIP of our companysite with the domain name of the acquired site. I didn't get the multiple redirect error. So I guess it's working. :) One thing to note, during my testing, whether I type http or https (http://acquiredsite.com), I'm getting an SSL certificate prompt. The VirtualServer for our company site already has a client SSL set. I was wondering that the SSL cert I'm being prompted is for the domain of the acquired site. If it is, how can I include it on the configuration for our company site when there's already one existing?
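Arie's flag-variable ("semaphore") suggestion from earlier in the thread, shown as two iRules attached to the same virtual server. This is an added example, not code posted by anyone in the thread; the priority value 100 and the variable name responded are assumptions, and the host names are the thread's placeholders.

```tcl
# iRule 1 (constructed): redirect for the acquired site. The lower priority
# number makes it run before iRule 2 on the same virtual server.
when HTTP_REQUEST priority 100 {
    # Variables live for the whole connection, so clear the flag on every
    # request; otherwise a keep-alive connection would carry over the old value.
    set responded 0

    if { [string tolower [HTTP::host]] ends_with "acquired-site" } {
        HTTP::redirect "https://www.ourmainsite.com/yadi/yada.aspx"
        set responded 1
    }
}

# iRule 2 (constructed): cut-down stand-in for the existing main-site rule.
when HTTP_REQUEST priority 250 {
    # An earlier iRule already sent a response for this request: do nothing.
    if { [info exists responded] && $responded } {
        return
    }

    switch -exact [string tolower [HTTP::host]] {
        "ourmainsite.com" {
            # Fixed host name in Location instead of echoing the Host header.
            HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
            set responded 1
        }
        "www.ourmainsite.com" {
            if { [TCP::local_port] == 80 } {
                HTTP::respond 301 Location "https://www.ourmainsite.com[HTTP::uri]"
                set responded 1
            }
        }
    }
}
```

Every branch that sends a response sets the flag, and every later iRule checks it first, so at most one response is sent per request.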
- Kevin_Stewart
Employee
If I may add, you're most certainly getting the certificate [error] prompt because the server name you're asking for [the acquired site] is not the x509 subject of the certificate being presented by the VIP [your company site]. Depending on the version of BIG-IP, you have a few options:
- Wildcard certificate - if both domains share a common second or third-level root [ex. *.something.com], and you can afford it, a wildcard certificate will cover any host name that exists within that domain.
- Subject Alternative Name [SAN] Certificate - a little more restrictive than a wildcard [and significantly cheaper], a SAN certificate can contain multiple subject alternative names.
- Server Name Indicator [SNI] - if you're running BIG-IP v11.0 and higher you can apply multiple client SSL profiles to a VIP, each with its own certificate, and the BIG-IP can "switch" between them based on what the client is asking for. Only clients that support TLS can use this, so no Windows XP.
- If you cannot support any of the above, then the only other option I can think of is to have TWO VIPs, one for the company site and one for the acquired site, and a simple iRule on the acquired site VIP that redirects to the company site VIP.
- ERLomboy_27803
Nimbostratus
Hi Kevin,
Our BIG-IP version is 10.2.0
Thanks for the explanation. I tried to remove the asterisk (*) from the line "acquired-site" and didn't get the cert prompt after. Though I don't think wildcard will work after this?
Anyway, more on option 4. I was under the impression that creating another VIP for the acquired site and then redirecting it to the company site will pose issues to the main site, no?
- Kevin_Stewart
Employee
I tried to remove the asterisk (*) from the line "acquired-site" and didn't get the cert prompt after
Not sure exactly what you mean here, but SSL negotiation is going to happen BEFORE HTTP (and the HTTP iRule logic) is processed, so the host evaluation should not affect what you're seeing. Simply put, if you attempt an SSL handshake with a server using a server name that IS NOT the subject - or a subject alternative name - or a wildcard match of the subject - of the certificate that the server presents to the client in that SSL handshake, you're going to get an error.
Option 4 will work because each VIP will have its own client SSL profile and specific certificates. If, for example, you access the VIP for "www.acquired-site.com" and the cert on that VIP is for "www.acquired-site.com", then you shouldn't get an error. Once you've completed the SSL handshake, an HTTP-based iRule can simply redirect the user to the other VIP:
when HTTP_REQUEST {
    HTTP::redirect "https://www.companysite.com"
}
Because you don't need to process any web server traffic on the acquired site VIP, it doesn't need a pool, and no further iRule logic is required.
- ERLomboy_27803
Nimbostratus
Hi Kevin,
I will try the 4th option and let you know how it turns out. Thanks! We would want the redirect to happen for request on sites ending with "acquired site". Will the below work?
when HTTP_REQUEST {
    if {[string tolower [HTTP::host]] ends_with "acquiredsite.com"} {
        HTTP::redirect "https://www.companysite.com"
    }
}
- Kevin_Stewart
Employee
Yes it will. However, you may still have the same certificate mismatch problem. For example, let's say you have a certificate on the acquired site VIP with a subject "www.acquiredsite.com". While the HTTP iRule logic will work for everything that ends with "acquiredsite.com", if the user initiates an SSL handshake to "test.acquiredsite.com", they will get a certificate error prompt. In this case, assuming you want all "*.acquiredsite.com" traffic to go to this redirect VIP, you may still need either a wildcard or SAN certificate.
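The name check behind the certificate prompt discussed above, written out in plain Tcl (tclsh, not an iRule) as an added example that is not part of the original thread. The proc name cert_covers_name and the sample name lists are constructed; the rule that a wildcard entry covers exactly one left-most label is the usual TLS host name matching behaviour.

```tcl
# Returns 1 if server_name is covered by any entry in cert_names (the
# certificate's subject / subject alternative names), otherwise 0.
# An entry starting with "*." covers exactly one left-most label.
proc cert_covers_name {server_name cert_names} {
    set host [string tolower [string trimright $server_name "."]]
    foreach name $cert_names {
        set name [string tolower $name]
        if {[string range $name 0 1] eq "*."} {
            # Compare everything after the host's first label with the
            # part of the entry that follows the asterisk.
            set dot [string first "." $host]
            if {$dot > 0 && [string range $host $dot end] eq [string range $name 1 end]} {
                return 1
            }
        } elseif {$host eq $name} {
            return 1
        }
    }
    return 0
}

# Constructed certificates for the thread's scenario.
set single   {www.acquiredsite.com}
set san      {www.acquiredsite.com acquiredsite.com www.companysite.com}
set wildcard {*.acquiredsite.com}

# Each row: description, certificate name list, host the client asked for.
foreach {label names host} [list \
    "single-name cert, other host" $single   test.acquiredsite.com \
    "SAN cert, listed host"        $san      acquiredsite.com \
    "wildcard cert, one label"     $wildcard test.acquiredsite.com \
    "wildcard cert, bare domain"   $wildcard acquiredsite.com \
    "wildcard cert, two labels"    $wildcard a.b.acquiredsite.com] {
    puts [format "%-30s %-24s covered=%d" $label $host [cert_covers_name $host $names]]
}
```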
- ERLomboy_27803
Nimbostratus
Hi Kevin,
If we want to conserve a VIP for this purpose, would it be possible to share an existing VIP for this requirement? The existing VIP also has an iRule redirect to the same companysite, although to a different page. We have confirmed that this acquired site doesn't need SSL and the existing VIP also doesn't use one.
Will the iRule below work?
when HTTP_REQUEST {
    "existingsite.com" {
        if {[string tolower [HTTP::host]] ends_with "existingsite.com"} {
            HTTP::redirect "https://www.companysite.com/home.aspx"
        }
    }
    "acquiredsite" {
        if {[string tolower [HTTP::host]] ends_with "acquiredsite"} {
            HTTP::redirect "https://www.companysite.com/home/page1.aspx"
        }
    }
    Default {
        HTTP::redirect "https://www.companysite.com[HTTP::uri]"
    }
}