Forum Discussion
Chris_D_15752
Nimbostratus
NimbostratusMobile redirect with forced SSL
Hi guys,
I am faced with dual puzzle for site demending dual function redirect causing some issses.
I need to provide detection process from www.main.com site provide mobile type version/release services.
I establised individual VIP exposed and registered externally with m.main.com. Requests sourcing from mobile devices are detected and redirected to m.version VIP using script I enclosed below. It works well and relatively all devices are detected and rediected properly. All are happy and I still have the job. Problem develops with adding SSL force redirect after mobile deterction takes place. Standard http_https_redirect fails to complete after my first script runs.
Concept is relatively simple. All traffic to standard VIP is redirected to SSL. Same applies to mobile frame devices and they all need to be SSL forced.
Can you please share some light on single or dual step scripts you know work with this requirements?
I appreciate your help .
when HTTP_REQUEST {
switch -glob [string tolower [HTTP::header User-Agent]] {
"*blackberry*" -
"*windows ce*" -
"*palm*" -
"*sonyericsson*" -
"*lg*" -
"*sie*" -
"*up.b*" -
"*up*" -
"*motorola*" -
"*mot-*" -
"*astel;*" -
"*j-phone*" -
"*netfront*" -
"*xiino*" -
"*iphone*" -
"*benq*" -
"*cricket*" -
"*andr*" -
"*htc*" -
"*nokia*" -
"*portalmmm *" -
"*samsung*" -
"*sec*" -
"*vodafone*" -
"*smartphone*" -
"*symbian*" {
HTTP::redirect "]"
return
}
}
if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {
HTTP::redirect "]"
return
}
if { [HTTP::header exists "MSISDN"] } {
HTTP::redirect "]"
return
}
hooleylistCirrostratus
How many virtual servers do you have for these two hostnames? Do you have an http and https VS for both? Which VS(s) do you want to redirect from http to https?
Aaron
Chris_D_15752I have a single publically available port 80 VS built for “main” site with addition of VS on same IP address providing final target for SSL termination.Mobile devices need to be detected and redirected on the first hit on port 80 to www.main.com site and port 80 VS. Once detected, redirect takes place to m.site.com. M site has same two VIPS as well but is new and can be modified accordingly.When I install redirection script shown, I get redirection working well but SSL redirection with second script fails, regardless where is this applied.I think,It is also safe to say, that m.site needs to respond to port 80 requests as well so it would not be easy to handle SSL requests only on m.site.com VS. M.test.com farm has 4 members in the farm under SSL VIP.Thanks for sharing your thougths -- So basically, if I understand this correctly, you want to redirect all traffic from 80 -> 443, but with any request coming from a mobile device (as defined by your list of Use-Agents) you want to redirect them to https://m.site.com instead of https://site.com?
If that's correct, then your iRule is pretty close, and you could simply modify it to handle both cases:when HTTP_REQUEST { switch -glob [string tolower [HTTP::header User-Agent]] { "*blackberry*" - "*windows ce*" - "*palm*" - "*sonyericsson*" - "*lg*" - "*sie*" - "*up.b*" - "*up*" - "*motorola*" - "*mot-*" - "*astel;*" - "*j-phone*" - "*netfront*" - "*xiino*" - "*iphone*" - "*benq*" - "*cricket*" - "*andr*" - "*htc*" - "*nokia*" - "*portalmmm *" - "*samsung*" - "*sec*" - "*vodafone*" - "*smartphone*" - "*symbian*" { HTTP::redirect "https://msite.web.com[HTTP::uri]" return } } if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } { HTTP::redirect "https://msite.web.com[HTTP::uri]" return } if { [HTTP::header exists "MSISDN"] } { HTTP::redirect "https://msite.web.com[HTTP::uri]" return } if {[TCP::local_port] != 443 }{ HTTP::redirect "https://[HTTP::host][HTTP::uri] }
Since all of your previous logical statements have built in return statements anyway, this final if should only be executed if nothing else fired, and will do the global redirect everything to SSL functionality, so you would disable this in the profile or wherever you're doing it now and let the iRule handle it. That would, I think, solve the problem.
Colin - Chris_D_15752
Hi Colin and and thank you for your help. I tried sligtly modified version you attached and noticed it does not work.
Now, it acts strange with firefox vs IE v 8.x. Firefox actually works well. Using FFX I get redirected. Quick test also shows that mobile devices get detected to m-site, but IE 8.x gets to be detected as a mobile devices.
You are right about extend of redirection. It is okay to redirect mobile gear directly to SSL VIP for m-site. It is one process less for any client to get established SSL to m-site.
Buttom line is a requirement that all mobile devices get redirected and be SSL for all sessions right from very first response.
As I attempt to find out what is causing FFX vs IE 8 issue - do you have other suggestions ?
I appreciate your help
Chris - It sounds like this approach will work well for you then, you just need to get a more specific list of User-Agents. One of the User-Agents in your list must be catching IE8 and redirecting it. Perhaps try removing them one by one and testing to see which it is? My guess would be windows ce, but it's hard to tell.
Colin - hooleylistI'd be concerned with false matching on the really short patterns like these:
"*lg*" -
"*sie*" -
"*up.b*" -
"*up*" -
You might try using another set of matching logic like this:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=86313&ptarget=86381
Aaron - Agreed that making the matches as unique and detailed as possible is a good thing. The shorter/more ambiguous they are the more chances you have for errors.
Colin - Chris_D_15752
Thanks guys,
I found nice combo set of statements probably capable of taking care of all functionalities but get stuck on syntaxt so further testing is impossible. Can you guys see where I get it wrong. I really appreciate it.
when HTTP_REQUEST {
if {([string tolower [HTTP::host]] contains "nativeweb-site.com")} {
switch -glob [HTTP::header User-Agent] {
"*BlackBerry*"
"*Blackberry*"
"*Blazer*"
"*blazer*"
"*palm*" -
"*Palm*" -
"*SMARTPHONE*" -
"*Smartphone*" -
"*smartphone*" -
"*Danger*" -
"*hiptop*" -
"*MOT-*" -
"*RAZR*" -
"*AUDIOVOX*" -
"*Symbian*" -
"*symbian*" -
"*NOKIA*" -
"*Nokia*" -
"*Sony Ericsson*" -
"*Samsung*" -
"*LG 8*" -
"*Alcatel 735i*" -
"*Nextel*" -
"*Windows CE*" -
"*AUDIOVOX*" -
"*AU-MIC,*" -
"*Alcatel*" -
"*BENQ*" -
"*CASIO*" -
"*CDM-*" -
"*Ericsson*" -
"*EZOS*" -
"*kyok*" -
"*Kyocera*" -
"*LG-*" -
"*LGE-*" -
"*NEC-*" -
"*Nokia*" -
"*nok6*" -
"*NOKIA*" -
"*Mitsu*" -
"*MOT-*" -
"*mot-*" -
"*Motorola*" -
"*Sagem*" -
"*SAGEM*" -
"*Sendo*" -
"*SonyEricsson*" -
"*Panasonic*" -
"*PANTECH*" -
"*QC-*" -
"*PlayStation Portable*" -
"*PHILIPS*" -
"*Samsung*" -
"*SAMSUNG*" -
"*sama*" -
"*SEC-S*" -
"*SEC-s*" -
"*SEC-N*" -
"*Sanyo*" -
"*SHARP*" -
"*Sharp*" -
"*SIE-*" -
"*Sony*" -
"*SymbianOS*" -
"*Symbian OS*" -
"*portalmmm*" -
"*Vodafone/*" -
"*KDDI-*" -
"*J-PHONE*" -
"*Blazer*" -
"*AvantGo*" -
"*avantbrowser.com*" -
"*Danger*" -
"*hiptop*" -
"*ProxyNet*" -
"*IEMobile*" -
"*MobileExplorer*" -
"*.Web*" -
"*Palm*" -
"*Series60*" -
"*PalmSource*" -
"*PalmOS*" -
"*MIDP-2.0*" -
"*MIDP-1.0*" -
"*CLDC-1.0*" -
"*CLDC-1.1*" -
"*Series60*" -
"*Opera Mini*" -
"*MobilePhone*" -
"*NetFront*" -
"*Nitro*" -
"*DoCoMo*" -
"*Obigo*" -
"*PocketPC*" -
"*Pocket PC*" -
"*RegKing*" -
"*Smartphone*" -
"*SmartPhone*" -
"*EPOC*" -
"*Rover*" -
"*iPAQ*" -
"*Jornada*" -
"*iOpus*" -
"*iNASSAP*" -
"*Minimo*" -
"*Plucker*" -
"*ERICY*" -
"*SoftBank*" -
"*WILLCOM*" -
"*YOSPACE*" -
"*TagTag*" -
"*WinWAP*" -
"*UP.Link*" -
"*PDXGW*" -
"*ASTEL*" -
"*WAP1.*" -
"*Xiino*" -
"*UP/4*" -
"*Maemo*" -
"*Windows CE*" -
"*MSPIE*" -
"*Microsoft Pocket Internet Explorer*" -
"*Elaine*" -
"*EudoraWeb*"
"*ReqwirelessWeb*"
"*jBrowser-WAP*"
"*Lenovo*"
"*M3GATE*"
"*Cellphone*"
"*Sony CMD*"
"*wapsilon*"
"*TELME*"
"*Linux armv*"
"*SONY/COM1*"
"*embedix armv5tel*"
"*Xplore G*"
"*mobileOK DDC*"
"*Google WAP Proxy*"
"*Google CHTML Proxy*"
"*NetFront*"
{
HTTP::redirect "]"
return
}
}
if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {
HTTP::redirect "]"
return
}
if { [TCP::local_port] != 443 }{
HTTP::redirect "]"
}
} - hooleylistA few of the lines in the switch statement were missing the hyphen. I also set the User-Agent string to lower case so you don't have to use multiple patterns to handle mixed cases.
when HTTP_REQUEST { if { [string tolower [HTTP::host]] contains "nativeweb-site.com" } { switch -glob [string tolower [HTTP::header User-Agent]] { "*blackberry*" - "*blazer*" - "*palm*" - "*smartphone*" - "*danger*" - "*hiptop*" - "*mot-*" - "*razr*" - "*audiovox*" - "*symbian*" - "*nokia*" - "*sony ericsson*" - "*samsung*" - "*lg 8*" - "*alcatel 735i*" - "*nextel*" - "*windows ce*" - "*audiovox*" - "*au-mic,*" - "*alcatel*" - "*benq*" - "*casio*" - "*cdm-*" - "*ericsson*" - "*ezos*" - "*kyok*" - "*kyocera*" - "*lg-*" - "*lge-*" - "*nec-*" - "*nokia*" - "*nok6*" - "*nokia*" - "*mitsu*" - "*mot-*" - "*motorola*" - "*sagem*" - "*sagem*" - "*sendo*" - "*sonyericsson*" - "*panasonic*" - "*pantech*" - "*qc-*" - "*playstation portable*" - "*philips*" - "*samsung*" - "*sama*" - "*sec-s*" - "*sec-n*" - "*sanyo*" - "*sharp*" - "*sie-*" - "*sony*" - "*symbianos*" - "*symbian os*" - "*portalmmm*" - "*vodafone/*" - "*kddi-*" - "*j-phone*" - "*blazer*" - "*avantgo*" - "*avantbrowser.com*" - "*danger*" - "*hiptop*" - "*proxynet*" - "*iemobile*" - "*mobileexplorer*" - "*.web*" - "*palm*" - "*series60*" - "*palmsource*" - "*palmos*" - "*midp-2.0*" - "*midp-1.0*" - "*cldc-1.0*" - "*cldc-1.1*" - "*series60*" - "*opera mini*" - "*mobilephone*" - "*netfront*" - "*nitro*" - "*docomo*" - "*obigo*" - "*pocketpc*" - "*pocket pc*" - "*regking*" - "*smartphone*" - "*smartphone*" - "*epoc*" - "*rover*" - "*ipaq*" - "*jornada*" - "*iopus*" - "*inassap*" - "*minimo*" - "*plucker*" - "*ericy*" - "*softbank*" - "*willcom*" - "*yospace*" - "*tagtag*" - "*winwap*" - "*up.link*" - "*pdxgw*" - "*astel*" - "*wap1.*" - "*xiino*" - "*up/4*" - "*maemo*" - "*windows ce*" - "*mspie*" - "*microsoft pocket internet explorer*" - "*elaine*" - "*eudoraweb*" - "*reqwirelessweb*" - "*jbrowser-wap*" - "*lenovo*" - "*m3gate*" - "*cellphone*" - "*sony cmd*" - "*wapsilon*" - "*telme*" - "*linux armv*" - "*sony/com1*" - "*embedix armv5tel*" - "*xplore g*" - "*mobileok ddc*" - "*google wap proxy*" - "*google chtml proxy*" - "*netfront*" { HTTP::redirect "http://mobile.site.com[HTTP::uri]" return } } if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } { HTTP::redirect "http://mobile.site.com[HTTP::uri]" return } if { [TCP::local_port] != 443 }{ HTTP::redirect "https://nativeweb-site.com[HTTP::uri]" } } }
Aaron - Chris_D_15752Hi Aaron,
Quick addon of two more devices and acceptance on the box was flowless.
All working perfect from my point of view. Customer is testing now.
I really appreciate your help on the syntax.
BTW - what would you suggest as a good reference start in case of syntax of the script problems?
