Negating traffic policy rules

Question

Hoping someone can help me out with this. Recently tried deploying a traffic policy to redirect users to https if the URI contains a list of different strings, and to redirect back to http if it does not contain a list of strings. &nbsp;
Logic seemed simple. As an example:&nbsp;
HTTP virtual server: if URI path contains login.php, redirect to the same host/URI over https.&nbsp;
HTTPS virtual server: if URI path NEGATE contains login.php, redirect to same host/URI over http.&nbsp;
The contains works great, but the minute I negate the same rule for my https server, I wind up in a redirect loop. so even if my http request is sent is  I get redirected to http, which in turns redirects me back to https, looping me indefinitely. What I expected to happen was the traffic policy would be evaluated and since I was already using HTTPS and my URI contained login.php, I would not get a 302 redirect.&nbsp;
I can get all this to work by changing my negate rule to use STARTS WITH instead of CONTAINS, however this limits me if I need to specify different URI path's that aren't stored at the root of the web server.&nbsp;
Has anyone run into this or can someone explain the the boolean logic for contains and how it changes when it is negated? It is not working as I would expect.&nbsp;
Thanks all,&nbsp;
-GR&nbsp;

josiah_39459 · Answer

Probably be easiest if you post your irules and/or add logging to them to log the URI they are receiving at each step so you can trace the logic.

old-greg-md · Answer

They're not irules, using traffic policies. I think I can add logging to them, let me check. It just seems fairly simple. Negating a contains value just isn't functioning as I would have thought and I am not sure why.

cjunior · Answer

Hi Greg,&nbsp;
If you still care, it make no sense for me.  &nbsp;
if you "curl" both http and https VS, what Location and Server headers are you getting?  &nbsp;
Maybe the redirect comes from the server instead of the Big-IP, I'm not sure. &nbsp;
Did you change rule condition leading the slash bar when starts-with operator? ("/login.php")   &nbsp;
Maybe with the starts-with operator the rule is not matching.   &nbsp;
Could you send us here the related policy rules? &nbsp;
Regards.&nbsp;

Forum Discussion

Negating traffic policy rules

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Why K8s Egress Traffic Policy Control is Critical to Security Architecture- Part 1

Why K8s Egress Traffic Policy Control is Critical to Security Architecture - Part 2

Auditing Security Policy Updates

Local traffic policies and irules together

Traffic Steering with 3rd party Policy Manager (Layered Architecture with Explicit Proxy)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS