

sdagar_194989
Jul 29, 2015

No HTTP to HTTPS redirection for VPN traffic on the basis of client source address; also respond with a URL if the URI does not contain any word

Requirement: no HTTP to HTTPS redirection for VPN traffic on the basis of client source address; also respond with a URL if the URI does not contain any word.

 

In our setup there are two VIPs configured with the same public IP: one is HTTP and the other is HTTPS, and all traffic is redirected towards HTTPS using a policy. Now the requirement is: if VPN traffic comes in, no redirection to HTTPS is required; secondly, the URL should have a response page like client.test.net/xx/yy, meaning if a VPN client hits the page http://client.test.net the response page required would be http://client.test.net/xx/yy

 

and if an Internet client hits http://client.test.net, the response page required would be https://client.test.net/xx/yy

 

5 Replies

  • Assuming you can uniquely identify the VPN clients by their lease-pool source addresses, you could create an address-based data group that contains this subnet. The following iRule would be used in the HTTP VIP:

    when HTTP_REQUEST {
        # Source address is in the VPN lease-pool data group: stay on HTTP
        if { [class match [IP::client_addr] equals my_vpn_datagroup] } {
            # Only the bare "/" is sent to the landing page; other URIs pass through
            if { [HTTP::uri] equals "/" } {
                HTTP::redirect "http://client.test.net/xx/yy"
            }
        } else {
            # Any other client is moved to the HTTPS VIP
            HTTP::redirect "https://client.test.net/xx/yy"
        }
    }
    
  • when HTTP_REQUEST {
        set base_pool [LB::server pool]
        set uri [HTTP::uri]
        set data_group [HTTP::host]

        if { ( [IP::addr [IP::client_addr] equals 10.10.10.10/29] ) and ($uri equals "/") } {
            pool $base_pool
            HTTP::respond 301 Location "http://test.check.net/xx/yy"
            return
        } else {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

  • Okay, so a few comments:

    1. You don't need to set all of those variables since you're not using them.

    2. You don't need to capture the default pool and use the pool command if that's what is configured in the VIP's properties. You're better off not doing pool management from the iRule if you can help it. Having the pool assigned to the VIP, with an appropriate monitor, will affect the state of the VIP itself (if, for example, you're using GTM upstream). If you don't apply the pool to the VIP and you're doing the pool management in an iRule, then a failed pool will not change the state of the VIP.

    3. In your code, if a VPN client is accessing the HTTP VIP and not asking for "/", they'll be redirected to the HTTPS VIP from the else condition. I'm guessing that's not what you want.

  • Thanks Kevin for your response.

    1. We are not using a pool for the HTTP VIP.

    2. If traffic is coming from the Internet it should be redirected towards the HTTPS VIP.

    3. If the URI contains "/", the response page should be like http://client.test.net/xx/yy for VPN traffic, but Internet traffic is redirected to HTTPS as there is another iRule configured which will respond according to the different URIs.
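Pulling the thread's suggestions together, the following iRule is an added example for the HTTP VIP; it is not code from any of the posters above. It assumes an address-type data group named vpn_clients_dg that holds the VPN lease-pool subnet(s), and that a default pool is assigned to the HTTP virtual server (the setup described in the last reply has no pool on the HTTP VIP, so VPN requests for anything other than "/" would otherwise have nowhere to go). The host in the redirect targets is fixed to client.test.net, as in the first reply, rather than read from the Host header.

```tcl
# Added example (not from the thread). Assumptions:
#   - data group "vpn_clients_dg" (type address) contains the VPN lease pool(s)
#   - the HTTP virtual server has a default pool for pass-through requests
#   - the HTTPS VIP has its own iRule that maps URIs to response pages
when HTTP_REQUEST {
    # Fixed canonical host: a client-supplied Host header is never reflected
    # into the Location header, so the redirect cannot be steered elsewhere.
    set landing_host "client.test.net"

    if { [class match [IP::client_addr] equals vpn_clients_dg] } {
        # VPN client: stay on plain HTTP. Only the bare "/" goes to the landing page.
        if { [HTTP::uri] equals "/" } {
            HTTP::respond 301 Location "http://${landing_host}/xx/yy"
            return
        }
        # Any other URI from a VPN client falls through to the VIP's default pool;
        # no pool command here, so pool/monitor state still drives the VIP state.
        return
    }

    # Internet client: always move to HTTPS. "/" goes straight to the landing
    # page; any other URI keeps its path so the HTTPS VIP's iRule can handle it.
    if { [HTTP::uri] equals "/" } {
        HTTP::respond 301 Location "https://${landing_host}/xx/yy"
    } else {
        HTTP::redirect "https://${landing_host}[HTTP::uri]"
    }
}
```

The two `return` statements after the VPN branch are what address the third comment above: a VPN request for anything other than "/" never reaches the HTTPS redirect. Whether the source-address check is trustworthy depends on the VPN lease pool being reachable only through the VPN; if those addresses can also arrive from elsewhere, the data group match alone does not identify a VPN user.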