Forum Discussion
Yiannis_CDJ_F5
Altostratus
AltostratusNode revealed during HTTPS CAS authentication - irule
In F5, on a specific HTTP VIP (eg VIP_TOTO 192.168.1.5), we use an iRule where we redirect several applications through the same hostname. Hostname: hosttest1.mydomain.com, resolves to the same IP as the VIP: 192.168.1.5 Some applications work as a reverse proxy and some others just perform a redirection. The problem occurs on an application that should work as a reverse proxy. Let's say the application is http://hosttest1/toto We use this iRule structure to hide the node behind hosttest1/toto +-------------------------------------------------------------+ when HTTP_REQUEST { switch [string tolower [HTTP::host]] { "hosttest1.mydomain.com" - "hosttest1" { if { ([HTTP::uri] starts_with "/toto") } { pool POOL_toto } if { ([HTTP::uri] starts_with "/example1") } { HTTP::redirect "http://example1.mydomain.com[HTTP::uri]" } etc(other application paths) etc(other application paths) } } when HTTP_RESPONSE { } } +-------------------------------------------------------------+ POOL_toto contains the server "back_end_srv.mydomain.com:7777" which requires HTTPS CAS authentication. The problem is: http://hosttest1/toto >> redirects to HTTPS CAS server then instead of having Response header location: https://cas_server/cas/login=?http://hosttest1/toto we have Response header location: https://cas_server/cas/login=?http://back_end_srv.mydomain.com:7777/toto As you see, the node is revealed in the location header URL and then, as soon as we are authenticated, we are redirected to the server back_end_srv.mydomain.com:7777. This is the only application that is using HTTPS CAS, whereas all the other applications that pass through the same hostname hosttest1, they use HTTP CAS authentication and they hide their nodes correctly(without adding configuration in the HTTP_RESPONSE of the irule). As all the applications pass from the same HTTP VIP we should modify the iRule in a way that doesn't affect the other applications. Why F5 doesn't rewrite the response location behind this HTTP VIP when a node with HTTPS CAS is used, but it is rewriting it when HTTP CAS is used? Thank you in advance.
Yiannis_CDJ_F5Hi! We managed to solve the issue and hide the server behind F5.
We didn't need to specify the connector as "secure". It was prooved that the CAS wasn't containing the correct URL to match the F5. The CAS configuration needed to be updated on both application parameter & application definition in CAS. Thank you for your support.- Yiannis_CDJ_F5
Hello,
JoshBecigneul thanks a lot for your reply. I really appreciate. Leslie_Hubertus I didn't get any feedback yet. As soon as I will get a response on my side, I will update the discussion and verify if this was the correct solution.
You should verify that your CAS configuration is set to mark the connector as "secure". Assuming I have the right resource, the configuration documentation could be here: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#http-proxying
Also, this is a few years old but it might apply to your situation: https://fawnoos.com/2018/01/05/cas-deployment-with-proxy/
Hope this helps...
JoshHi Yiannis_CDJ_F5 - did JoshBecigneul 's reply help you out? If yes, could you please click the "Accept as Solution" button so future users with the same issue know what the resoution was? If no, maybe giving some more detail would help.
