Forum Discussion

CraigM_17826's avatar
CraigM_17826
Icon for Altocumulus rankAltocumulus
Oct 03, 2007

Odd behaviour with WebSphere Portal

Hi everyone,

 

 

we are experiencing some odd behaviour with some embeded javascript (WebTrends log code) on our WebSphere portal. We are fairly sure it is being caused by the BigIP because if we go direct to the WebSphere nodes we do not have the issue.

 

 

In short, our existing iRule forces a redirect from http to https. This all seemed to be fine until we installed the Javascript from WebTrends. This JavaScript does a http connection to our log server to record various attributes about the current sessions and so on. What is really hapening is that the connection to the log server is being altered to use https and not http. Seeing as we do not have a SSL cert on this log server the javasctipt code was failing to connect. As to why the connection type is being changed to https from http is unkown unless (which I suspect) it has something to do with our iRules. We have since installed a self signed SSL cert but this still causes some issues as some browsers will not establish a SSL connection with an untrusted SSL cert. We are currently waiting on a Verisign SSL cert which should fix the issue.

 

 

My question is, is this normal behaviour? I wouldn't expect so, but I'm fairly new to all of this.

 

 

To expand on the iRule(s) we use, we have two rules and two virtual servers defined. One pair for HTTP connections, the other pair for HTTPS connections. All the HTTP rule does is basically force a redirect to the https virtual server. It does some other URI checking for legacy websites that reside on other (non BigIP load balanced) servers and redirects to those, but apart from that, that's it. The HTTPS rule is used by the HTTPS virtual server. This iRule was based on the F5 WebShphere Deployment Guide and has a few additional tests to suite our site, but nothing major, once again just additional URI tests for specific area's that reside on other non BigIP managed servers.

 

 

As I said, everything seems to be fine except for the fact that the JavaScript http connections are being translated to https.

 

 

I have contacted WebTrends about this but I think given it's more looking to be BigIP related they might not be of much help or reluctant to help.

 

 

I realise it's probably hard to diagnose this without posting our rules, and I am more than happy to, but I don't want to make this post too big, so unless it's requested I wont.

 

 

So if anyone has any suggestions they would be greatly appreciated.

 

 

tia

 

 

Craig
application delivery
dev
devops
iRules
  • Deb_Allen_18's avatar
    Deb_Allen_18
    Historic F5 Account
    Oct 05, 2007
    Hi Craig --

     

     

    This JavaScript does a http connection to our log server to record various attributes about the current sessions and so on. What is really hapening is that the connection to the log server is being altered to use https and not http. Seeing as we do not have a SSL cert on this log server the javasctipt code was failing to connect. As to why the connection type is being changed to https from http is unkown unless (which I suspect) it has something to do with our iRules.It sounds like you just need to exclude these calls from your iRule logic.

     

     

    If they are to a different hostname, you can include a condition checking the value of HTTP::host. If it's to a specific URI, you can check HTTP::uri before deciding if a redirect is appropriate.

     

     

    If you need a specific assist with your current iRule, you can post it as an attachment to keep the thread from growing too long.

     

     

    HTH

     

    /deb
  • Rich_79422's avatar
    Rich_79422
    Icon for Nimbostratus rankNimbostratus
    Nov 01, 2010
    Craig,

     

     

    I'm having the exact same issue. Besides getting the Cert have you gotten the Irule to exclude the javascript?

     

     

    Thx

     

    -Rich
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Nov 01, 2010
    Posted By Rich on 11/01/2010 05:08 AM

    Craig,

    I'm having the exact same issue. Besides getting the Cert have you gotten the Irule to exclude the javascript?

    Thx

    -Rich

    Rich - it's easy enough to adjust the iRule so it won't redirect certain requests. You basically just need something like this:

    when HTTP_REQUEST {

    if { !([HTTP::uri] eq "/pathtoexclude}) {

    HTTP::redirect "https://[HTTP::host][HTTP::uri]" } }

    Make sense?

    If you have a ton of requests you want to exclude, I'd suggest using a string type data group...I find those easier to read than a long list of "or" statements but others might suggest something else.

  • Rich_79422's avatar
    Rich_79422
    Icon for Nimbostratus rankNimbostratus
    Nov 01, 2010
    Chris,

     

     

    Yes it makes since but,

     

     

    I have 2 virtual servers one http and all this does is redirect to https, then on the https I have no irule, and this is where the issue is on the https rule. So I'm very green with the Irules so please bear with me.

     

     

    What I believe I need is on the https rule to exclude the javascript code from getting encrypted becase the error I'm getting is http cannot find server. Is there a way to have an Irule that will exculde this code? the uri would be "/wrc/bin/WRCImageMap"?

     

     

    Thx

     

    -Rich
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Nov 01, 2010
    Posted By Rich on 11/01/2010 06:40 AM

     

    Chris,

     

     

    Yes it makes since but,

     

     

    I have 2 virtual servers one http and all this does is redirect to https, then on the https I have no irule, and this is where the issue is on the https rule. So I'm very green with the Irules so please bear with me.

     

     

    What I believe I need is on the https rule to exclude the javascript code from getting encrypted becase the error I'm getting is http cannot find server. Is there a way to have an Irule that will exculde this code? the uri would be "/wrc/bin/WRCImageMap"?

     

     

    Thx

     

    -Rich

     

    Is the javascript coded to request HTTP? If so, that request is hitting your HTTP Virtual Server and is thus being redirected to HTTPS due to the iRule. Can you post your HTTP-to-HTTPS iRule? I'll edit it to include the exception URI.
  • Rich_79422's avatar
    Rich_79422
    Icon for Nimbostratus rankNimbostratus
    Nov 01, 2010
    Folks,

     

     

    Someone I'm not sure who pointed me in the right direction. But the solution is as follows,

     

     

    VS_HTTP this just redirects to https

     

    VS_HTTPS this server I have an Irule to use stream and replace http://www.server.com:80/wrc/fff with https://www.server.com/wrc/fff

     

     

    And all is working.

     

    Thanks for all your help.

     

    -Rich
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Nov 01, 2010
    Hi Rich,

    It would be more efficient to disable the stream profile from an iRule for all but the specific responses you want to rewrite. You can do this using a small iRule: 

    
when HTTP_REQUEST {
    Disable the stream filter for all requests
   STREAM::disable
}
when HTTP_RESPONSE {

    Check if response type is text
   if {[HTTP::header value Content-Type] contains "text"}{

       Replace http://www.server.com:80/wrc/fff with https://www.server.com/wrc/fff 
      STREAM::expression "@http://www.server.com:80/wrc/fff@https://www.server.com/wrc/fff@"

       Enable the stream filter for this response only
      STREAM::enable
   }
}

    Aaron