Forum Discussion
[Offloading SSL] SOAP Response
Hi all, I would like help with a SOAP response problem.
I have two VIPs with the same pool:
VIP 1:443 --> Offload SSL --> Pool 8080
VIP 2:8080 --> Pool 8080
These two pools send traffic to a Tomcat 8.
On my VIP 1, I set an X-Forwarded-Proto: HTTPS column in the HTTP header for Tomcat to answer me in HTTPS.
Here is my test result :
[/home/user]$ curl https://fqdn_of_vip1/cupro-ws-8.0/soap/WSCompte?wsdl |grep location
[/home/user]$ curl -H "Host: fqdn_of_vip1" -H "X-Forwarded-Proto: https" 172.16.105.63:8080/cupro-ws-8.0/soap/WSCompte?wsdl |grep location
As you can see, when I curl VIP 1, Tomcat sends me a response with a soap:address location=http...
But when I curl VIP2 with X-Forwarded-Proto manually set, the response is correct, in HTTPS.
I think that when F5 does SSL Offloading.
X-Forwarded-Proto is generated by an iRule:
    if { [class match [HTTP::uri] starts_with datagrouplist1] and [class match [IP::client_addr] equals datagrouplist2] } {
        log local0. "Access 8080 from [IP::client_addr]"
        HTTP::header insert X-Forwarded-Proto https
        HTTP::header insert x-forwarded-proto https
        HTTP::header insert ipis [IP::client_addr]
        snat automap
        pool mypool
    }
For information, when I uncomment "snat automap", my curl on VIP1 (HTTPS) sends me a response location in HTTPS.
I don't understand why.
Do you have any information?
Thanks a lot for your answer
- PeteWhite
Employee
Are you confident that your URI and source IP address match against your cURL? I would be inclined to improve the logging, i.e. print out HTTP headers etc. Are you confident that the iRule is on VS1?
- Biche_XD_185704
Nimbostratus
Thanks for your reply. Yes, I'm sure about the URI and client IP. (I made a log to be sure.)
And here is the content of http_header:
    : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Client 193.X.X.X:25988 -> myfqdn.com/cupro-ws-8.0/soap/WSCompte?wsdl (request)
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Host: myfqdn.com
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : User-Agent: curl/7.58.0
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Accept: */*
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : X-Forwarded-Proto: https
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Client 193.X.X.X:25988 -> myfqdn.com/cupro-ws-8.0/soap/WSCompte?wsdl (response) - status: 200
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Server: Apache-Coyote/1.1
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Content-Type: text/xml;charset=UTF-8
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Transfer-Encoding: chunked
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Date: Tue, 10 Jul 2018 08:39:26 GMT
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
- PeteWhite
Employee
OK, so if X-Forwarded-Proto is already set (as in the headers) and the server is sending the wrong response then it's an issue on the server. Are you trying to fix the issue on the server by rewriting the content on the F5?
- Biche_XD_185704
Nimbostratus
So, I can rewrite the SOAP response with an iRule, but for me, this is not the right solution.
For me, this is not a problem on the server, because on the VIP in tcp/8080, with x-forwarded-proto set in curl, the soap address location is in HTTPS.
I have the feeling that the problem is in SSL offload. Or maybe in the HTTP profile (I use the default http profile).
- PeteWhite
Employee
OK, I think I must be missing something here.
Just to clarify, you want the VIP 1 which is listening on port 443 to have the X-Forwarded-Proto header inserted but not the VIP 2 (listening on port 8080).
To do this you need to create a new HTTP profile as per this link https://support.f5.com/csp/article/K43444200 and assign it to VIP 1. Use the standard http profile for VIP 2.
That should fix the issue.
- Biche_XD_185704
Nimbostratus
VIP 1 is an evolution.
Originally, all the traffic was sent to VIP 2. But an application manager wants to migrate this application to HTTPS. That's why VIP 1 was created.
VIP 2 didn't have X-Forwarded-Proto configured. But we ran some tests and emulated X-Forwarded-Proto with curl (with -H) on VIP2.
On VIP 1, we already have an HTTP profile, that's the default HTTP profile. We have the same HTTP profile on VIP 2 for another need (redirect from HTTP::host).
In conclusion, we have:
VIP1:443 --> Offload SSL --> X-Forwarded-Proto --> Pool:8080 --> Node:8080 --> VIP we want to redirect production traffic
VIP2:8080 --> Pool:8080 --> Node:8080 --> VIP actually in production
- PeteWhite
Employee
Create a new HTTP profile called http_x-forwarded-proto_https which inserts the X-Forwarded-Proto HTTP header as per this link: https://support.f5.com/csp/article/K43444200 and assign it to VIP 1.
Use the standard http profile for VIP 2.
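
A repeatable version of the `curl ... | grep location` test used in this thread, as an added example that is not part of the original posts: it extracts every `soap:address` location from a WSDL and fails if any of them is not `https://`. The function names, the port name and the two WSDL fragments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check the scheme of every <prefix:address location="..."> in a WSDL.
# The WSDL is read on stdin, so the check can sit behind curl in a pipeline.

# Print the location URL of every *:address element, one per line.
wsdl_locations() {
    tr '\n' ' ' |                                   # join lines: attributes may wrap
    grep -oE "<[A-Za-z0-9_]+:address[^>]*>" |       # soap:address, soap12:address, ...
    grep -oE "location=(\"[^\"]*\"|'[^']*')" |      # double- or single-quoted value
    sed -E "s/^location=[\"'](.*)[\"']$/\1/"
}

# Return 0 if every location is https://, 1 if any is not, 2 if none was found.
wsdl_all_https() {
    local locs url bad=0
    locs=$(wsdl_locations)
    [ -n "$locs" ] || { echo "no soap:address location found" >&2; return 2; }
    while IFS= read -r url; do
        case "$url" in
            https://*) echo "ok   $url" ;;
            *)         echo "FAIL $url"; bad=1 ;;
        esac
    done <<EOF
$locs
EOF
    return "$bad"
}

# Constructed samples: the http location reported through VIP 1, and the wanted result.
WSDL_HTTP='<wsdl:port name="WSComptePort">
  <soap:address location="http://fqdn_of_vip1/cupro-ws-8.0/soap/WSCompte"/>
</wsdl:port>'
WSDL_HTTPS='<wsdl:port name="WSComptePort">
  <soap:address
     location="https://fqdn_of_vip1/cupro-ws-8.0/soap/WSCompte"/>
</wsdl:port>'

printf '%s\n' "$WSDL_HTTP"  | wsdl_all_https || echo "VIP 1 sample still advertises http"
printf '%s\n' "$WSDL_HTTPS" | wsdl_all_https

# Against the real service (hostname and path as used in the thread):
#   curl -s 'https://fqdn_of_vip1/cupro-ws-8.0/soap/WSCompte?wsdl' | wsdl_all_https
```

Running the same check before and after changing the HTTP profile or iRule on VIP 1 shows whether Tomcat now builds the endpoint address from the forwarded scheme.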