Proper use of http redirect codes for temporary redirects?

Question

Hi,
&nbsp;I'm pretty puzzled by the question on how to correclty(*) redirect on a LTM in case of a temporary disruption of service. In case of planned works as well as in case of something seriously wrong we intend to throw the users off onto another URL, i.e. they'd normally access
&nbsp;https://shop.xyz.com/
&nbsp;and we'd temporarily redirect them to another site&nbsp;https://www.xyz.com/whatever/shopisdown.html&nbsp;
&nbsp;(*)trying to define "correctly": with the least evil effects (caching!) on popular and not so popular browsers or proxys. &nbsp;&nbsp;
&nbsp;The "fallback host" functionality in the http profile uses a 302 redirect when no poolmembers are available, but at least parts of the Internet state that 302 shouldn't be used because it is implemented strangely and was widely abused for somethings.&nbsp;
&nbsp;Triggering http::redirect from an irule throws a 301 which isn't good for the case(caching!).&nbsp;
&nbsp;This would leave a 307. This one is even dubbed "temporary redirect".  We didn't try up to now and I'm somewhat scared because I don't feel that it is widely used and well understood.&nbsp;
&nbsp;Anyone with an opinion there?&nbsp;
&nbsp;Best regards
&nbsp;Me.

hoolio · Answer

Hi, 
&nbsp;  
&nbsp; If you want client's and/or intermediate proxies to cache the redirect, you should use a 301 response code.  If you don't want the redirect cached, then use a 302. 
&nbsp;  
&nbsp; Can you elaborate on this? 
&nbsp;  
&nbsp; ...but at least parts of the Internet state that 302 shouldn't be used because it is implemented strangely and was widely abused for somethings. 
&nbsp;  
&nbsp; I'm not sure what issues you're referring to. 
&nbsp;  
&nbsp; Thanks, Aaron &nbsp;

madeye_80512 · Answer

Hi Aaron,  
&nbsp; thank you for your reply and sorry for me being obscure out of time pressure and for asking not well founded questions.  
&nbsp;  
&nbsp; Diving in deeper into the topic on what may be wrong with a 302 I found it connected to FUD regarding Typosquatting / url-hijacking and search engine providers. This (I'm deeply embarrased) happens mostly in the german version of wikipedia *blush*.  
&nbsp;  
&nbsp; It seems that there were (are?) search engines who if www.something.com did a 302 to www.somethingelse.com then searchengines would conclude that the somethingelse site was only temporary and wouldn't index it, thus allowing someone to kick your site out of the searchengines by just 302ing to it.  
&nbsp; The worst case for us would be if some major search engine would kick our main site out of their index because we're ourselves redirecting our shop to it during server downtime (see my OP, it is near enough to the truth regarding what we'd intend to do). 
&nbsp; You can read the text(s) so that there is common sense on not using 302 any more... but this is very up to interpretional issues. 
&nbsp;  
&nbsp; The other thing is that the http/1.1 RFC2616 itself states things about a 302 being ambiguously implemented so that some browsers would use a GET on the 302s location regardless of the original request method and that this lead to the implementation of 303 (browser should always use a GET on the location) and 307 code (browser should use original method, but verify with the user if method wasn't HEAD or GET). 
&nbsp; And for my eye the RFC is VERY obscure there if you try to assume what arbitrary client browsers would do on any of these codes. 
&nbsp;  
&nbsp; But it's not too relevant for our case because we would want the browser to do a request as a GET regardless on what method it intended beforehand.  
&nbsp; So the question would rather not be if to use a 307 but if a 303 should be used. And here the RFC states that "most browsers react to a 302 as described for 303".  
&nbsp;  
&nbsp; Given the additional bit that a 302 should be understood also by pre http/1.1 browsers, I agree that probably 302 would be the correct choice, if the concern about URL hijacking can be laid down. 
&nbsp;  
&nbsp; It'd be great if you could ease these doubts. 
&nbsp; Best regards and I wish anyone having a great start of a great new year! 
&nbsp; Me.  
&nbsp;  &nbsp;

Forum Discussion

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

f5 r5600 appliance issue with adding trunk to vlan

SSL Forward Proxy, iRules and Client Hello

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

Related Content

F5 HTTPS Redirect 2025

Rewriting Redirects

Traffic Management User Interface Vulnerability: The Fix and Temporary Mitigation Options

(HTTP) Redirection via Arbitrary Host Header

Anchor Link Redirect