GavinW_29074
Apr 16, 2012 · Nimbostratus
Random HTTPS Redirects?!?!
Hi there,
I'm starting to configure some services on the F5 which support HTTP. Prior to this, all our services have been over HTTPS.
However I'm having some issues with random HTTPS redirects creeping in, which causes the connection to be rejected.
An example VIP config is:
    (/Common)(tmos) list /ltm virtual GABStaging_RPG.app/rpg.go-aheadstaging.card.co.uk_http
    ltm virtual X_RPG.app/rpg.x.card.co.uk_http {
        app-service /Common/X_RPG.app/X_RPG
        destination 172.16.6.115:http
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            Caching_RPG { }
            HTTP_Rewrite { }
            oneconnect { }
            stream { }
            tcp {
                context clientside
            }
            tcp-lan-optimized {
                context serverside
            }
            wan-optimized-compression { }
        }
        rules {
            ProxyPass
            SplunkHTTP
            CacheControl
            CatchErrors
            HeaderStripping
            MaintenancePage
            HandleErrors
            NameVHost
        }
        snat automap
        vlans-disabled
    }
A request to this VIP returns:
    curl -ik http://postgateway.x.card.co.uk/Gateway-web
    HTTP/1.1 301 Moved Permanently
    Location: https://postgateway.x.card.co.uk/Gateway-web/
    Content-Type: text/html; charset=iso-8859-1
    Connection: close
    Vary: Accept-Encoding
If I connect directly to the back-end application server I don't get redirected to HTTPS...
So the only place I can think this is being introduced is in the ProxyPass iRule, as that's the main rule that responds to the client...
Any ideas????
Cheers
Gavin
- GavinW_29074 (Nimbostratus): Just to add to this, I've started doing some packet captures at various points to be 100% sure that it's not an application/app server issue...
- nathe (Cirrocumulus): Gav
- GavinW_29074 (Nimbostratus): Posted By nathan on 04/16/2012 04:33 AM
- nathe (Cirrocumulus): Gav
- GavinW_29074 (Nimbostratus): Ahh, ok... Wasn't aware that that was how the redirect-rewrite functionality worked...
- GavinW_29074 (Nimbostratus): Ok, think I've got a work-around to this issue...
@@ -474,6 +476,20 @@ log local0. "$log_prefix: Rewriting response content enabled, but disabled on this response." } + Check for Redirect responses + if { [HTTP::is_redirect] } { +if { $static::ProxyPassDebug > 1 } { log local0. "$log_prefix: Response is redirect. Checking Location Header."} + + Get the protocal from the Location header value. +set redirect_proto [string range [HTTP::header "Location"] 0 [expr [string first : [HTTP::header "Location"]] +2]] +if { $static::ProxyPassDebug > 1 } { log local0. "$log_prefix: Redirect Proto is: $redirect_proto." } +if { not ($redirect_proto == $protocol) } { +if { $static::ProxyPassDebug > 1 } { log local0. "$log_prefix: Redirect Proto doesn't match request protocol. Correcting." } +HTTP::header replace Location [string map -nocase "$redirect_proto $protocol" [HTTP::header Location]] +} + + } + Need to explicity disable the stream filter if it's not needed for this response Hide the command from the iRule parser so it won't generate a validation error when not using a stream profile
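Review bot: The "set redirect_proto" line assumes the Location value is an absolute URL, and the header is rewritten even when it is not. When Location contains no colon (a relative redirect), string first returns -1, the range becomes 0 to 1, and the first two characters of the path are taken as the protocol; they are unlikely to equal $protocol, so string map then replaces those two characters wherever they occur in the header. Check that the value starts with http:// or https:// before comparing, and skip the rewrite otherwise. Two further points on the "HTTP::header replace Location" line: string map substitutes every occurrence of the scheme in the Location value, including one embedded in a query string, so replacing only the leading prefix is safer; and the rewrite applies to redirects to any host, so on an HTTP virtual server it also turns a back end's deliberate redirect to HTTPS, or a redirect to a different site, into plain HTTP. Restricting it to Location values whose host matches the request's Host header would limit that.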
- Antony_413 (Nimbostratus): Is it possible that your back end server contains some hard coded https:// ?
- GavinW_29074 (Nimbostratus): Could be useful in some scenarios I think :)