Forum Discussion
meena_60183
Nimbostratus
Nov 10, 2008
redirect after SSL termination
Hi All,
I have a scenario where the webserver only responds if there is a particular URI, say WebEdition. I also have SSL termination configured for this VS. The web server only listens on port 80.
I have the following 4 scenarios
1. http://www.example.com -> redirect to -> https://www.example.com/WebEdition
2. https://www.example.com -> redirect to -> https://www.example.com/WebEdition
3. http://www.example.com/WebEdition -> redirect to -> https://www.example.com/WebEdition
4. https://www.example.com/WebEdition (no need for redirection and just decrypt the traffic and send clear text to the server).
I created a couple of iRules but nothing seems to work and I always get "page cannot be displayed".
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        HTTP::redirect "https://www.example.com/WebEdition"
    }
}
and I applied this to the http traffic.
I also tried
when HTTP_REQUEST {
    if {[HTTP::host] equals "www.example.com" } {
        HTTP::redirect https://www.example.com/WebEdition
    }
}
Both are created after looking at some samples on this forum.
I am not sure how to apply the iRule to the https traffic since it will be encrypted. How can I ensure that it is applied after the decryption?
thanks,
Meena
7 Replies
- James_Quinby_46
Historic F5 Account
Are you terminating SSL on your LTM or on the application server itself?
- meena_60183
Nimbostratus
SSL termination is done on the BigIP.
- Colin_Walker_12
Historic F5 Account
The iRule will automatically be applied after the decryption. The events you're using (HTTP events) are processed after the BIG-IP has already decrypted the traffic.
As far as an iRule to redirect everything coming to www.example.com without the /WebEdition URI, it looks like you want something like:
when HTTP_REQUEST {
    if { [HTTP::host] eq "www.example.com" } {
        if { (!([HTTP::uri] starts_with "/WebEdition")) or ([TCP::local_port] != 443) } {
            HTTP::redirect "https://www.example.com/WebEdition"
        }
    }
}
That should work for both encrypted and plaintext traffic, assuming they're both feeding into the VIP that has this iRule on it.
Colin
- meena_60183
Nimbostratus
But this will not redirect https://www.example.com to https://www.example.com/WebEdition. Will it?
- dennypayne
Employee
It will...the ! will make it redirect any URI that does not start with /WebEdition.
Denny
- meena_60183
Nimbostratus
I did not see the ! on the first condition and also just noticed that it was "or" for the conditions and not "and".
However, I am moving this site from a Cisco load balancer to the F5. Cutover is tomorrow and I already imported the keys and cert with no problems. Since the site is a production site, I am testing the F5 config by adding an entry in the local hosts file.
When I enter http://www.example.com, it redirects me to https://www.example.com/WebEdition but I get "Redirect Loop" message.
http://www.example.com/WebEdition stays as http://www.example.com/WebEdition and I also get a "redirect loop" message.
https://www.example.com brings up https://www.example.com without the /WebEdition with just a default message.
https://www.example.com/WebEdition stays as it is but brings up a "redirect loop" message.
The server guys think it is the BigIP causing the loop since it still works with Cisco.
I am really confused about this.
Any idea?
thanks,
Meena
- dennypayne
Employee
I'm thinking you don't need the TCP::local_port check. Since you are decrypting, that is probably evaluating to 80, which would make this loop since it always matches (!= 443).
Either that or the application is sending back some other string that isn't accounted for in the logic of the rule. You could use Live HTTP Headers (Firefox) or HTTPWatch/Fiddler (IE) to check.
Denny
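The rule from Colin's reply, modeled in Python to trace the four scenarios from the original post under two assumptions about what TCP::local_port returns. This is an added example, not part of the thread and not F5 code; the function names and both port assumptions are hypothetical.

```python
# Model of the iRule posted in the thread (constructed for illustration).
from urllib.parse import urlsplit

TARGET = "https://www.example.com/WebEdition"

def irule(host, uri, local_port):
    """Return the redirect URL, or None if the request is sent to the pool."""
    if host == "www.example.com":
        if not uri.startswith("/WebEdition") or local_port != 443:
            return TARGET
    return None

def port_as_client_side(scheme):
    # Assumption A: the check sees the virtual server port the client connected to.
    return 443 if scheme == "https" else 80

def port_always_80(scheme):
    # Assumption B (the hypothesis in the last reply): the check sees 80 even for HTTPS.
    return 80

def follow(url, port_of, max_hops=5):
    """Follow redirects as a browser would; return (final_url, outcome)."""
    seen = []
    while len(seen) < max_hops:
        if url in seen:
            return url, "redirect loop"
        seen.append(url)
        parts = urlsplit(url)
        nxt = irule(parts.hostname, parts.path or "/", port_of(parts.scheme))
        if nxt is None:
            return url, "sent to pool"
        url = nxt
    return url, "too many redirects"

# The four scenarios listed in the original post.
SCENARIOS = [
    "http://www.example.com",
    "https://www.example.com",
    "http://www.example.com/WebEdition",
    "https://www.example.com/WebEdition",
]

def run(port_of):
    return {u: follow(u, port_of) for u in SCENARIOS}

if __name__ == "__main__":
    for name, fn in (("client-side port", port_as_client_side), ("always 80", port_always_80)):
        print(name)
        for url, result in run(fn).items():
            print(f"  {url} -> {result}")
```

Under assumption A all four URLs settle on https://www.example.com/WebEdition; under assumption B every request is redirected again, which a browser reports as a redirect loop.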