Forum Discussion
Redirect HTTP request to HTTPS VS and rewrite new URI
Hi, I have a service HTTPS VS with a client SSL profile to offload SSL. It has a two-member server pool running on service tcp 9994. The site is to be accessed using either HTTP or HTTPS with only the VS IP in the URL, i.e., https://VS-IP or HTTP://VS-IP, hence the user wants the LTM to be able to redirect HTTP traffic to HTTPS. We also want to rewrite traffic as http://pool-member-ip:9994/xyz-uri when the LTM forwards the request to the server pool.
Can anyone help me by suggesting an iRule for this?
Appreciate your support. Ramil
11 Replies
- nitass
Employee
user wants the LTM to be able to redirect HTTP traffic to HTTPS. And also we want to rewrite traffic as http://pool-member-ip:9994/xyz-uri when LTM forwards the request to the server pool.
The HTTPS virtual server will change vs-ip to pool-member-ip:9994 itself. What you have to do is redirect from HTTP to HTTPS and change the URI from / to /xyz-uri.
e.g.
config

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        vs-index 3
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            if { [HTTP::uri] eq "/" } {
                HTTP::redirect "https://[HTTP::host]/xyz-uri"
            }
        }
    }

test

    [root@ve11a:Active:In Sync] config curl -I http://172.28.24.10
    HTTP/1.0 302 Found
    Location: https://172.28.24.10/xyz-uri
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

- Ramil_Ancajas_1
Nimbostratus
Hi Nitass,
thank you for your quick response.
However, I tried it and it seems it is still not working. We actually wanted to have the LTM do the SSL offloading first (terminate the SSL from the client request) and then forward the request to the pool member with the appended URI (/xyz). When I tested your iRule, it redirected traffic to the pool member using the HTTPS protocol plus the appended URI. It didn't work because the pool server does not accept HTTPS.
Thanks anyway, but I would appreciate any more suggestions please... Ramil
- nitass_89166
Noctilucent
When I tested your iRule, it redirected traffic to the pool member using the HTTPS protocol plus the appended URI. It didn't work because the pool server does not accept HTTPS.
Where did you apply the iRule? Was it the HTTP virtual server (not the HTTPS virtual server)?
The iRule will redirect from the HTTP virtual server to the HTTPS virtual server, appending the URI. On the HTTPS virtual server, it will offload SSL and send HTTP (not HTTPS) to the pool member.
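An added example, not part of the original posts and not F5's own code: a variant of the redirect iRule for the HTTP (port 80) virtual server described above. It goes beyond the posted rule in two ways: it also redirects non-root URIs, and it builds the target from the virtual server address (`IP::local_addr`) instead of the client-supplied Host header. It assumes the HTTPS virtual server listens on 443 at the same IP, the default route domain, and the thread's placeholder `/xyz-uri`.

```tcl
# Added example: attach to the port-80 (HTTP) virtual server only.
# The HTTPS virtual server keeps its clientssl profile and pool and
# needs no redirect rule; it sends plain HTTP to the pool members.
when HTTP_REQUEST {
    # The site is reached by VS IP, so use the address the client
    # actually connected to. [HTTP::host] is taken from the request's
    # Host header, which the client controls, so a redirect built from
    # it can point wherever the sender of the request chooses.
    set target [IP::local_addr]

    if { [HTTP::uri] eq "/" } {
        # Bare root: send the client to the application's entry URI.
        HTTP::redirect "https://$target/xyz-uri"
    } else {
        # The posted rule matches only "/". Redirect everything else
        # too, keeping the requested path and query string.
        HTTP::redirect "https://$target[HTTP::uri]"
    }
}
```

The `curl -I http://172.28.24.10` check shown earlier in the thread applies unchanged; repeating it with a non-root path and with an arbitrary `Host:` header confirms that the `Location` value always carries the virtual server address.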
- Ramil_Ancajas_1
Nimbostratus
Thank you very much Nitass. I created another HTTP VS and assigned the irule there and it works! Much appreciated. Ramil
- chells2_241915
Nimbostratus
Hi, doesn't the load balancer do the application layer first? I mean, it will first do the SSL termination for the HTTPS URL and then it will look for iRules to redirect, right? I see in your comment that, for HTTP traffic from the client, the load balancer will check for the iRules and then go with the SSL termination.
- Kevin_Stewart
Employee
Chells2, you cannot "see" the (application layer) HTTP traffic until you've first terminated the SSL. BIG-IP iRules events work in the same order as OSI layers.
- midhun_108442
Nimbostratus
Hi,
Yes, we are using the Redirect Rewrite option in the HTTP profile. This is our setup: Client --> BigIP (443), BigIP --> Webserver (80). We use the HTTP redirect rewrite profile as "All". With this we are able to get our webserver login page and are able to log in successfully, but after that, if we click any tab or option on the webpage, it again redirects to HTTP.
I had applied the default iRule "_sys_https_redirect", but here I am not getting the login page itself, and I verified the logs: no packet has been sent to the pool member.
Appreciate your help please.
Regards, Midhun P.K