Forum Discussion
Brantly_Perry_1
Nimbostratus
NimbostratusRedirect only parially working...
Hello, I'm new to this forum, and also new to iRules. Just wanted to run a rule by some of you more seasoned iRule experts.
when HTTP_REQUEST {
if { [HTTP::path] eq "/" }{
HTTP::redirect "https://www.mynurseonline.com/member/"
} elseif { [HTTP::host] eq "mynurseonline.com" }{
HTTP::redirect "https://www.mynurseonline.com/member/"
}
}
This first part of the iRule works great, but the second part doesn't work at all. The certificate is registered to www.mynurseonline.com. If a user just puts in mynurseonline.com they get a certificate error, so I'm trying to do this redirect. Not sure I'm going about it the right way or not. Like I said, I'm new to iRules! Let me know if you think I could do anything better. Thanks so much!
8 Replies
- Is the redirect actually not working? I.E. they're not getting to www.mynurseonline.com? Or is it just that they're still getting the security error?
There's unfortunately no way for you to avoid them receiving that security error if they type the hostname incorrectly. The BIG-IP has to decrypt the session before it can do any inspection or redirection. At that point the user would have already seen the security notice and accepted the warning.
Colin 
hoolioCirrostratus
You could get a new cert using Subject Alternate Names which is valid for example.com and www.example.com. For more info on this, try searching the 9.x iRules forum for "san cert" or "subject alternate name".
The cert would then be valid for both fully qualified domain names in your rule and the browser would not prompt the user about the hostname mismatch.
Aaron- Brantly_Perry_1Thanks to both of you for your quick responses!
To answer your question Colin, not only does the certificate error occur, but the second redirect doesn't work either. - hoolioDo you get a TCL error in /var/log/ltm when the second redirect doesn't work? What response does the client get from the VIP? Is it a TCP reset or some kind of HTTP response? If you test with Fiddler for IE or LiveHttpHeaders for Firefox, you can see if there is an HTTP response. Also, can you add logging to the rule so you can see if it's being triggered as you expect?
when HTTP_REQUEST { if { [HTTP::path] eq "/" }{ HTTP::redirect "https://www.mynurseonline.com/member/" log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::path] matched path /" } elseif { [HTTP::host] eq "mynurseonline.com" }{ log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::path] matched host: mynurseonline.com" HTTP::redirect "https://www.mynurseonline.com/member/" } }
Aaron - Brantly_Perry_1Thanks Aaron. I'm definitely am doing something wrong. Here's the outpug from logging on the iRule:
Sep 8 12:22:15 tmm tmm[1651]: Rule Production-Mynurseonline-Add-www : 65.207.60.17:46799: / matched host: mynurseonline.com
Sep 8 12:22:15 tmm tmm[1651]: 01220001:3: TCL error: Production-Mynurseonline-Add-www - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "https://www.mynurseonline.com/member/" "
Thanks! - hoolioDo you have another iRule added to the VIP or an HTTP class which is redirecting the client? If so, can you post that rule?
I don't see how both redirects could be triggered from this rule as they're wrapped in an if/else. The log output shows that the first condition isn't being met, so there must be another redirect being issued. If you're stuck, try posting the VIP configuration by running 'b virtual VIRTUAL_NAME list'.
Thanks,
Aaron - Brantly_Perry_1Hi Aaron. I started logging on my DMZ facing BigIP and received a similar error:
Sep 8 13:21:14 tmm tmm[1756]: 01010005:3: Profile Production-Mynurseonline-http, compress_uri_includes error - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "https://www.mynurseonline.com/member/""
Sep 8 13:21:14 tmm tmm[1756]: 01010005:3: Profile Production-Mynurseonline-http, compress_uri_includes error - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "https://www.mynurseonline.com/member/""
Sep 8 13:21:14 tmm tmm[1756]: 01010005:3: Profile Production-Mynurseonline-http, compress_uri_excludes error - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "https://www.mynurseonline.com/member/""
Sep 8 13:21:14 tmm tmm[1756]: 01010005:3: Profile Production-Mynurseonline-http, compress_uri_excludes error - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "https://www.mynurseonline.com/member/""
Here is a copy of the other irule I have associated with that VIP
when HTTP_REQUEST {
if {[HTTP::uri] contains "eb-member-earAdmin"} {
HTTP::respond 404 content "RESOURCE NOT FOUND"
}
}
!
!
!
!
The previous message came off the internet facing BigIP. This VIP had the following other irule associated with it:
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Thanks so much for your time! - Brantly_Perry_1I don't believe I've seen this error until now:
ep 15 07:29:59 VADC1F5WEST01 mcpd[1723]: 01070151:3: Rule [Production-Mynursonline-Redirect] error: line 1: [wrong args] [HTTP::redirect "https://www.mynurseonline.com/member/" log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::path] matched path /" ] line 1: [Invalid IP address] [log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::path] matched host: mynurseonline.com" HTTP::redirect "https://www.mynurseonline.com/member/" ]
