Forum Discussion
diana_24252
Nimbostratus
NimbostratusRedirect to HTTPS doesn't work properly
Redirect to HTTPS doesn't work properly
Description of the problem:
Web site: testcustompoint.rrd.com (it is a test only site so there is an SSL name error)
The web server redirects you to HTTPS and once the login page opens the browser address changes to:
https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050811
At this point if you delete only the letter āsā in the HTTPS and hit Enter the page will load in HTTP and will not redirect to HTTPS. Obviously this is a major security issue.
The web team only wants the login page to be secure and not all the pages.
I setup the following iRule:
when HTTP_REQUEST {
if { [HTTP::uri] starts_with "/xs2/prelogin" } {
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
}
This iRule did not fix the security issue I described above. I tried a few different modifications of a redirect iRule, but no luck yet.
Any help will be greatly appreciated!
hoolioCirrostratus
Do you have the iRule attached to the HTTP VIP? If so, the rule should not allow an HTTP request to a URI starting with /xs2/prelogin. If you're seeing this, try to add logging to see exactly what's happening:when HTTP_REQUEST { log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]: new HTTP request to [HTTP::uri]" if { [HTTP::uri] starts_with "/xs2/prelogin" } { log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]: URI started with /xs2/prelogin, redirecting to https" HTTP::redirect "https://[HTTP::host][HTTP::uri]" } }
The log output is written to /var/log/ltm by default.
Aaron
diana_24252The iRule was and is attached to the VIP. I modified it to log as you advised and I am attaching the log file.
Thank you!- hoolioI don't see any requests in the log which start with /xs2/prelogin. Can you confirm the URI for the login page?
Aaron - diana_24252Welll this is what the developer told me to use for the iRule. Like you say I didn't see that either in the log, but when you open the site it is what is displayed in the address bar. You can test it yourself, the site is available on the Internet.
- hoolioHere are the series of request and responses I saw:
Request to: http://testcustompoint.rrd.com/?___________________________aaron_is_testing - 302 redirect to http://testcustompoint.rrd.com/xs2/?CMPID=126
Request to: http://testcustompoint.rrd.com/xs2/?CMPID=126 - 302 redirect to https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802
Request to: https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802 - 200 OK response
Manually remove the 's' from https:// and made a request to: http://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802 - 200 OK response
Can you check what URIs were logged on the BIG-IP for these three HTTP requests? I would think the log should show requests to /xs2 and /xs2/prelogin.
Aaron - diana_24252Im sorry, I had stopped te logging as the file was getting big. I asked the developer to look at it and give me another string.
I enabled the logging again. Can you try that test please?
Thank you! - hoolioI just tried the same sequence. My IP starts with 90.193.139.
Aaron - diana_24252Aaron,
The firewall seems to be NATing all incomming IPs and it all looks like it comes from 1 IP address, but I saved all the loggs since I reenabled the logging and I am attaching it here. - hoolioI don't see any of the HTTP requests I made in the iRule's entries in LTM log file. Are you sure the iRule is attached to the VIP which requests to testcustompoint.rrd.com is NAT'd to?
Here are a list of the non-image objects that were listed in the ltm loig file:
/style/3880.css
/xs2/campaigns/managecampaigns
/xs2/global/javascript/common.js
/xs2/items/itemdetails
/xs2/items/itemhome
/xs2/items/itemmaintenance
I would have expected to see two requests with "aaron" in the URI. I didn't see that. Nor were there any requests to /xs2/prelogin. So there weren't any HTTP requests which were redirected to HTTPS.
I would guess the iRule isn't attached to the correct VIP or the firewall is NATing the requests directly to a webserver.
Aaron