deni_22991
Jan 04, 2011

redirect to https multiple uri's while letting others pass through

I am trying to create an iRule that will force SSL on specific multiple URIs under a specific host while letting those that do not need SSL pass through. I am working on BIG-IP 9.4.7 Build 320.1

I have created a Virtual Server with port 80, created a pool and have added the iRule to the Virtual Server. I have a wild card SSL cert that works for our appsf5.com

I have created the following iRule, but it only works once or twice before getting a page not found.

    when HTTP_REQUEST {
        if { [HTTP::host] equals "appsf5.com" } {
            if { [HTTP::uri] starts_with "/applications/app1" } {
                HTTP::redirect "https://[HTTP::host]/applications/app1/logon.aspx"
            } elseif { [HTTP::uri] starts_with "/applications/app2" } {
                HTTP::redirect "https://[HTTP::host]/applications/app2/login.asp"
            } elseif { [HTTP::uri] starts_with "/applications/app3" } {
                HTTP::redirect "https://[HTTP::host]/applications/app3/login.asp"
            } elseif { [HTTP::uri] starts_with "/applications/app4" } {
                HTTP::redirect "https://[HTTP::host][HTTP::uri]"
            } else {
                HTTP::respond "http://[HTTP::host][HTTP::uri]"
            }
        }
    }

56 Replies

  • I did try to update the iRule, but it wouldn't pass the syntax check, so I canceled out of it. No changes have been made since this morning when I added the -glob statement back in.
  • Hi Deni,

    The -glob statement specifically allows you to use wildcards and look for patterns

    For example in the switch statement you have

    "/applications/dp42launchpad*"

    The -glob statement allows you to use "?" and "*"

    Bhattman
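How `switch -glob` decides which requests get redirected, as an added example that is not part of the original thread: plain Tcl that runs in tclsh, with `redirect_target` as a hypothetical helper and constructed sample URIs (the `gf82reports` path is invented for illustration). It goes slightly beyond the reply by anchoring the `gf82` pattern at the path boundary, because a bare `gf82*` also matches any sibling path that merely starts with `gf82`.

```tcl
# Added example: plain Tcl, not an iRule. It models only the matching
# decision; HTTP::redirect and the other HTTP:: commands are not used.

# Return the HTTPS URL a request should be redirected to, or "" to let it
# pass through over HTTP. redirect_target is a hypothetical helper name;
# uri is assumed to be the path plus any query string.
proc redirect_target {host uri} {
    # Match on a lower-cased copy so /Applications/GF82 and /applications/gf82
    # take the same branch; the original $uri is what goes into the redirect.
    switch -glob -- [string tolower $uri] {
        "/applications/dp42launchpad*" {
            return "https://$host/applications/dp42launchpad/logon.aspx"
        }
        "/applications/gf82" -
        "/applications/gf82/*" -
        "/applications/gf82\\?*" {
            # Anchored at the path-segment boundary: the bare directory,
            # anything below it, or the directory followed by a query string.
            return "https://$host$uri"
        }
        default {
            return ""
        }
    }
}

# Constructed sample requests; the host is the one used in the thread.
foreach uri {
    /applications/DP42LaunchPad/default.aspx
    /applications/gf82/login.asp
    /applications/GF82?id=1
    /applications/gf82reports/main.asp
    /applications/HC70SBI/default.asp
} {
    set target [redirect_target appsf5.sd.gov $uri]
    # What the looser single pattern "/applications/gf82*" would decide.
    set loose [string match "/applications/gf82*" [string tolower $uri]]
    puts [format "%-42s loose=%d -> %s" $uri $loose \
        [expr {$target eq "" ? "pass through (HTTP)" : $target}]]
}
```

Besides `*` and `?`, glob patterns also accept `[chars]` character classes and a backslash to match a wildcard character literally, which is what the `\\?` arm relies on.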
  • The iRule has the 403 logging but when I try the pages, only the https pages come up. The http pages give me a page cannot be displayed.

    Tue Jan 11 06:47:58 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC70SBI/default.asp
    Tue Jan 11 06:47:58 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC70SBI/default.asp
    Tue Jan 11 06:47:58 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:47:58 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:48:06 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/hc54contractoraccess/Logon.asp
    Tue Jan 11 06:48:06 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/hc54contractoraccess/Logon.asp
    Tue Jan 11 06:48:09 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC70SBI/default.asp
    Tue Jan 11 06:48:09 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC70SBI/default.asp
    Tue Jan 11 06:48:14 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/gf82/login.asp
    Tue Jan 11 06:48:14 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: Requested http://appsf5.sd.gov/applications/gf82/login.asp and was redirected to https://appsf5.sd.gov/applications/gf82/login.asp
    Tue Jan 11 06:48:18 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/gf82/login.asp
    Tue Jan 11 06:48:18 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: Requested http://appsf5.sd.gov/applications/gf82/login.asp and was redirected to https://appsf5.sd.gov/applications/gf82/login.asp
    Tue Jan 11 06:55:07 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:55:07 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:55:08 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:55:08 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:55:09 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_REQUEST: User went to http://appsf5.sd.gov/applications/HC54ApprovedProducts/Main.asp
    Tue Jan 11 06:55:09 CST 2011 tmm tmm[2048] Rule apps_withssl HTTP_RESPONSE: 403 for /applications/HC54ApprovedProducts/Main.asp

    iRule looks like this

        when HTTP_REQUEST {
            if { [HTTP::host] equals "appsf5.sd.gov" } {
                log local0. "User went to http://[HTTP::host][HTTP::uri]"
                set site [HTTP::uri]
                switch -glob [string tolower [HTTP::uri]] {
                    "/applications/dp42launchpad*" {
                        HTTP::redirect "https://[HTTP::host]/applications/dp42launchpad/logon.aspx"
                        log local0. "Requested http://[HTTP::host][HTTP::uri] and was redirected to https://[HTTP::host]/applications/dp42launchpad/logon.aspx"
                    }
                    "/applications/st01fastfile*" {
                        HTTP::redirect "https://[HTTP::host]/applications/st01fastfile/login.asp"
                        log local0. "Requested http://[HTTP::host][HTTP::uri] and was redirected to https://[HTTP::host]/applications/st01fastfile/login.asp"
                    }
                    "/applications/gf79biggame*" {
                        HTTP::redirect "https://[HTTP::host]/applications/gf79biggame/login.asp"
                        log local0. "Requested http://[HTTP::host][HTTP::uri] and was redirected to https://[HTTP::host]/applications/gf79biggame/login.asp"
                    }
                    "/applications/gf82*" {
                        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
                        log local0. "Requested http://[HTTP::host][HTTP::uri] and was redirected to https://[HTTP::host][HTTP::uri]"
                    }
                }
            }
        }
        when HTTP_RESPONSE {
            if { [HTTP::status] eq "403" } {
                log local0. "403 for $site"
            }
        }
  • The fact that this is occasionally working concerns me. I can't understand why an iRule would cause an IIS box to send a 403. Can you confirm again that there's nothing in the Security or IIS logs on these servers? IIS is very noisy with logs and should definitely alert if it's throwing 403s.

    http://appsf5.sd.gov/applications/gf82/login.asp is properly redirected and loads for me right now. 5 minutes ago, it redirected but gave me a 403. The iRule shouldn't have anything to do with that which makes me wonder whether something else is going on in the background that the IIS boxes don't like. If you've got Microsoft support, I'd recommend starting a support case with them as well and just explain that you're randomly throwing 403s.

    Right now, every link above works fine. The ones that should redirect do redirect and load over HTTPS. The ones that shouldn't redirect don't, and load fine over HTTP. If the past few days is any indication, that'll likely change soon. :-P
  • We've had a lot of changes today to change different Virtual Servers, so I'm sure it will change. I looked at the event viewer for both IIS servers behind the F5. I could find nothing in the event viewer under application or security or system that show for these applications at all. I also looked at the log files for today on both servers and I could see the page hits in the log files, but there was no other information in those log files.