Forum Discussion
Dbow_21284
Nimbostratus
NimbostratusRedirecting back and forth between HTTP and HTTPS virtual servers for the same site
Hello,
I have a site that we are about to use F5 Big-IP LTM to load balance. I am a little green though and I need some assistance with creating iRULES to redirect back and forth between the Virtual Servers (one is port 80 and one is 443).
Our site is mostly port 80, http://mysite.com and all that traffic is fine initially going through the load balancer. This has been tested. However, there is a login component that switches the url to https://mysite.com/default_ssl.aspx and I need to get this traffic redirected to the 443 VS ... right? I haven't been able to find any examples code or criteria that I need to base the redirect on.
Also, after the user logins, they can click on other areas of the site that go back to port 80. So likewise, I need to be able to redirect the traffic via an iRULE back to the http VS too right?
1) Can anyone shed some light on this and verify that I am going in the right direction with this?
2) Does anyone have any ideas on sample iRULE code that I can use/build upon?
3) Should my web developers know what the triggers should be to redirect? ... I am assuming so.
I appreciate your help!
Dbow!
hoolioCirrostratus
You could create a string datagroup (in the GUI under Local Traffic >> iRules >> Datagroup tab) containing the full paths you want accessed only via HTTPS. Then for the HTTP virtual server, use a rule to redirect all requests to these paths to HTTPS. If you only wanted to allow HTTPS requests to the HTTPS VIPs for those paths, you could redirect all others to HTTP using a second rule on the HTTPS VIP.
Datagroup (called a class in the bigip.conf):
secure_paths_datagrup:
/path/to/file.ext
/path/to/another.file.ext
/path/to/someother.file.ext
HTTP rule:when HTTP_REQUEST { Check if request is to a secure URI if {[matchclass [HTTP::path] equals $::secure_paths_datagroup]}{ Redirect request via HTTPS HTTP::redirect https://[HTTP::host][HTTP::uri] } }
HTTPS rule:when HTTP_REQUEST { Check if request is not to a secure URI if {not ([matchclass [HTTP::path] equals $::secure_paths_datagroup])}{ Redirect request via HTTP HTTP::redirect http://[HTTP::host][HTTP::uri] } }
Aaron- dennypayne
Employee
I'm not clear on what exactly is meant by the "login component" but if the HTML that the server sends back to the client contains the https://mysite.com/default_ssl.aspx link, if the user clicks on that the browser will request the content over 443 by default. The LTM will simply answer from the 443 VS. Likewise for any http links that are embedded in the HTML coming from the https connection. You don't need any redirects for default browser behavior.
One caveat here is if you are using persistence and you want to make sure that sessions over port 80 and sessions over port 443 are load-balanced to the same server, you need to make sure your persistence profile has the "Match across services" option enabled. Otherwise connections to port 80 and connections to port 443 will be handled independently.
Denny 
Dbow_21284I figured out that the issue I was having was a simple one.
I wrote a long reply ... then realized half way through. My POOL for the SSL VS ... I choose port 80 for the nodes. DUH! Yes I am a noob. Jokes are accepted at this time.
Anyway, thanks for the reply guys!
Payne,
Our web developers should be able to tell me whether or not I should base the persistence on cookie, correct? THis persistence will not ensure that the user stays n the same node when they switch from 80 to 443?
When you mentioned, checking "Matching across services", that was in SA persistence right?
Thanks- dennypayne"Match across" is available in source_addr or cookie persistence. The default cookie persistence without the "match across" option enabled will *not* ensure that the user stays on the same node from 80 to 443.
Denny - hoolioI missed that the app was handling the redirects. I thought you were looking to handle the redirects in a rule on the BIG-IP.
Denny's suggestion should work. Though the match across functionality was removed in 9.4, so source address persistence might be the best option.
Aaron - Dbow_21284Yeah, I was on the wrong track to begin with when I ran it by F5 Support. They told me I would require an iRULE to redirect 80 and 443 traffic between VS's even if they are on the same site. ... I probably didnt explain it very clearly though.
Hoolio,
This is what i found too for the persistence. I am running 9.4.2. I only saw this is SA_Affinity. From you guys experience, should this work ok? We use cookie persistence for all our other sites, but all are just simple port 80 sites with one VS.
Your input is really helping me and I appreciate it! - hoolioSource address persistence with match across virtuals and services enabled should work fine for this. If you test, you can check the persistence records by running 'b persist all show all' via the command line or by checking Statistics >> Persistence in the GUI.
Aaron
