For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_DiPietro_'s avatar
Chris_DiPietro_
Icon for Nimbostratus rankNimbostratus
Mar 08, 2012

redirecting urls to add www to the host if it does not exists

I have two VSs one responds to port 80 but redirects to https and one responds to HTTPS, but I want to make sure anyone trying to get to sample.com gets redirected to www.sample.com so the SSL cert matches correctly

 

 

I wrote the following iRules based on what I have found in other posts and I just want to make sure these are correct

 

 

For the port 80 VS

 

 

when HTTP_REQUEST {

 

if {[string tolower [HTTP::host]] starts_with "www"} {

 

HTTP::respond 301 Location ""

 

} else {

 

HTTP::respond 301 Location "":" 1][HTTP::uri]"

 

}

 

}

 

 

 

 

 

for the port 443 VS

 

 

when HTTP_REQUEST {

 

if { not ([string tolower [HTTP::host]] starts_with "www") } {

 

HTTP::respond 301 Location "":" 1][HTTP::uri]"

 

}

 

}

 

 

 

If this is wrong or there is a cleaner/better way to do this please let me know

 

Thanks

 

 

application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 08, 2012
    If your cert is only valid for www.sample.com, why not redirect all HTTP requests to https://www.sample.com? 

    
when HTTP_REQUEST {
   HTTP::redirect "https://www.sample.com[HTTP::uri]"
}

    Also, it's too late to bother with the HTTP hostname on the HTTPS VS as the client would have already gotten a mismatched cert warning by the time the HTTP traffic was parsed. It would be simplest to get a cert which is valid for www.sample.com and sample.com.

    Else, if you have two separate certs for www.sample.com and sample.com you could use the new TLS SNI support in LTM to send the correct cert based on the server name indication in the SSL handshake. Note that some older browser don't support this though:

    http://en.wikipedia.org/wiki/Server_Name_Indication

    Aaron
  • Chris_DiPietro_'s avatar
    Chris_DiPietro_
    Icon for Nimbostratus rankNimbostratus
    Mar 08, 2012
    The only reason I didn't just redirect all requests to the actual domain was a case where a developer had typed in the IP address and was trying to test it directly so that it would preserve the IP when it redirected.

     

     

    TLS SNI looks very interesting, but I think i will just deal with the occurrence of someone typeing in https and leaving off the www

     

     

     

    Is there any way to use the GTM that is responding to the DNS to redirect any simple.com to www.simple.com? Right now I plan to just cname it , but that leaves me with an HTTPS VS that will get a cert error if it reaches there without the www.

     

     

     

    I know google does this somehow if you go to https//:google.com it redirects to https://www.google.com, however I noticed amazon does not do that.

     

     

     

     

    Thank you very much for your reply.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 09, 2012
    If you want to avoid redirecting IP addresses with www. prepended, you could use something like this: 

    
when HTTP_REQUEST {
 Check if Host header starts with a digit (is an IP address)
if {[string match {[0-9]*]} [HTTP::host]}{
HTTP::redirect "https://[HTTP::host][HTTP::uri]"
} else {
HTTP::redirect "https://www.sample.com[HTTP::uri]"
}
}

    Aaron