Forum Discussion
gGnome_32510
Nimbostratus
Jan 13, 2010
Redirection
We are new to F5, tcl, iRules... the works, so I apologize if this is an easy one. I have several SSL sites (F5 is the endpoint) that are secured with *.domain.com certificates, and an iRule that redirects http requests to https. I now have marketing complaining because a certificate error is generated whenever someone leaves out the hostname (as in http://domain.com). I need to create an iRule that will catch this scenario and cause the browser to reissue the request as http://site.domain.com. I would appreciate any help.
- hoolio
Cirrostratus
How about this?

```tcl
when HTTP_REQUEST {
    # Check the requested host header
    switch -glob [string tolower [HTTP::host]] {
        "*.example.com" {
            # Redirect *.example.com to the same host and URI via HTTPS
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
        default {
            # Redirect all else to www.example.com host and original URI via HTTPS
            HTTP::redirect "https://www.example.com[HTTP::uri]"
        }
    }
}
```
- gGnome_32510
Nimbostratus
Hi Aaron. Thanks for the quick reply. In my SSL certificates, the asterisk is a wildcard (i.e. any host in the domain). Unless I am misunderstanding your post, you are treating the "*" as a literal. I need to catch the case where the hostname is null, and force the browser to request a valid hostname (maybe a 301 redirect?). Am I misunderstanding your iRule?
- hoolio
Cirrostratus
With the -glob flag, the switch command performs a wildcard match in the same manner as 'string match *.example.com $string'. So *.example.com would match any number (including 0) of characters followed by the literal string .example.com. The default case would handle any other value for the HTTP host header (including no host header value).
- gGnome_32510
Nimbostratus
Thank you for clarifying that. Now I am receiving an Invalid number of Arguments error for the second redirect. Any thoughts??
- hoolio
Cirrostratus
Sorry, I'd left out the closing double quote on the second redirect when I first replied. I fixed it shortly afterward. Can you make sure you have a closing " on this line:
- gGnome_32510
Nimbostratus
I'm still getting the invalid Args error. I do notice that there appears to be a mismatch in the number of braces... could that be the issue?
- hoolio
Cirrostratus
Ah... there was also a missing open curly brace after the word 'default'. I edited it again. Can you give it another try?
- gGnome_32510
Nimbostratus
OK... it took that one. I will have to build a test case around it to prove it works as desired (though I have faith that it will). If it's not too much to ask, I would like to push this one step further. I have around 10 of these sites. I could install 10 different iterations of this iRule and attach one to each virtual server, but I'm betting there's a far more elegant way to accomplish this. Can we easily replace *.example.com with a list??
- hoolio
Cirrostratus
That might be possible. Is there a way to logically determine how to correlate the VIP name or IP address:port to a hostname (i.e. 1.1.1.1 = example1.com, 1.1.1.3 = example2.com, etc.)? Or would you be able to create a datagroup to map this?
- gGnome_32510
Nimbostratus
Our BigIP is sitting in the dmz, so until now I was using one iRule to route the traffic based on the target IP coming from the firewall, and a second iRule to redirect the http requests to https:
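Added example, not part of the thread or any poster's code: plain Tcl (runnable in tclsh, outside BIG-IP) that applies the `string match` glob described above to a list of domains and shows where the glob is broader than a `*.domain` certificate, which covers exactly one label and never the bare domain. The domain list, the `www` default label, the first-domain fallback and the proc name `redirect_target` are assumptions.

```tcl
# Added example: plain Tcl for tclsh, not an iRule from the thread.
# Constructed domain list; "www" as the default host label is an assumption.
set domains {example.com example.org}

# Return the HTTPS redirect target for a Host header value and URI.
proc redirect_target {host uri domains} {
    # Lower-case and drop any :port so "WWW.Example.com:80" still matches.
    set host [string tolower [lindex [split $host :] 0]]
    foreach d $domains {
        if {$host eq $d} {
            # Bare domain: a *.domain certificate does not cover it.
            return "https://www.$d$uri"
        }
        if {[string match "*.$d" $host]} {
            # Text to the left of ".domain"
            set label [string range $host 0 end-[string length ".$d"]]
            if {$label ne "" && [string first . $label] < 0} {
                # Exactly one label: covered by the wildcard certificate.
                return "https://$host$uri"
            }
            # Empty or multi-label prefix: the glob matched, the certificate would not.
            return "https://www.$d$uri"
        }
    }
    # Unknown or missing Host (assumption): fall back to the first listed domain.
    return "https://www.[lindex $domains 0]$uri"
}

# Constructed Host header values; "glob" is the thread's *.example.com match.
foreach h {www.example.com example.com WWW.Example.com:80 a.b.example.org
           .example.com other.test {}} {
    puts [format "%-24s glob=%d -> %s" "\[$h\]" \
        [string match "*.example.com" [string tolower $h]] \
        [redirect_target $h /login $domains]]
}
```

Because the target host is only echoed back after it matches a listed domain, the redirect never points at a host the caller chose freely.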