Forum Discussion
gGnome_32510
Nimbostratus
Jan 13, 2010
Redirection
We are new to F5, tcl, iRules... the works, so I apologize if this is an easy one. I have several SSL sites (F5 is the endpoint) that are secured with *.domain.com certificates, and an iRule that red...
hoolio
Cirrostratus
Jan 14, 2010
Here's a version with logging. Can you reproduce the issue and post anonymized logs from /var/log/ltm for a failure?
    when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port]: [HTTP::method] request\
            to [IP::local_addr] [HTTP::host][HTTP::uri]"

        # Check if the host header has at least three fields (anything.example.com)
        # This would also match an IP address, but that seems like a use case
        # where the client would expect a cert mismatch error when requested via HTTPS
        if {[string match "*.*.*" [HTTP::host]]}{
            log local0. "[IP::client_addr]:[TCP::client_port]: Passed domain check."

            # Assume the client has requested a valid domain (*.example.com)
            # where the domain of the host header is what the SSL cert on the HTTPS VIP is issued for
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        } else {
            log local0. "[IP::client_addr]:[TCP::client_port]: Two domain fields or less"

            # Look up the correct domain for this request
            # using the VIP address in the ip_to_hostname_class datagroup
            set hostname [findclass [IP::local_addr] $::ip_to_hostname_class]
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $hostname from class $::ip_to_hostname_class"

            if {$hostname eq ""}{
                # Should there ever be a VIP IP which doesn't have a corresponding class entry??
                # You could hard code a default redirect here if you want
                HTTP::redirect "https://www.example.com[HTTP::uri]"
                log local0. "[IP::client_addr]:[TCP::client_port]: No hostname parsed. Using default hostname"
            } else {
                # Parse the last two parts of the hostname (returns example.com from www.example.com)
                log local0. "[IP::client_addr]:[TCP::client_port]: Redirecting to https://www.[domain $hostname 2][HTTP::uri]"
                HTTP::redirect "https://www.[domain $hostname 2][HTTP::uri]"
            }
        }
    }
If the user types https://example.com, that VS never runs so the redirect never occurs. I tried adding the same iRule to the https VS for the same site, and it doesn't work there. Can you tell me why?
A request directly to https://example.com cannot work without a cert mismatch error using the existing *.example.com cert. Trying to redirect the HTTPS request won't help, as the cert warning occurs during the SSL handshake before any HTTP headers are sent or received. If this is really a problem, you could add a new DNS A record to point example.com to a different IP than www.example.com, or get a new cert which is valid for *.example.com and example.com.
Aaron
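The following is an added example, not code from the thread or from F5. It models the iRule's "*.*.*" host-header heuristic and redirect choice in Python, then checks each redirect target against a *.example.com certificate using the RFC 6125 wildcard rules, which is the point of Aaron's last reply: a wildcard covers exactly one label, so neither example.com nor a.b.example.com is covered, and the mismatch surfaces in the TLS handshake before any HTTP-layer iRule could run. The VIP addresses, the ip_to_hostname datagroup contents and the certificate names are constructed for illustration.

```python
"""
Added example (not from the original thread): Python model of the iRule's
host-header check and redirect choice, plus RFC 6125 wildcard matching to
show which redirect targets a *.example.com certificate can actually serve.
Hostnames, VIP addresses and datagroup entries below are constructed.
"""
import ipaddress

# Constructed stand-in for the ip_to_hostname_class datagroup:
# VIP address -> canonical hostname served on that VIP.
IP_TO_HOSTNAME = {
    "192.0.2.10": "www.example.com",
    "192.0.2.11": "shop.example.com",
}

# Names the (constructed) wildcard certificate is issued for.
CERT_NAMES = ["*.example.com"]


def passes_three_field_check(host: str) -> bool:
    """Mirror of [string match "*.*.*" [HTTP::host]]: true when the Host
    header has at least two dots. An IP literal such as 192.0.2.10 also
    passes, the gap the iRule comments explicitly accept."""
    return host.count(".") >= 2


def tcl_domain(name: str, count: int) -> str:
    """Mirror of the iRule 'domain' command: the last <count> labels."""
    return ".".join(name.split(".")[-count:])


def choose_redirect(host: str, uri: str, vip_addr: str) -> str:
    """Redirect target the iRule emits for a plain-HTTP request."""
    if passes_three_field_check(host):
        return f"https://{host}{uri}"
    hostname = IP_TO_HOSTNAME.get(vip_addr, "")
    if hostname == "":
        return f"https://www.example.com{uri}"  # the hard-coded default
    return f"https://www.{tcl_domain(hostname, 2)}{uri}"


def cert_name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 matching of one dNSName against a requested host:
    case-insensitive, a lone '*' may only replace the entire leftmost
    label and matches exactly one label, and an IP literal never matches
    a DNS name (that would need an iPAddress SAN)."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # *.example.com covers neither example.com nor a.b.example.com
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False  # refuse "*" and "*.com"
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False  # partial wildcards such as w*.example.com are not accepted here
    return cert_labels == host_labels


def redirect_is_servable(host: str, uri: str, vip_addr: str) -> tuple[str, bool]:
    """Target the iRule redirects to, and whether the HTTPS VIP's wildcard
    cert covers that target's hostname. False means the browser warns during
    the handshake, so no iRule on the HTTPS virtual server can intervene."""
    target = choose_redirect(host, uri, vip_addr)
    target_host = target[len("https://"):].split("/", 1)[0]
    return target, any(cert_name_matches(n, target_host) for n in CERT_NAMES)


if __name__ == "__main__":
    for req_host, vip in [("www.example.com", "192.0.2.10"),
                          ("example.com", "192.0.2.10"),
                          ("example.com", "192.0.2.99"),
                          ("192.0.2.10", "192.0.2.10"),
                          ("a.b.example.com", "192.0.2.10")]:
        target, ok = redirect_is_servable(req_host, "/index.html", vip)
        print(f"Host: {req_host:18} -> {target:40} cert ok: {ok}")
    # A client typing https://example.com never gets redirected at all:
    print("direct https://example.com covered:",
          cert_name_matches("*.example.com", "example.com"))
```

The two cases the heuristic lets through but the certificate cannot serve are an IP literal in the Host header and a hostname with more than three labels; both redirect to an HTTPS URL whose handshake will fail name validation, which is why the fix has to be a certificate that also lists example.com (or a separate A record), not another iRule.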