Redirection

Do you want them combined?

 

 

Bhattman

Okay, so if you had a datagroup (class) which maps the VIP address to a hostname:

   
   class ip_to_hosthame {   
      "1.1.1.1 host.example.com"   
      "1.1.1.2 host.another.com"   
      "1.1.1.3 host.yetanother.com"   
   }   
   

...would you want to check the requested host name to see if it ends with the domain from the class? If so, redirect to https://[HTTP::host][HTTP::uri]. If not, then redirect to https://www.$hostname_from_class[HTTP::uri] where the virtual server address is used to get the host name from the class?

Aaron

Hi Bhattman,

 

Combining the rules is not one of my goals, and currently I believe the iRule that hoolio posted above will replace iRule_2. In my mind it is easier to keep them separate since they perform different functions (I use iRule_2 on a few sites that are not included in iRule_1). That said, I am not opposed to combining the rules if there is a reason to do so.

@Aaron,

 

Maybe... [so sayeth the n00b]. Would that replace both of the existing iRules, or would that just be a supplement to the one we have been working on?

I'm a bit confused by iRule_1? What VIP is it enabled on? It looks like you're checking the source IP (IP::remote_addr) and redirecting to a new host based on the source IP. Are the dummy 1.1.1.x IP's in iRule_1 the LTM VIP addresses? If so, how can they be the source address on a request to a second VIP?

 

 

Aaron

You are correct. They are not the VIPs, they are the live IP's coming into the DMZ via rules in the firewall. At that point I am not sure whether the URL from the original request is even available. That rule was put in place as part of the implementation (i.e. longer than I have been involved with the F5) so I can't say for certain, but I have always assumed that the ip to site URL mapping in that rule was necessary in order to use the F5 as the SSL endpoint.

Well, here are two options assuming I understand the scenario. You should only need to use one of these rules to replace your existing iRule_2.

 

 

This also assumes you've mapped each virtual server address to a host name in a datagroup named ip_to_hostname_class:

 

 

  
  class ip_to_hostname_class {  
     "1.1.1.1 host.example.com"  
     "1.1.1.2 host.another.com"  
     "1.1.1.3 host.yetanother.com"  
  }  
  

 

 

 

This example assumes that any host name which resolves to the VIP address has a domain which matches the SSL cert's domain on the corresponding HTTPS VIP.

 

 

  
  when HTTP_REQUEST {  
    
      Check if the host header has at least three fields (anything.example.com)  
      This would also match an IP address, but that seems like a use case  
      where the client would expect a cert mismatch error when requested via HTTPS  
     if {[string match "*.*.*" [HTTP::host]]}{  
    
         Assume the client has requested a valid domain (*.example.com)  
         where the domain of the host header is what the SSL cert on the HTTPS VIP is issued for  
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"  
    
     } else {  
    
         Look up the correct domain for this request  
         using the VIP address in the ip_to_hostname_class datagroup  
        set hostname [findclass [IP::local_addr] $::ip_to_hostname_class]  
        if {$hostname eq ""}{  
            Should there ever be a VIP IP which doesn't have a corresponding class entry??  
    You could hard code a default redirect here if you want  
           HTTP::redirect "https://www.example.com[HTTP::uri]"  
        } else {  
            Parse the last two parts of the hostname (returns example.com from www.example.com  
           HTTP::redirect "https://www.[domain $hostname 2][HTTP::uri]"  
        }  
     }  
  }  
  

 

 

This example is less efficient in that the VIP's host name is looked up in the class on every TCP connection. The domain of the VIP's host name is checked against the requested host header. If they don't match, then the request is redirected to www.example.com where example.com is the domain of the VIP's host name.

 

 

  
  when CLIENT_ACCEPTED {  
    
      Look up the VIP address in the ip_to_hostname_class datagroup  
      Use this event to avoid the lookup for every HTTP request  
     set hostname [findclass [IP::local_addr] $::ip_to_hostname_class]  
     if {$hostname eq ""}{  
         Should there ever be a VIP IP which doesn't have a corresponding class entry??  
         If this does happen, you can hard code a default domain to use in the redirect  
        set hostname "example.com"  
     }  
  }  
  when HTTP_REQUEST {  
    
      Check the requested host header  
     switch -glob [string tolower [HTTP::host]] {  
        "*.$hostname" {  
            Redirect *.example.com to the same host and URI via HTTPS  
           HTTP::redirect "https://[HTTP::host][HTTP::uri]"  
        }  
        default {  
            Redirect all else to www.example.com host and original URI via HTTPS where   
            example.com is the last two parts of the hostname (example.com from www.example.com)  
           HTTP::redirect "https://www.[domain $hostname 2][HTTP::uri]"  
        }  
     }  
  }  
  

 

 

If the logic or implementation for either of these is wrong, let me know. If the logic looks right, but the iRule doesn't work, can you add logging to the rule and reply with the logs/description of what actually happens and what you want to happen?

 

 

Thanks,

 

Aaron

Wow... I really appreciate all the effort. Let me play with these a bit and I will post in the morning. BTW: I tested out the rule from earlier today... works like a champ. You rock!!

 

 

Just to clarify: the addresses in the ip_to_hostname_class represent the ip of the target virtual server... NOT the external IP in the headers from the firewall... correct??

The IP addresses in the class need to be the actual LTM virtual server IP addresses that the rule would be used on.

 

 

Aaron

Aaron,

 

Sorry it has taken me so long to get back to this... putting out fires all day. As time permits I have been working with the first of your rules, and it appears that the initial case

if {[domain [HTTP::host] 3] ne ""}

 

works as planned, but I can't seem to get the else condition to execute properly. I tried adding some inline log statements to help with troubleshooting, but they didn't execute either (I probably didn't code the statements correctly).

 

 

I also have another semi-related question with regard to your original iRule at the top of this thread. When I use it on the VS that listens for http (port 80), it works properly. If the user types https://example.com, that VS never runs so the redirect never occurs. I tried adding the same iRule to the https VS for the same site, and it doesn't work there. Can you tell me why?