Forum Discussion
jeebustrain_421
Nimbostratus
Nimbostratusrewrite http hyperlinks as https inside SharePoint
Hi,
This is my first post here, so my apologies if this is something that has been covered ad-nauseum (I couldn't find anything using search). I'll also start out by saying that I am not an F5 expert (I am more on the application side of things), but I am comfortable with scripting and I just don't understand all of the power and capabilities of the iRule. Here's my situation:
We are currently building out a SharePoint environment. In this environment, we are placing each web application (there are 5) behind it's own pool in our F5 LTM (9.4.3). We are also planning on terminating all SSL for the apps on the F5 as well. Also, for our external customers, we are using a pair of MS ISA Server 2007 appliances (behind their own F5 pool as well), which authenticate the users using Forms based auth and redirect them to the appropriate F5 pool for whatever web app they are trying to reach.
I am in the midst of baking out the SSL part of all of this. Now due to budget constraints, we were unfortunately unable to secure an F5 for our lab, so I had to mock up the SSL termination on our lab ISA Server. It works great... actually, too great. I turned on the URL direct feature and it not only redirected all requests to https, it also went the extra step of rewriting all of the referenced hostnames inside the html itself as https. That's pretty cool, but unfortunately since our ISA Server will not be terminating SSL in production (other than being used as an SSL bridge just to authenticate), this will be creating some inconsistencies between our lab and production. If I can't figure out a way to replicate this in production, it's going to make testing a nightmare, as there are all sorts of add-in apps that this might cause issues for.
What I'd like to do is figure out a way to write an irule (if it's possible) to rewrite all of the hyperlinks (and text) of, say http://app1.intranet.com to https://app1.intranet.com.
This seems like something that someone has needed to do before. Does anyone have a good direction for me to follow? Let me know if anymore information is needed.
thanks in advance,
-brian
6 Replies
- The_BhattmanHi Brian,
Sounds like the quickest and simplest way is to apply the STREAM Profile
Check out this article. It explains the stream profile especially how it's used.
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=101
I hope this helps,
CB 
jeebustrain_421this is fantastic. Sweet, I can even use regular expressions. I'll be trying this today and I'll let you know what I find.
One more question though - is it possible to have 2 expressions inside of an iRule? As in, could I stick your standard https redirect iRule at the top and put a stream replacement right below it? Or will I have to combine the logic into a single conditional?- jeebustrain_421nm - I think I figured it out. For what I want, I don't even need to use an iRule at all, I should be able to fix it by just creating a custom Stream Profile.
hoolioCirrostratus
If you enable a stream profile on the virtual server without an iRule, LTM will apply the stream filter to both requests and responses. This includes client POST requests (which you probably don't want to rewrite) as well as binary response content (which probably won't match the find string but can consume a lot of extra LTM resources).
There is an existing Request For Enhancement (RFE) open with F5 Support which requests F5 provide a GUI option for enabling the stream profile on requests and/or responses. It would also be ideal if they allowed you to configure a filter on the Content-Type value as well.
Until the GUI options are improved, you would be much better off using an iRule with STREAM::expression (Click here) to configure the stream profile dynamically per request. There are some fairly detailed examples on how to do this on the wiki page.
That said, you could probably avoid any configuration changes on LTM by properly configuring Sharepoint to use HTTPS references to itself using Alternate Access Mappings. Check this post for some related info:
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3352955976
Aaron
Sly_85819Just FYI.. we have seen issues in our environment even with alternate access mapping configured on Sharepoint. In our case, LTM is doing SSL offload and the server is configured to listen on 80. The sharepoint has access mapping configured which changes http to https. We also have HTTP -> HTTPS redirection set on LTM. Even after having this we have seen requests breaking. One of the example is List view. The response shows "http" url embedded instead of https.- hoolioIf there are issues with the Alternate Access Mapping, you could potentially fix them with an iRule and stream profile, but it would be ideal to investigate the problem with Microsoft Support too.
Aaron
