For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

pekl_152973's avatar
pekl_152973
Icon for Nimbostratus rankNimbostratus
May 22, 2014

rewrite http to https and replace external/internal hostname?

Hi,

 

We trying to rewrite and replace http headers with irules in F5. The scenario is that we have several external hostname that should be rewritten to one and the same internal hostname and the application also do redirect from http://hostname:8080....(jboss) to https://hostname:19443....(openam) example: msv1-c1 -> msv1, msv1-c2 -> msv1, msv1-c3 -> msv1

 

We have two irules that worked before when the application used http for both port 8080 and 19443, but now our application has changed the openam port 19443 to use https! And the irules we have is for each external hostname-c1, hostname-c2...etc

 

Irule for openam(port 19443):

when HTTP_REQUEST { HTTP::uri [string map {"msv1-c2" "msv1"} [HTTP::uri] ] log local0. "http uri: [HTTP::uri]" HTTP::header replace Host [string map { "msv1-c2" "msv1" } [HTTP::header Host]] HTTP::header replace Host [string map -nocase [list msv1-c2 msv1] [HTTP::header Host]]

 

}

 

when HTTP_RESPONSE { HTTP::header replace Location [string map -nocase [list msv1 msv1-c2] [HTTP::header Location]] }

 

Irule for jboss(port 8080):

when HTTP_REQUEST { log local0. "http host: [HTTP::host]" if { [HTTP::host] eq "msv1-c2.ete.ka.sw.ericsson.se:8080" } { log local0. "will replace host header in req" HTTP::header replace Host "msv1.ete.ka.sw.ericsson.se:8080" } }

 

when HTTP_RESPONSE { set begin_header "https://msv" log local0. "response" if { [HTTP::is_redirect] } { log local0. "Redirect" set orig_header [HTTP::header value Location] log local0. "Original Location: [HTTP::header value Location]" switch -glob [string tolower [HTTP::header value Location]] { log local0. "Original Location header value: [HTTP::header value Location], updated: [string map -nocase [list msv1 msv1-c2] [HTTP::header value Location]]" HTTP::header replace Location [string map -nocase [list msv1 msv1-c2] [HTTP::header value Location]] HTTP::header replace Location $replace_header log local0. "Rewritten Location: $replace_header" } }

 

Do You have an example of irules that both could be general for all external hostnames and also redirect the http/https that could work for us? We have tried some of the example that is described in DevCentral!

Thanks BR Per

 

application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
LTM
security
virtualization

2 Replies

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    May 22, 2014

    You need to terminate SSL on F5 for your iRules to examine the HTTP traffic on SSL virtual servers (create/assign clientssl profile with correct certificates/keys)