Jan_T_104445
Nimbostratus
Aug 06, 2007
Rewriting HTTP redirection with HTTPS->HTTPS (SSL-to-Server feature) does not func.
Topic was wrongly opened in the "iRules - v9.x" forum.
The answers so far:
08/01/2007 7:40 PM by ellmau:
Dear Developers and Dear Community,
I've read many topics in the forum concerning the "rewrite HTTP redirection" feature - always reflecting the "HTTP redirect to HTTPS" case.
None is saying anything about the "HTTPS redirect to HTTPS" case.
I have redirection problems within our WebSphere application servers, 'cause they are always using the appserver port and never the origin Big-IP SSL proxy port, when sending out redirects.
I know that in other environments/setups, e.g. if using IBM HTTP Server with WebSphere plugin in front instead of F5 to achieve lookalike functionality as Big-IP load-balancing, session stickiness, etc., they have some variables that can influence the appserver's behavior:
E.g. WebSphere plugin ->
AppServerPortPreference
Specifies which port number the Application Server should
use to build URIs for a sendRedirect.
This field also specifies where to retrieve the value for
HttpServletRequest.getServerPort().
The following values can be specified:
"hostHeader" if the port number from the host header of the
HTTP request coming in is to be used.
"webserverPort" if the port number on which the Web server
received the request is to be used.
So, my question is, how can I do this with Big-IP?
In my setup the following, which is a webapp request for form-based authentication (j_security_check is doing a sendRedirect() call), has to be solved:
Request/Response Flow:
1.) Client requests https://a.b.c/login.html -> Big-IP SSL Proxy -> webapp_https Pool (SSL-to-Server feature) -> sends to https://a.b.c:9443/login.html
2.) Appserver receives the request + does a "sendredirect()" which leads to a "302" with HTTP LOCATION Header https://a.b.c:9443 which is unfortunately sent out to the client.
Any ideas or thoughts are very welcome.
Thanks.
Jan
hoolio
Posts:750
08/03/2007 3:26 PM
Can you try enabling rewrite redirects on the HTTP profile? Try searching for 'rewrite redirect' on AskF5 for more information on this feature.
Aaron
ellmau
Posts:2
08/06/2007 12:56 PM
Thanks for the information.
But we already tried the "Rewriting HTTP redirect" option for the SSL proxy configuration (Big-IP Vers. 4.6.2).
Unfortunately we had no luck getting it to work.
Maybe it has something to do with ->, that the SSL proxy is not able to do the "rewrite redirect" for SSL (HTTPS) delivered responses. We tried it in many ways, but the "LOCATION" header has always been delivered to the client with the WebSphere Appserver port information and the port was not "stripped out" as it should with the "rewriting HTTP redirect" option enabled.
The documentation, concerning the "Rewriting HTTP redirection", is only talking about redirects for:
1.) Incoming HTTPS traffic which flows to appserver as HTTP, and resulting HTTP response would be redirect as HTTPS to the client.
Question:
Can the same work for HTTPS <-> HTTPS - only stripping out the port information inserted by the appserver (..or could it not work by design)?
Can somebody give an example of a working example configuration (Steps for SSL-Proxy, virt. Server/IP, HTTPS Pool)?
Any thoughts are very welcome :-)
Best regards,
Jan
hoolio
Posts:750
08/06/2007 1:09 PM
Can you confirm which version of BIG-IP you are running? If 4.x, you should post in the 4.x iRules forum (Click here).
Aaron
Sorry, you are right. We are running BIG-IP Vers. 4.5.x., so I reopened the subject in this forum.
Do you think it's possible to do the HTTPS <-> HTTPS rewrite redirection with stripping out the appserver port from LOCATION header with that version?
Or do we have to wait for iRules - Vers. 9.x to e.g. replace the LOCATION header from the appserver response accordingly?
Best regards,
Jan
- dennypayne
Employee
Unfortunately BIG-IP 4.x iRules do not have the ability to do anything with the server response, they can only manipulate incoming requests. And as you surmised Rewrite Redirects only looks for http to rewrite to https.
redirect to "https://%h/%u/"
redirect to "https://a.b.c/%u/"
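
The Location rewrite asked about in this thread, sketched as an added Python example that is not part of any post above and is not BIG-IP configuration: a response-side proxy step that strips the appserver port from an HTTPS redirect only when the redirect points back at the host the client used. The function names and the default client port 443 are assumptions; `a.b.c` and port 9443 come from the thread.

```python
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def rewrite_location(location, client_host, backend_port=9443, client_port=443):
    """Replace the backend port in an absolute HTTPS redirect to client_host.

    Anything that is not exactly 'https://<client_host>:<backend_port>/...'
    is returned unchanged, so redirects to other hosts are never touched.
    """
    parts = urlsplit(location)
    if not parts.netloc:                      # relative redirect: no port to fix
        return location
    if parts.scheme.lower() != "https":       # only the HTTPS -> HTTPS case
        return location
    if parts.username is not None or parts.password is not None:
        return location                       # userinfo present: do not guess
    try:
        port = parts.port                     # raises ValueError on a bad port
    except ValueError:
        return location
    host = (parts.hostname or "").lower()
    if host != client_host.lower() or port != backend_port:
        return location
    netloc = client_host if client_port == 443 else f"{client_host}:{client_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def rewrite_response(status, headers, client_host):
    """Apply rewrite_location to the Location header of redirect responses."""
    if status not in REDIRECT_STATUSES:
        return dict(headers)
    return {
        name: rewrite_location(value, client_host)
        if name.lower() == "location" else value
        for name, value in headers.items()
    }

if __name__ == "__main__":
    # Constructed sample: the 302 from step 2 of the flow in the first post.
    sample = {"Location": "https://a.b.c:9443/login.html", "Content-Length": "0"}
    print(rewrite_response(302, sample, "a.b.c"))
```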