Forum Discussion
Vishal_96707
Nimbostratus
Feb 19, 2008
Selective HTTPS redirection
I have the following requirement: the servers in the pool should talk to the virtual server using HTTP only, while all other users should be redirected to HTTPS.
The requirement for servers talking to the VS was fulfilled using the following iRule:

when CLIENT_ACCEPTED {
    # checks to see if client_addr = any in the class
    # fmw_nodes class has servers in the pool
    if { [matchclass [IP::client_addr] equals $::fmw_nodes] } {
        snat 192.168.253.250
    } else {
        pool fwm-uat.bmc.com
    }
}

The HTTP -> HTTPS redirection is configured using the following iRule:

when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
}

How does iRule evaluation take place when you have more than one iRule?
I would appreciate any help in this regard. I am new to BIG-IP LTM.
Thanks in advance
23 Replies
- Nicolas_Menant
Employee
You need a space between matchclass and [IP::client_addr]
- Vishal_96707
Nimbostratus
Thanks. I fixed it. Now I am getting the webpage; however, it is not getting redirected to HTTPS on my machine. My machine's IP is different than what is mentioned in "fmw_nodes". I am seeing my machine's IP in the log.
- Nicolas_Menant
Employee
Hmm,
Can you do the following?

when HTTP_REQUEST {
    log local0. "Client IP is: [IP::client_addr]"
    if { [matchclass [IP::client_addr] equals $::fmw_nodes] } {
        log local0. "SNAT activated ..."
        snat 192.168.253.250
    } else {
        log local0. "Redirecting ..."
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
}

And please show us the log created this way.
It's in /var/log/ltm
- Vishal_96707
Nimbostratus
The redirection is working; however, the server IP shown in the logs is the SNAT IP. My machine's IP is different: 137.72.226.151
Mar 3 12:07:45 tmm tmm[1089]: Rule fmw-test2 : Redirecting ...
Mar 3 12:07:51 tmm tmm[1089]: Rule fmw-test2 : Client IP is: 192.168.253.250
Mar 3 12:07:51 tmm tmm[1089]: Rule fmw-test2 : Redirecting ...
Mar 3 12:07:55 tmm tmm[1089]: Rule fmw-test2 : Client IP is: 192.168.253.250
Mar 3 12:07:55 tmm tmm[1089]: Rule fmw-test2 : Redirecting ...
Mar 3 12:08:01 tmm tmm[1089]: Rule fmw-test2 : Client IP is: 192.168.253.250
Mar 3 12:08:01 tmm tmm[1089]: Rule fmw-test2 : Redirecting ...
Mar 3 12:08:05 tmm tmm[1089]: Rule fmw-test2 : Client IP is: 192.168.253.250
Mar 3 12:08:05 tmm tmm[1089]: Rule fmw-test2 : Redirecting ...
- Vishal_96707
Nimbostratus
Please note that I want to SNAT the "fmw_nodes" and make sure that these nodes don't redirect to HTTPS. All other requests should redirect from http -> https.
Q. When the fmw_nodes condition matches in the first part, then it doesn't fall through to the "else" part, right?
- Nicolas_Menant
Employee
Yes, you're right about your question.
In your iRule, use [IP::remote_addr] instead of [IP::client_addr]
- Vishal_96707
Nimbostratus
Sorry, I didn't get it. Where do you want me to use remote_addr? In the "if" condition?
- Nicolas_Menant
Employee
Yes, replace [IP::client_addr] by [IP::remote_addr] everywhere
- Vishal_96707
Nimbostratus
I have tried with remote_addr... Please find the logs below. It looks like the remote addr given is the IP address of the pool servers. I am trying from a machine whose IP is different from "fmw_nodes"... Why is the "if" condition, i.e. SNAT, taking place? My web browser is taking me to the https page. Is that something we can change in the iRule?
Mar 4 07:45:08 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.110
Mar 4 07:45:08 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:11 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.111
Mar 4 07:45:11 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:18 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.110
Mar 4 07:45:18 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:21 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.111
Mar 4 07:45:21 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:28 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.110
Mar 4 07:45:28 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:31 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.111
Mar 4 07:45:31 tmm tmm[1089]: Rule fmw-test3 : SNAT activated ...
Mar 4 07:45:38 tmm tmm[1089]: Rule fmw-test3 : Client IP is: 192.168.253.110
Mar 4 07:45:38 tmm tmm[1089]: Rule fmw-test3 : SNAT activated
- Nicolas_Menant
Employee
That's really strange; it should be a client-side context and then give you the IP address of the client ...
To force the BIGIP to give you the client IP address, you can use this then:
[clientside {IP::remote_addr}] instead of [IP::remote_addr].
But if 192.168.253.110 is not in your class and it activates SNAT, it's weird Oo
If I have some time I'll check it in my lab.
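
A way to check the /var/log/ltm output of the logging iRule discussed in this thread (an added example, not part of the original posts): it pairs each "Client IP is" line with the action logged next and reports sources whose action differs from what the class membership predicts. The log lines, the rule name `demo-rule` and the exempt range are constructed, and the script assumes each pair is logged back to back for a given rule.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the messages written by the logging iRule shown in the thread.
LINE = re.compile(r"Rule (?P<rule>\S+) : (?P<msg>.*)$")
ACTIONS = {"SNAT activated": "snat", "Redirecting": "redirect"}

# Constructed sample in the thread's log format (documentation addresses).
EXEMPT_NETS = ["192.0.2.0/28"]  # assumed stand-in for the fmw_nodes class
P = "Mar 3 12:00:0{} tmm tmm[1089]: Rule demo-rule : {}"
SAMPLE = [
    P.format(0, "Redirecting ..."),             # action with no IP line before it
    P.format(1, "Client IP is: 192.0.2.10"),
    P.format(1, "SNAT activated ..."),          # exempt node, SNAT: expected
    P.format(2, "Client IP is: 192.0.2.10"),
    P.format(2, "Redirecting ..."),             # exempt node redirected: flag
    P.format(3, "Client IP is: 198.51.100.7"),
    P.format(3, "Redirecting ..."),             # ordinary client: expected
    P.format(4, "Client IP is: 198.51.100.7"),
    P.format(4, "SNAT activated"),              # ordinary client SNATed: flag
]

def audit(lines, exempt_nets):
    """Return (rule, ip, action, expected) for every unexpected action."""
    nets = [ip_network(n) for n in exempt_nets]
    pending = {}   # rule name -> client IP from the most recent "Client IP" line
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        rule, msg = m["rule"], m["msg"].strip()
        if msg.startswith("Client IP is:"):
            pending[rule] = msg.split(":", 1)[1].strip()
            continue
        action = next((a for k, a in ACTIONS.items() if msg.startswith(k)), None)
        if action is None:
            continue
        ip = pending.pop(rule, None)
        if ip is None:  # cannot attribute this action to a source address
            findings.append((rule, None, action, "unknown"))
            continue
        expected = "snat" if any(ip_address(ip) in n for n in nets) else "redirect"
        if action != expected:
            findings.append((rule, ip, action, expected))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXEMPT_NETS):
        print(finding)
```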