Forum Discussion
PacketHead_4009
Nimbostratus
NimbostratusSimple Redirect iRule
Hello,
I need some quick help on how to create a basic redirect iRule. What I am trying to do is redirect any HTTP and HTTPS requests to mysite.web.com to .
The website mysite.web.com has two VIPs on the F5, one to accept HTTP requests and redirect to https://dev.fojo.com and the other to accept HTTPS requests and redirect them to the same site.
The HTTP redirect seems to work fine but the HTTPS VIP does not, it just seems to timeout. Can I accomplish this with one iRule or do I need to create a seperate iRule for HTTP and HTTPS?
It seems simple overall but I can't get HTTPS to HTTPS redirects working right.
Any help or info would be appreciated.
Regards,
James
7 Replies
- The_BhattmanHi James,
does the https VIP have ssl terminated to it?
Bhattman 
PacketHead_4009Hello Bhattman,
How do I tell if the VIP has SSL terminated on it? If there is an SSL profile bound to the VIP?
Thanks,
James- Chris_Miller
Altostratus
If it has an SSL profile (with proper cert) and is also listening on port 443. - PacketHead_4009Chris,
Do you mean that on my port 443 VIP for mysite.web.com that I need to have an SSL profile as well as a cert for mysite.web.com in order to redirect it to any other SSL site? Even though I never plan to host anything on the F5 on port 443 for mysite.web.com?
Thanks,
James - Chris_MillerIf a user tries to hit your VIP over port 443, you either need to send traffic to pool members listening on 443 that have certs, or your VIP needs to have a cert. A user is hitting your VIP with https://mysite.web.com so your VIP has to be setup properly to terminate that before the redirect can even work. Are your pool members for the https VIP listening on 443 or 80?
- PacketHead_4009I think I just picked port 80 pool members; I didn't think I need to have port 443 pool members since I was just doing a basic redirect.
So if I gather this correctly I will either need port 443 pool memebers to terminate the initial SSL request before I can redirect it to another SSL site .... or ... I can have a VIP listening on port 443 with an SSL profile that has the cert for mysite.web.com correct?
In the first scenario do the backend port 443 pool members need to host the mysite.web.com site or can they be any backend servers listening on port 443?
- James - Chris_MillerSince the initial request is coming in over https and is destined for mysite.web.com, you need to terminate it like any other https traffic. You can either do it at the F5 (throw a clientssl profile on the VIP) or create a pool of servers listening on 443 and throw the cert on them. The user has to complete the SSL exchange before they'll continue.
