Forum Discussion
kfriend_50715
Nimbostratus
Apr 13, 2012
SSL offload on Apache/Tomcat persistence and append issues
Hello all.
I'm not much of an ace when it comes to the F5 LTMs. I'm running version 10.something and I've been trying to get an application called "UNANET" (online time cards) functioning behind the load balancer.
I followed the Tomcat/Apache deployment manuals and it's a pretty straightforward setup. I have two virtual servers, one is an http that redirects to the https. I have an append rule that adds the complete path to the base url. (i.e. myserver - append /somedir/login)
My initial setup, which I believe had COOKIE as persistence, resulted in the login appearing not to work. If you typed the correct password, the application would just clear out the username and password fields but it would not display an error. Oddly, we discovered if you typed in the right FOLLOWED BY THE WRONG password suddenly the menu options for the application became available. I continued to toy around with different persistence options and I was unable to fix this.
I believe I changed the persistence option to universal and at that point upon logging in, the URL would change as if it were trying to authenticate the user; however, the page would not load. If you clicked BACK and hit refresh, again the menu options would appear for the application.
My best guess here is that my append rule is not playing well with the paths of this application. I'm not sure if I need a more complex append irule to direct the client depending on the situation. Actually I'm pretty lost.
Any insight you can provide would be greatly appreciated.
Thanks.
Ken
23 Replies
- kfriend_50715
Nimbostratus
Nitass! Genius!! but I don't know how to fix this problem.
I notice in the httpFox that when I click submit for authentication that I get a 302 / redirect to httP://myserver-nlb/unanet/action/login/validate instead of https.
The same thing is happening when I try to bring up the time sheet. It should be going through https but on those two actions it's going
302
redirect to HTTP://myserver-nlb/blah blah blah
Any guesses?
- nitass
Employee
can you try to set "Redirect Rewrite" to "All" in http profile?
- kfriend_50715
Nimbostratus
I'm not sure if this is noteworthy but in my local traffic logs I'm seeing:
Packet rejected remote ME port 57551 local MYSERVER port 80 proto TCP: Destination VIP disabled.
- nitass
Employee
this is an explanation.
sol8009: Change in Behavior: The bigpipe db TM.ContinueMatching variable is now set to false
http://support.f5.com/kb/en-us/solutions/public/8000/000/sol8009.html
anyway, should all traffic be sent to https virtual? or should it be authentication traffic only?
in case there are http and https virtuals and you want to persist to same pool member. match across option may be needed.
sol5837: Match Across options for session persistence
http://support.f5.com/kb/en-us/solutions/public/5000/800/sol5837.html
- kfriend_50715
Nimbostratus
Forgive me, like I said I'm not an ace with this stuff.
The plan is to https to the LTM and LTM http to apache/tomcat server, so basically SSL offload. ALL traffic to LTM virtual server should be HTTPS.
There is currently only one member in the pool. I did stumble upon the TM.continuematching variable thing, but I wasn't sure if it was applicable. I'll take a look at sol5837. I'm still confused why it appears that arbitrary links are going to HTTP instead of HTTPS.
- nitass
Employee
please let us know if setting "Redirect Rewrite" to "All" in http profile does not help.
- kfriend_50715
Nimbostratus
Nitass,
Are you referring to the http virtual server irule to redirect http requests to https?
when HTTP_REQUEST {
    set host [HTTP::host]
    HTTP::respond 302 Location "https://$host/"
}
if so, how should this be modified?
Of note: I had the HTTP virtual server disabled, I enabled it and the site is responding closer to how it should. The only hang-up is that now the timecards do not display at all. The request is made, but it's almost like the JS is being suppressed.
- nitass
Employee
"Are you referring to the http virtual server irule to redirect http requests to https?"
no, i think you may have assigned http profile to https virtual server. so, i am wondering what happens if we set "Redirect Rewrite" setting in the http profile to "All".
- kfriend_50715
Nimbostratus
you are the man.
Once I figured out what you were referring to--
I went into the HTTP virtual server and set the generic TOMCAT-APP-OPT profile to redirect all. I bound this HTTP profile to the HTTP virtual server and re-instated the http_to_https irule.
I went into the HTTPS virtual server and set the HTTP profile to NONE...and my preliminary tests show that it's working correctly.
I really appreciate the assistance on this. I'm going to play with it some more to make sure it's good. This thing has been a thorn because of my ignorance.
- kfriend_50715
Nimbostratus
One minor thing that would be extremely helpful to me here...if I could trouble you one last time on this matter.
I get a cert error if clients don't use a FQDN, which I handled on the http_to_https rule pretty easily, but I'm a gimp and I need to add it to my append rule also. (myserver.mydomain.com) How could I do this?
when HTTP_REQUEST {
    if { [HTTP::path] equals "/" } {
        HTTP::redirect "/unanet"
    }
}
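A check for the symptom discussed in this thread (a 302 answered on the HTTPS virtual server whose Location points back at http://), as an added example that is not part of the original posts: it scans a capture of request URL, status and Location header, as a tool like HttpFox would show them, and flags every redirect that drops from HTTPS to HTTP. The capture entries are constructed (only the /unanet/action/login/validate path comes from the thread) and the function names are assumptions for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample capture: (request URL, status, Location header or None).
CAPTURE = [
    ("https://myserver-nlb/unanet/action/login", 302,
     "http://myserver-nlb/unanet/action/login/validate"),
    ("https://myserver-nlb/unanet/action/logout", 302, "/unanet/action/login"),
    ("https://myserver-nlb/unanet/action/home", 200, None),
    ("http://myserver-nlb/", 302, "https://myserver-nlb/"),
]


def find_downgrades(capture):
    """Return (request_url, absolute_location) for each HTTPS -> HTTP redirect."""
    findings = []
    for url, status, location in capture:
        if status not in REDIRECT_CODES or not location:
            continue
        # A relative Location inherits the scheme and host of the request.
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append((url, target))
    return findings


def https_equivalent(location):
    """The Location the client should have received: same URL, https scheme."""
    parts = urlsplit(location)  # urlsplit lower-cases the scheme (httP -> http)
    if parts.scheme != "http":
        return location
    # Drop an explicit :80 so the result does not aim TLS at the clear-text port.
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for url, target in find_downgrades(CAPTURE):
        print(f"DOWNGRADE {url} -> {target} (expected {https_equivalent(target)})")
```

An empty result from `find_downgrades` over a full login and timesheet session is the sign that no response is sending the browser, and its session cookie, back to clear-text HTTP.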
