ssl redirect not working

dupe

What response does the client get when you test the rule with a request to https://oursite.com? I'd expect a cert mismatch error because the cert is for www.oursite.com.

 

 

In order to avoid a cert mismatch error, you would need a cert which is valid for oursite.com and www.oursite.com. In your original version, you didn't specify the protocol of https:// in the redirect. Browsers would interpret a redirect location of www.oursite.com (without the protocol) as a local URI which it would append to the previously requested protocol, domain and path (https://oursite.com/www.oursite.com).

 

 

With the current rule, you could remove the check of the URI and just redirect to "https://www.oursite.com[HTTP::uri]". For a requested URI of / the redirect will still be valid.

 

 

Aaron

Yep - we get a cert mismatch which is the reason why we need this redirect from https://oursite.com to https://www.oursite.com

 

 

There are three ways to fix this issue:

 

 

Redirect users to www.oursite.com before they access oursite.com via HTTPS. You could try to do this on the HTTP VIP. But with a cert which is only valid for www.oursite.com, a direct request to https://oursite.com will trigger an mismatched SSL cert warning.

 

 

Change the DNS record for oursite.com or www.oursite.com so they resolve to separate IP addresses. You could then use a separate VIP and SSL cert for oursite.com.

 

 

Buy a single cert which is valid for oursite.com and www.oursite.com (sometimes called a Unified Communications Cert). With this, you could accept requests for both hostnames on the same VIP without a mismatched cert warning or redirects.

 

 

Aaron

Thanks for your help - I don't think this is going to help us though.

 

 

We have decided to use a certificate for https://oursite.com. If a user hits our SSL VIP (VIP-oursite-443) directly by typing in https://oursite.com or https://www.oursite.com I need to force that traffic to https://oursite.com

 

 

I've created an iRule and applied it to the SSL VIP using port 443, but it doesn't seem to want to work.

 

 

This code both does NOT strip the www, and breaks SSL completely:

 

 

  
  when HTTP_REQUEST {  
     HTTP::redirect https://oursite.org[HTTP::uri]  
  }  
  

 

 

I also tried this, does not break SSL but does not strip the www

 

 

 
 when HTTP_REQUEST {  
     if { ([HTTP::host] eq "www.oursite.org") } {  
         switch -glob [HTTP::uri] {  
              "/" { HTTP::redirect "https://oursite.org" }  
              default {  HTTP::redirect "https://oursite.org[HTTP::uri]" } 
         }  
     }  
 } 
 

HTTP_REQUEST comes after the handshake is completed. Client would receive cert mismatch error before LTM returns redirect.

As Moo suggests, that can't work to avoid a cert mismatch error. Here are three options to resolve this:

 

 

Redirect users to www.oursite.com before they access oursite.com via HTTPS. You could try to do this on the HTTP VIP. But with a cert which is only valid for www.oursite.com, a direct request to https://oursite.com will trigger an mismatched SSL cert warning.

 

 

Change the DNS record for oursite.com or www.oursite.com so they resolve to separate IP addresses. You could then use a separate VIP and SSL cert for oursite.com.

 

 

Buy a single cert which is valid for oursite.com and www.oursite.com (sometimes called a Unified Communications Cert). With this, you could accept requests for both hostnames on the same VIP without a mismatched cert warning or redirects.

 

 

Aaron