Forum Discussion

Cindy_127211's avatar
Cindy_127211
Icon for Nimbostratus rankNimbostratus
Feb 13, 2006

SSL Redirect Rule results in unlimited GETS occurring

I am using the following redirect rule to detect SSL certificate version and number of encryption bits. The match seems to work as expected; however, the results are not at all what I would expect. I can see in the HTTP log and via a tcpdump that instead of one GET to the page, the same 'GET' occurs unlimited number of times (and, doesn't stop until I close the browser. Following is the rule that I am using:

 

 

rule SSLV2_Encrypt_ACS_sbox {

 

when HTTP_REQUEST {

 

HTTP::header insert "Custom" "amc:443"

 

HTTP::header insert "CipherVersion" [SSL::cipher version]

 

HTTP::header insert "CipherBits" [SSL::cipher bits]

 

if { ![matchclass [SSL::cipher version] equals $::CipherVersion] and [SSL::ciphe

 

r bits] > 127 } {

 

use pool acs80sbox

 

} elseif { [HTTP::uri] starts_with "/encryptcode/" }

 

{

 

pool acs80sbox }

 

else {

 

HTTP::redirect https://[HTTP::host]/encryptcode/encryption_notice.jsp}

 

}

 

}

 

 

For instance, if I enter the following command:

 

 

https://www.sbox.americancentury.com/login/LoginServlet

 

 

All I see in the HTTP logs is multiple 'GETS' to the LoginServlet page. What am I doing wrong here?

 

application delivery
dev
devops
iRules
  • Cindy_127211's avatar
    Cindy_127211
    Icon for Nimbostratus rankNimbostratus
    Feb 13, 2006
    I can see in the HTTP Logs that the 'Get' is responding with a 301 status code. This probably has something to do with the problem I'm experiencing, but I don't know what and what I should do about it.

     

     

    10.173.40.211 - - [13/Feb/2006:12:15:54 -0600] "GET /login/LoginServlet HTTP/1.1" 301 271 "http://www.sbox.americancentury.com/index.jsp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "PERSID=19290df1%3A10956c58658%3A-8000; count=11; BIP=384806154.20480.0000; s_cc=true; s_sq=amcentmain%3D%2526pid%253Dhttp%25253A//www.sbox.americancentury.com/index.jsp%2526oid%253Dhttp%25253A//www.sbox.americancentury.com/images/log_in_bttn.gif%2526ot%253DIMAGE%2526oi%253D77" "-"

     

    10.173.40.211 - - [13/Feb/2006:12:15:54 -0600] "GET /login/LoginServlet HTTP/1.1" 301 271 "http://www.sbox.americancentury.com/index.jsp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "PERSID=19290df1%3A10956c58658%3A-8000; count=11; BIP=384806154.20480.0000; s_cc=true; s_sq=amcentmain%3D%2526pid%253Dhttp%25253A//www.sbox.americancentury.com/index.jsp%2526oid%253Dhttp%25253A//www.sbox.americancentury.com/images/log_in_bttn.gif%2526ot%253DIMAGE%2526oi%253D77" "-"

     

    10.173.40.211 - - [13/Feb/2006:12:15:55 -0600] "GET /login/LoginServlet HTTP/1.1" 301 271 "http://www.sbox.americancentury.com/index.jsp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "PERSID=19290df1%3A10956c58658%3A-8000; count=11; BIP=384806154.20480.0000; s_cc=true; s_sq=amcentmain%3D%2526pid%253Dhttp%25253A//www.sbox.americancentury.com/index.jsp%2526oid%253Dhttp%25253A//www.sbox.americancentury.com/images/log_in_bttn.gif%2526ot%253DIMAGE%2526oi%253D77" "-"

     

    10.173.40.211 - - [13/Feb/2006:12:15:55 -0600] "GET /login/LoginServlet HTTP/1.1" 301 271 "http://www.sbox.americancentury.com/index.jsp" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" "PERSID=19290df1%3A10956c58658%3A-8000; count=11; BIP=384806154.20480.0000; s_cc=true; s_sq=amcentmain%3D%2526pid%253Dhttp%25253A//www.sbox.americancentury.com/index.jsp%2526oid%253Dhttp%25253A//www.sbox.americancentury.com/images/log_in_bttn.gif%2526ot%253DIMAGE%2526oi%253D77" "-"

     

  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    Mar 02, 2006
    Looks like you have a redirect loop. Could it be that your server is redirecting to /images/log_in_bttn.gif but then your iRule is redirecting back to /encrpytcode/encryption_notice.jsp??