Forum Discussion
Shawn_Puckett_8
Nimbostratus
NimbostratusSSL Soap and Redirects
Current traffic flow:
Client to F5 on SSL
F5 to Server on 8080
IIS responds to 8080 back to F5
F5 to Client on SSL
Problem:
We have a .Net application (complied) that reads the requested URL and puts it back in HTML code to be sent back to the client. The issue is that the imbedded links are in this format http://xxx.xxx.com:8080/somepic.gif but no 8080 traffic is allowed inbound so they are dropped and the user does not see the somepic.gif. I thought I could fix this buy writing an iRule to redirect all 8080 requests to HTTPS but it doesn't seem to work.
I created a virtual server for 8080 with this iRule:
when HTTP_REQUEST {
if {[TCP::local_port] == "8080"}
{HTTP::redirect https://[HTTP::host][HTTP::uri]}
}
What am I missing?
NOTE: I used a .gif example above but most of the links back are SOAP/XML related so I’m not sure how the F5 handles them, but since they are still HTTP protocol I would think it is the same process in iRules.
Thanks,
Shawn
- The iControl forum is for questions related to our Management API. This question should be posted to the iRules forum.
With that being said, before you forward over there, you can take a look at my blog posting about this exact subject:
http://devcentral.f5.com/weblogs/joe/archive/2005/07/27/1398.aspx
Click here
Also you can check out the forum thread that this post was originated from:
http://devcentral.f5.com/default.aspx?tabid=53&view=topic&forumid=5&postid=3410
Click here
And, I believe the reason why the redirect isn't working is that the SOAP toolkit you are using isn't honoring the redirect as a browser would.
-Joe 
Shawn_Puckett_8Thanks for the quick response!
Let me make sure I understand, you are saying that since the html content has SOAP links and the client side SOAP app (MSXML3/4) does not honor redirects the data is not retrieved. But if the content was pure HTML then IE would have no issue with the iRule I created, correct?
Hence this iRule that will look through all of outbound HTTP traffic and change any URL but keep the URI unchanged, correct?
How much extra load does this put on the F5? The content we are passing is a database driven and the pages are sometimes massive with large data grids that gather their data from SOAP connections. We are also looking to update the code on the server to punch in the https:// when needed but that might be sometime coming.
Thanks,
Shawn- The redirect is a special HTTP response code that the client can choose to interpret or not. As far as I know, the most common toolkits out there don't support HTTP redirects. But, this is standard in all browsers so your rule should work with HTTP based browser requests.
As for the load on the device, that is always an issue. If you have the opportunity to modify the url's on the outbound traffic before it hits the device that is the best case. With that being said, the overhead will depend on the payload size and the amount of modifications. Since changing "http" to "https" will require additional memory, you can't get away with a simple memory overwrite, but you'll have to trigger extra re-allocations of the payload to modify the content. For very large payloads this may become an issue for very high levels of traffic. But that should only matter when your device is maxed out connection wise.
I would apply the rule and do some tests to determine the overhead for your self and then try to get the backend server code to change it's references if you find that the overhead is unacceptable.
-Joe
