Forum Discussion
Kenny_Van_73892
Nimbostratus
Feb 12, 2009
strip away www. and redirect to https:// without cert mismatch error
I need some help to clear my mind.
I need to strip away www. from the host on either port 80 or 443 and redirect to https://. For instance, if the user enters http or https://www.sub.mycompany.com, then the www. must get stripped away and the user redirected to https://sub.mycompany.com; if the user enters http or https://sub.mycompany.com, then it just redirects to https://sub.mycompany.com.
I came up with this, but couldn't get it to work the way I wanted and got a certificate error because the host didn't match the registered SSL host, sub.mycompany.com.
if {[HTTP::host] starts_with "www." and [TCP::local_port] eq 80 or [TCP::local_port] eq 443} {
    HTTP::redirect https://www.sub.mycompany.com [string range [HTTP::host] 4 end][HTTP::uri]
} elseif { [TCP::local_port] eq 80 } {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
So, how do I strip the www. away so that the cert won't complain about a mismatch?
Thanks in advance.
12 Replies
- Russell_E_Glaue
Nimbostratus
Posted By rglaue on 02/19/2009 9:51 AM
Do note, however, that each SSL Cert and matching domain must be assigned to, and responding on, two different IP numbers.
So, sub.mydomain.com must be assigned to one IP number in DNS
And, www.sub.mydomain.com must be assigned to another IP in DNS
This will be two different Virtual Servers on the BigIP.
-RG
I should note that this is if you get two different SSL Certs, one for each of the two domains that will be accessed via "https://...".
If you get a wildcard ssl cert, or the SAN cert, all the matching domains can be assigned to one DNS IP and thus one Virtual Server.
So it is not really one domain per IP, as it is one SSL Cert per IP.
The reason is that the Web Browser is connecting to an IP number and performing the SSL handshake.
The Web Server (or BigIP in this case) does not know what domain the Web Browser is trying to access because the SSL Connection has not been established at that point.
So the SSL Certificate is assigned to an IP number, so the Web Server (BigIP) has the one SSL Cert to use for any connection. That one SSL Cert is sent to the Web Browser which matches the SSL Cert's common name with the domain name it will then send on in the HTTP 1.1 packet.
If the common name of the SSL Cert does not match the domain name ("Host" header) the Web Browser is going to send in the HTTP 1.1 packet, the Web Browser spits out a Mismatch error to the browser user.
-RG
- Kenny_Van_73892
Nimbostratus
I will take a look at the wildcard cert and I think this is a good way to go as it saves $ as well. At this moment, my boss wants to go ahead with another cert and eventually I will burn one more IP and have iRules to redirect from 80 to 443. Thanks.
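The ordering described in the replies above, as an added example that is not part of the thread or F5's code: a small Python model of one virtual server with one certificate, where the browser's name check runs before any redirect can be delivered. The certificate name lists are constructed, and the matching rule is a simplified form of the usual browser behaviour (a `*` only as the whole leftmost label, covering exactly one label), which is an assumption of this sketch.

```python
# Added example with constructed certificate name lists (not from the thread).
SINGLE = ["sub.mycompany.com"]                             # cert for the bare name only
WILDCARD = ["*.mycompany.com"]                             # wildcard one level up
SAN = ["sub.mycompany.com", "www.sub.mycompany.com"]       # SAN cert listing both names


def name_matches(pattern, host):
    """True if one certificate name covers host.
    Assumption: '*' is honoured only as the entire leftmost label and
    stands for exactly one label, so it never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)


def canonical_redirect(host, uri, port):
    """Location to redirect to, or None when the request is already
    https:// on the bare (non-www) host."""
    bare = host.split(":", 1)[0].lower()
    target = bare[4:] if bare.startswith("www.") else bare
    if port == 80 or target != bare:
        return "https://" + target + uri
    return None


def handle(vip_cert_names, host, uri, port):
    """Model one request to a virtual server holding one certificate.
    On 443 the certificate is presented and checked before the HTTP
    request is sent, so a mismatch pre-empts the redirect."""
    bare = host.split(":", 1)[0]
    if port == 443 and not cert_covers(vip_cert_names, bare):
        return "CERT_MISMATCH"
    return canonical_redirect(host, uri, port) or "SERVE"


if __name__ == "__main__":
    for label, names in (("single", SINGLE), ("wildcard", WILDCARD), ("san", SAN)):
        for port in (80, 443):
            print(label, port, handle(names, "www.sub.mycompany.com", "/a", port))
```

In this model the port 80 redirect always works, while https://www.sub.mycompany.com only reaches the redirect when the certificate on that virtual server lists the www name; a `*.mycompany.com` wildcard covers sub.mycompany.com but not www.sub.mycompany.com.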