winddlover_9858
Aug 10, 2009

URL Redirection Issue

I have set up a load balance mechanism for Firepass behind BigIP.

There is a standard iRule in the F5 guideline to do SSL offload for Firepass and it is working well for me.

SSL Offload iRule (iRule B)

    when RULE_INIT {
        set ssl_handshake 0
    }

    # Remember the client certificate (if any) against the SSL session ID.
    when CLIENTSSL_HANDSHAKE {
        set ssl_handshake 1
        if { [SSL::cert count] > 0 } {
            session add ssl [SSL::sessionid] [SSL::cert 0]
        }
    }

    when CLIENTSSL_CLIENTCERT {
        set ssl_handshake 1
        if { [SSL::cert count] > 0 } {
            session add ssl [SSL::sessionid] [SSL::cert 0]
        }
    }

    when HTTP_REQUEST {
        set http_disable 0

        # After a handshake, pass the SSL details to Firepass as request headers.
        if { $ssl_handshake == 1 } {
            HTTP::header replace "BIGIP" "on"
            HTTP::header replace "BIGIP_SSL_CIPHER" "[SSL::cipher name]"
            HTTP::header replace "BIGIP_SSL_CIPHER_USEKEYSIZE" "[SSL::cipher bits]"
            HTTP::header replace "BIGIP_SSL_PROTOCOL" "[SSL::cipher version]"

            set client_cert [session lookup ssl [SSL::sessionid]]

            if { $client_cert ne "" } {
                HTTP::header replace "BIGIP_SSL_CLIENT_S_DN" "[X509::subject $client_cert]"
                HTTP::header replace "BIGIP_SSL_CLIENT_I_DN" "[X509::issuer $client_cert]"
                HTTP::header replace "BIGIP_SSL_CLIENT_M_SERIAL" "[string map [list ":" ""] [string toupper [X509::serial_number $client_cert]]]"

                HTTP::header replace "BIGIP_SSL_CLIENT_M_VERSION" "[X509::version $client_cert]"
                HTTP::header replace "BIGIP_SSL_CLIENT_CERT" "[b64encode [X509::whole $client_cert]]"
                HTTP::header replace "BIGIP_SSL_CLIENT_VERIFY" "SUCCESS"
            }

            set ssl_handshake 0
        }

        # Flag the /myvpn and /tunnel URIs so HTTP processing is switched off for them.
        if { [HTTP::uri] starts_with "/myvpn" } {
            set http_disable 1
        }

        if { [HTTP::uri] starts_with "/tunnel" } {
            set http_disable 1
        }
    }

    when HTTP_REQUEST_SEND {
        if { $http_disable != 0 } {
            HTTP::disable
        }
    }

In addition, I want to set up a separate iRule to append a particular URI, that is:

when a user enters a URL, e.g. https://mycompany.com/, it will redirect to https://mycompany.com/test

Here is the iRule I created:

URL redirection (iRule A)

    when HTTP_REQUEST {
        if { [HTTP::uri] eq "/" } {
            HTTP::uri "/test"
        }
    }

What I did was to apply the two iRules (A & B) and configure URI redirection as the top iRule, which is supposed to be enforced first. For some reason, once Rule A was in place, I can't access Firepass any more.

If I remove iRule A and leave only the SSL offload iRule in place, then instead of doing the redirection I enter the URL https://mycompany.com/test and there is no problem.

No idea why it stops working after associating the URL redirection iRule above the SSL offload iRule.

Much appreciated if anyone can enlighten me.

  • Colin_Walker_12
    Historic F5 Account
    Interesting. I don't see any reason that the iRules you've listed shouldn't work together. Are you seeing error messages in your /var/log/ltm file after applying the second rule?

    Colin
  • There is no error message in the LTM file. Do I need to enable debugging of the iRule in order to show the error message?

    Not sure if it is relevant, but I have an http profile associated with the Firepass VP. (Standard setting when implementing Firepass load balancing behind BigIP.)

    If I enable URL redirection only, how can I verify whether URL redirection is working or not?
  • No error in the ltm file. Do I need to enable debugging of the iRule in order to show the error log?

    Not sure if it is relevant, but I have an http profile and an SSL client profile associated with the Firepass VP, which is the standard setting from following the Firepass deployment guideline.

    If I enable URL redirection inclusively, is there any way to verify whether it is working properly?
  • Patrick_Chang_7
    Historic F5 Account
    iRule A is not a redirection. It changes the URI.

    There is no such thing as enabling debugging on an iRule. Any iRule errors will be sent to /var/log/ltm.
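
The distinction drawn in the last reply, shown as an added example (not code from the thread or from the F5 deployment guide): the first rule is iRule A with a log line added, the second sends an actual redirect. The log message text is constructed, the hostname and /test path are the ones from the question, and the two rules are separate iRules meant to be attached one at a time.

```tcl
# --- Rule 1: URI rewrite (iRule A as posted, plus logging) ---
# Nothing is sent back to the client: the browser still shows "/".
# Only the request passed on to the pool member is changed to /test.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        log local0. "rewrite: client [IP::client_addr] requested [HTTP::uri], forwarding /test"
        HTTP::uri "/test"
    }
}

# --- Rule 2: HTTP redirect ---
# The BIG-IP answers the request itself with a 302 and a Location header;
# the browser then issues a second request for /test.
# The target host is written out rather than built from [HTTP::host],
# so the Location header never contains a client-supplied Host value.
when HTTP_REQUEST {
    if { [HTTP::uri] eq "/" } {
        log local0. "redirect: client [IP::client_addr] requested [HTTP::uri], sending 302 to /test"
        HTTP::redirect "https://mycompany.com/test"
    }
}
```

Each log line is written to /var/log/ltm, which gives a way to confirm that a rule fired; with rule 2 the client side also shows a 302 response followed by a new request for /test.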