Forum Discussion
sparky_86686
Nimbostratus
Nov 19, 2008
Using "matching" on Rewrite Redirects
In post 13907 Deb mentions that for the Rewrite Redirects functionality in the http profile:
* Matching: Specifies that the system rewrites the scheme to HTTPS in any HTTP redirect responses in which the hostname matches that of the request.
Is this accurate? I see other docs that only mention:
Use "Matching" to rewrite only courtesy redirects intended to append a missing trailing slash to a directory request.
Using this functionality, assuming that Deb's comments are correct, I would think the below test should work?
Background:
I am coming in on an F5 SSL-terminated connection, with the F5 going back to an HTTP listener on the webserver.
The webserver (Sun) has NSAPI code that does a redirect based on a cookie (since moving SSL to the F5 ALL redirects are going http).
This redirect needs to be changed to https when the connection is https at the F5 and the hostname matches.
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: TEST=.tI%3EJYrYfb4bhrqub..
HTTP/1.x 302 Moved Temporarily
Server: ""
Date: Wed, 19 Nov 2008 19:52:11 GMT
Content-Type: text/html
Location: http://www.example.com/noauth/servlet/example?redirectPage=/
Content-Encoding: gzip
Transfer-Encoding: chunked
----------------------------------------------------------
http://www.example.com/noauth/servlet/example?redirectPage=/
GET /noauth/servlet/example?redirectPage=/ HTTP/1.1
...
Yet it goes to http.
Any clues?
2 Replies
- hoolio
Cirrostratus
Hi there,
I think that's a slight mis-statement. I'm pretty sure the host in the redirect location is not checked against the request. The 9.4.5 and 9.3.1 online help shows:
Redirect Rewrite
Specifies whether the system rewrites the URIs that are part of HTTP redirect (3XX) responses. The default is None.
* None: Specifies that the system does not rewrite the URI in any HTTP redirect responses.
* All: Specifies that the system rewrites the URI in all HTTP redirect responses.
* Matching: Specifies that the system rewrites the URI in any HTTP redirect responses that match the request URI.
* Nodes: Specifies that if the URI contains a node IP address instead of a host name, the system changes it to the virtual server address.
If you want to rewrite the redirect to https if the host in the Location header matches a predefined host, you could hardcode it like this:
    when HTTP_RESPONSE {
        # Check if response is a redirect
        if {[HTTP::is_redirect]}{
            # Rewrite the location header if it matches a hardcoded host value
            HTTP::header replace Location [string map -nocase "http://www.example.com https://www.example.com" [HTTP::header value Location]]
        }
    }
A more general (but less efficient) option would be to save the Host header value on every request and check if the Location header starts with it:
    when HTTP_REQUEST {
        # Save host header in lower case
        set host [string tolower [HTTP::host]]
    }
    when HTTP_RESPONSE {
        # Check if response is a redirect to the saved host
        if {[HTTP::is_redirect] and [string tolower [HTTP::header value Location]] starts_with "http://$host"}{
            # Rewrite http:// to https:// in the Location header
            HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
        }
    }
Aaron
- sparky_86686
Nimbostratus
Thanks. Used the generic one so I can apply this on different VIPs if needed. Performs well for our amount of traffic.
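As an added example (not code from either poster): a variant of the generic iRule that rewrites only the scheme at the very start of the Location value and requires the host name to end right after the match, so an `http://` inside a query string such as `redirectPage=` is not touched and a longer host name that merely begins with the request host is not treated as a match. It assumes the rule is attached to the SSL-terminating virtual server and that a redirect carrying an explicit port should be left unchanged.

```tcl
when HTTP_REQUEST {
    # Save the requested host in lower case, without any :port suffix
    set host [string tolower [getfield [HTTP::host] ":" 1]]
}
when HTTP_RESPONSE {
    # Only look at 3xx responses
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        set prefix "http://$host"
        set plen [string length $prefix]
        # Character right after the host name; empty if the Location ends there
        set next [string index $loc $plen]
        # Match only when the Location begins with http://<request host> and the
        # host name ends at that point (end of string, path, query or fragment).
        # http://www.example.com.other.test/ and http://www.example.com:8080/
        # therefore do not match and are passed through unchanged.
        if { [string tolower [string range $loc 0 [expr {$plen - 1}]]] eq $prefix
             && ($next eq "" || $next eq "/" || $next eq "?" || $next eq "#") } {
            # Swap only the leading "http://" (7 characters) for "https://";
            # the rest of the value, including any URL in the query, is kept as is
            HTTP::header replace Location "https://[string range $loc 7 end]"
        }
    }
}
```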
