Forum Discussion
w3c iRule logging for Virtual Servers having http to https redirection iRule
Hi,
I have been asked to verify the VS without w3c iRule in our LTMs and attach this iRule to them. Now, I have many VS in LTMs which have http to https redirection iRule attached to them and w3c iRule attached to VS listening on https.
Could anyone of you please confirm whether I have to attach w3c iRule to both VS listening on http and https, or would it suffice if I only attach it to VS with https, as requests to http would be redirected to https VS? If I add w3c to both of the VS (http & https), would this create redundant logs, as traffic to VS:http is redirected to VS:https?
Can I have some clarification on this?
Thanks in advance, MSK
- nitass_89166 (Noctilucent)
> Could anyone of you please confirm whether I have to attach w3c iRule to both VS listening on http and https, or would it suffice if I only attach it to VS with https, as requests to http would be redirected to https VS? If I add w3c to both of the VS (http & https), would this create redundant logs, as traffic to VS:http is redirected to VS:https?

I think only https virtual server. I understand HTTP_RESPONSE is not triggered by HTTP::redirect command.
e.g.

    [root@ve11c:Active:In Sync] config tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            http { }
            tcp { }
        }
        rules {
            _sys_https_redirect
            qux
        }
        source 0.0.0.0/0
        vs-index 8
    }
    [root@ve11c:Active:In Sync] config tmsh list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
            log local0. ""
        }
        when HTTP_RESPONSE {
            log local0. ""
        }
    }
    [root@ve11c:Active:In Sync] config
    [root@ve11c:Active:In Sync] config curl -i http://172.28.24.10
    HTTP/1.0 302 Found
    Location: https://172.28.24.10/
    Server: BigIP
    Connection: Keep-Alive
    Content-Length: 0

    [root@ve11c:Active:In Sync] config cat /var/log/ltm
    Mar 6 11:19:34 ve11c info tmm[14163]: Rule /Common/qux :
    [root@ve11c:Active:In Sync] config

- MSK_222682 (Nimbostratus): Hi nitass, thanks for the quick response. I have the redirection rule as: when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
- MSK_222682 (Nimbostratus): Okay. So is it sufficient if we attach w3c iRule only to VS:https instead of both VS:https & VS:http?
- nitass (Employee)
> I have the redirection rule as:
> when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

You see both (your irule and _sys_https_redirect) use HTTP::redirect command to redirect.

    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule _sys_https_redirect
    ltm rule _sys_https_redirect {
        nodelete nowrite
        when HTTP_REQUEST {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
        }
        definition-signature mwyl4XlRKRMQc0prWs7RtpgPcNfocOKb+MaFwAnQgAuUZZyG68OaGZsOCN3poUOFdHOc6fk2XAdGRmTRiP/7BCT7thsOX5zLFzA1N1wcr57KWVzEZt3ezxVXn2Z974OmbWm7P5Lclcr7N3adrLJMWfyfPPVF1tUYn0IQPD2QNMmfbcbr1oCuO93n/5dn0s6/EacHZGG53hVibW7xQuJXdMtoQ6ArSZ4U3n4vCDTb6NLYbAj6PirVzKY2pcsWFHFUSVrphSFwERc8+0XGHUE6Cb3ihzygoZc2cQ5jk3frFY70MkDluPTShFRbHd7PlMPRezrfkVZVeUHA/iBPcYcD+w==
        verification-status signature-verified
    }

- MSK_222682 (Nimbostratus): Okay. So it's enough if we attach w3c iRule only to VS:https instead of both VS:https & VS:http?
- nitass_89166 (Noctilucent)
> So it's enough if we attach w3c iRule only to VS:https instead of both VS:https & VS:http?

I think so.
- MSK_222682 (Nimbostratus): In which case, how are we going to log the http traffic coming to the VS? As per my understanding, the http requests would be forwarded to VS:https via the http:redirect command and would then be logged, as the VS:https would have the w3c iRule. So, wondering how to log the VS:http traffic.
- nitass (Employee)
> In which case, how are we going to log the http traffic coming to the VS?

If you put log command in HTTP_REQUEST, you will get log when client hits http virtual server.
- MSK_222682 (Nimbostratus): Hi nitass, sorry, I didn't get you. Can you please elaborate on it? Requirement is to log all the web traffic on our internet-facing BIG-IP, which is achieved by attaching w3c iRule, but I'm confused about the VS which have both http & https, wherein the http VS have https redirection rule.
- MSK_222682 (Nimbostratus): Also, can anyone let me know if there would be any impact on the VS properties when w3c iRule is attached?
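
Added example, not part of the original thread and not the w3c iRule it refers to: a logging-only iRule for the port-80 virtual server, attached next to the existing redirect rule in the same way `qux` sat beside `_sys_https_redirect` in the test above. The rule name, field order, length caps and the space-to-plus encoding are assumptions.

```tcl
# Added example (hypothetical rule name: log_http_before_redirect).
# Attach to the port-80 virtual server alongside the existing redirect iRule.
# This rule only logs; the redirect rule still issues the one HTTP::redirect.
# HTTP::redirect is answered by the BIG-IP itself, so HTTP_RESPONSE does not
# fire on this virtual server and everything is logged from HTTP_REQUEST.
when HTTP_REQUEST {
    # W3C-style date and time in UTC
    set ts [clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S" -gmt 1]

    # Client-controlled fields: cap the length so a single request cannot
    # produce an oversized syslog line (caps are assumed values).
    set fields [list \
        [string range [HTTP::host] 0 127] \
        [string range [HTTP::uri] 0 511] \
        [string range [HTTP::header "User-Agent"] 0 255]]

    # Use "-" for empty values and "+" for spaces so the line stays
    # space-delimited and a field cannot shift the columns after it.
    set clean [list]
    foreach f $fields {
        if { $f eq "" } { set f "-" }
        lappend clean [string map {" " "+"} $f]
    }

    # Assumed field order: date time c-ip cs-method cs-host cs-uri
    # cs(User-Agent) s-ip s-port, followed by the virtual server name.
    set line "$ts [IP::client_addr] [HTTP::method] [join $clean]"
    append line " [IP::local_addr] [TCP::local_port] [virtual name]"
    log local0. $line
}
```

The cleartext request on port 80 and the follow-up request on port 443 are two separate HTTP requests, so a line from each virtual server records different events for the same client.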