Forum Discussion

Mike_Richards_6's avatar
Icon for Nimbostratus rankNimbostratus
Mar 01, 2011

WL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer

I have submitted this issue to Oracle Support because I believe the problem is on the WebLogic side, but I wanted to post it here in case any iRules experts have any suggestions. I will keep this post updated with my findings from Oracle Support.



Here is the contents of the support request I sent to Oracle:





Problem Description: WL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer. We are off-loading the SSL for WebLogic and Oracle SOA Suite to the Big-IP hardware. Setting the WL-Proxy-SSL header worked with WebLogic 10.3.3 but does not appear to be working with 10.3.4.



1) Processor Spec's


64-bit Intel



2) Describe the Oracle environment


FMW home with Oracle SOA Suite installed. The AdminServer is running the WebLogic Console and EM Fusion Middleware Control.



3) Describe your question or issue in detail


Here is the network trace provided by our F5 Big-IP network administrator:





This is the conversation between the F5 and the server of me hitting



GET /console HTTP/1.1


Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/, application/xaml+xml, application/, application/, application/msword, */*


Accept-Language: en-us


User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)




Connection: Keep-Alive


Cookie: __utma=105458178.438694096.1294338702.1297090301.1297117932.6;|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1298411690215-Repeat%7C1301003690215%3B%20s_prop18_persist%3DDirect%7C1298498090418%3B; BIGipServersoa-test1_tcp7101_pool=470164234.48411.0000; ADMINCONSOLESESSION=7zbLNl9Qgnv4Bln17Tp33ZWMrGTX240CC3yQ2DJT1yrLQpQ65vqs!-481033609


WL-Proxy-SSL: true



HTTP/1.1 302 Moved Temporarily


Date: Wed, 23 Feb 2011 22:07:23 GMT


Transfer-Encoding: chunked




X-Powered-By: Servlet/2.5 JSP/2.1





302 Moved Temporarily



This document you requested has moved temporarily.



It's now at







Notice that "WL-Proxy-SSL: true" is present in the HTTP request headers, but WebLogic is still returning a redirect to the HTTP version of the page.



As mentioned earlier, we used an identical load-balancer configuration with FMW and WebLogic 10.3.3 with success.



4) List any documentation or notes you are following


I followed the steps in this document and it did not resolve the issue:


E-WL: How to Configure WebLogic 10.3 Admin Server Behind Load Balancer? [ID 1127517.1]



Perhaps this is a regression of bug 8254839 "In WebLogic Server 10.3.0, the WL-Proxy-SSL header is not recognized by the server."



I have reviewed and performed the steps in Doc ID 1127517.1. I have confirmed that "-Dweblogic.http.isWLProxyHeadersAccessible=true" appears on the command line for the WebLogic java process. The network capture I included in the SR shows that the "WL-Proxy-SSL: true" header is being set at the load balancer.




10 Replies

  • Interesting. I leverage this header as well but we're not on that late of a WL version.



    You could use "redirect rewrite" in an HTTP Class to rewrite these redirects until it gets working.
  • As Chris says, you should be able to use 'redirect rewrites' on a custom HTTP profile. You might also need to update the response content to rewrite http:// to https://. If that's required, you could use a stream profile and STREAM::expression based iRule:





    But the best option is to get a fix to the application if/when that's available as that lowers the complexity of the LTM config.



  • Aaron,



    Should he be contacting support on this too? Am just curious whether F5's Application Vendor Management teams get involved with stuff like this? Since this is a documented method of offloading SSL from WebLogic, I'd like to think people at F5 are testing these upgrade scenarios before they're released, especially given how big the Oracle Partnership is.





    Also, I noticed today that when using the WebLogic templates to create Virtual Servers, the auto-created HTTP profile doesn't contain the header insertion when doing SSL Offload. Is that a CR or support case? I'm fine with doing that one. Just curious.
  • Hi Chris,



    Good points. Two cases with F5 Support on this would be great.



  • I created a support case on the template. I don't have a WL lab to test upgrades so hopefully Mike feels comfortable doing a case.
  • Thanks for all the great suggestions everyone. I received an update from Oracle Support that has made great progress in correcting this issue:



    Generic Note




    Hello Micheal,



    I am currently going through the SR notes and analysing the information provided.



    However I would wish to know the outcome of enabling the Weblogic Plugin Enabled parameter from the Domain_Name --> Configuration Tab --> Web Applications Sub Tab



    You will need to check the Weblogic Plugin Enabled option.



    Best Regards,


    Shrikant Rajappan


    Software Engineer


    Global Customer Support - Application Server Team





    MICHAEL.RICHARDS@PAETEC.COM - March 1, 2011 4:04:09 PM GMT-05:00 [Update from Customer]





    Hi Shrikant,



    I made the setting change you recommended and restarted the AdminServer. It appears that WebLogic server is now recognizing the WL-Proxy-SSL header from the F5 and behaving accordingly.



    I have tested the WebLogic Admin Console and it seems to be working as expected.



    I am still having some issues with the Fusion Middleware Control (EM) application over https (it works correctly over http through the load-balancer). Some elements of the Fusion Middleware Control UI are not rendering correctly or behaving correctly.



    I will continue to troubleshoot and post another update.






    Here is the additional follow that I sent to Oracle Support today:





    The WebLogic Admin Console seems to be functioning correctly over HTTPS on our soa-test1 domain with this change in place.



    However, the Oracle EM application is not working completely over HTTPS.




    The first problem is that the loading page hangs indefinitely instead of redirecting to the login page. You can usually get around this by reloading the page and the login screen will come up. However, sometimes the login screen will work fine, and sometimes it will not work at all (pressing the Login button will have no effect).



    I can reproduce these issues with some inconsistency. Sometimes one browser will work while another will not (Firefox 3.6 vs. IE 8), and sometimes clearing the cache and restarting the browser will help (and sometimes it won’t).



    We do not experience these problems when accessing EM (Fusion Middleware Control) over the plain HTTP protocol through the F5/Big-IP.


  • After further investigation, we have determined that disabling compression on the https profile on the F5 has resolved the remaining issues https issues with SOA Suite 11g.
  • So what's the verdict here? Does the WL-Proxy-SSL header work on the new WebLogic version without any manual intervention? Or do WebLogic changes need to be made? Sounds like the Plugin Enabled button needs to be checked?
  • Hi Chris,



    The final result for us was that WebLogic 10.3.4 would not recognize the WL-Proxy-SSL header until we enabled the "Weblogic Plugin Enabled" option in the WebLogic Admin Console. Once we enabled that option the SSL off-loading worked as expected.



    The second issue we were experiencing was that some applications in the new version of Oracle SOA Suite 11g were not working correctly over HTTPS through the F5. Some of the large javascript files were intermittently failing to be loaded through the F5. Our network engineer disabled compression on the https profile and that resolved the issue.