Forum Discussion

bdo_isd_28658's avatar
bdo_isd_28658
Icon for Nimbostratus rankNimbostratus
Feb 14, 2007

working http redirect rule, needed to be modifiled for https use

Hello DevGurus,

 

 

i am far from an iRule expert, but have a rather urgent need (by 11am GMT 15/2 - tomorrow!) to get one of our existing HTTP redirect iRules, modified and working for the HTTPS protocol.

 

 

The working (HTTP) one is listed below....

 

 

When i try to apply this to a HTTPS VIP (with some obvious modifications e changing http:// to https://, it first (understandably) complains that the HTTP profile must be first set to either "HTTP" or "FAST HTTP" in order to recognise the "HTTP_REQUEST" event mentioned in the iRule.

 

 

OK, so rather counter intuitively i do this and set the HTTP profile = HTTP on a HTTPS VIP. Now the VIP breaks.

 

 

im clearly out of my depth here so anyone willing to help by rewriting the iRule, telling me what events to use, and/or teling me what (if any) profiles need to be set, it would be most apprecieated.

 

 

many thanks

 

Keiran. (keiran.harris@bdo.co.uk)

 

 

 

 

when HTTP_REQUEST {

 

if { ([HTTP::host] starts_with "client") and ([HTTP::uri] equals "/") } {

 

HTTP::redirect "http://[HTTP::host]/ext/myportal/client"

 

} elseif { [HTTP::host] starts_with "alumni" and [HTTP::uri] equals "/"} {

 

HTTP::redirect "http://[HTTP::host]/auth/myportal/alumni"

 

} elseif { [HTTP::host] starts_with "author" and [HTTP::uri] equals "/"} {

 

HTTP::redirect "http://[HTTP::host]/auth/myportal/author"

 

}

 

return

 

}
application delivery
dev
devops
iRules
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Feb 14, 2007
    He may not be able to set an http profile if the https vip is not doing SSL offload. Are you passing thru the SSL all the way to the servers (ie, is the pool on 443 as well)? If so, you're going to have to use a clientside ssl profile to decrypt, so you can apply the http profile and do the redirect, and then use a serverssl profile to re-encrypt the traffic to the servers. If you are passing thru SSL all the way to the servers without having BIG-IP do the decryption, the http profile will break the vip (and you can't do anything with HTTP events in iRules).

     

     

    Denny
  • bdo_isd_28658's avatar
    bdo_isd_28658
    Icon for Nimbostratus rankNimbostratus
    Feb 15, 2007
    Thanks Denny, you are right, this VIP is not (yet) doing the SSL termination so we are passing it stright through to the real server to terminate. I understand your suggestion so thnks a million. Ill give that a stab this morning.

     

    Cheers.

     

    Keiran.