dlogsdonmd
Sep 21, 2018

iRule Construct and Cleanup

Hello, this is long so I can provide the details; I hope I don't lose your interest.

One of our staff (not with the organization now) created a general VIP with a few DNS CNAMEs that point to that VIP and then iRules to direct traffic. I need to modify one of the iRules to ensure traffic to three URLs is all redirected to HTTPS. I thought we had the rule configured properly in our tests, but applying it to the live site had mixed results, partially due to HTTPS not allowed through firewall and partially one URL pointing to IP of different VIP. That said, we are missing one of the URLs in the iRule so I want to be sure we're including that, and the rule still wasn't delivering the right response for internal tests. I am hoping someone can help me rewrite the iRule so I can better understand it and have it properly redirect the traffic.

The below URLs all have CNAME DNS entries (internal and external) pointing to the IP of the generic VIP: 199.74.213.48 (this is the outside/NAT IP used also for internal DNS. VIP IP is the inside address.)

  • DHA.acc.org
  • deputyheartattack.acc.org
  • deputyheartattack.org

Original iRule: With this iRule in place, traffic is as follows:

  1. dha.acc.org - redirects to HTTPS internally, remains HTTP externally - no HTTP allowed through firewall
  2. deputyheartattack.acc.org - remains HTTP internally, redirects to HTTPS externally - had pointed to a different (but wrong) VIP that was allowing HTTPS through the firewall
  3. deputyheartattack.org - remains HTTP internally and externally - no HTTP allowed through firewall

    when HTTP_REQUEST {
        set my_uri [HTTP::uri]
        if {[string tolower [HTTP::host]] contains "www.deputyheartattack.org" } {
            set host [string map -nocase {"www.deputyheartattack.org" "dha.acc.org"} [HTTP::host]]
            HTTP::redirect "http://$host$my_uri"
        }
    }

I'm not familiar with the "set my_uri [HTTP::uri]" part of the above iRule and not sure it's necessary for what we need the iRule to do. I'd like to see more explicit language so it's clear what URLs/URIs we're managing, and I don't think we're managing URIs in this rule since we want the entire URL to be redirected to HTTPS.

New iRule: With the new iRule in place, traffic is as follows:

  1. dha.acc.org - successfully redirects to HTTPS internally, won't resolve externally - firewall blocking HTTPS but didn't make sense we suddenly couldn't resolve at all
  2. deputyheartattack.acc.org - remains HTTP internally, redirects to HTTPS externally - was pointing to the wrong VIP that did allow HTTPS.
  3. deputyheartattack.org - remains HTTP internally and externally, firewall blocking HTTPS.

    when HTTP_REQUEST {
        set my_uri [HTTP::uri]
        if {[string tolower [HTTP::host]] contains "dha.acc.org"} {
            set host [string map -nocase {"; "dha.acc.org"} [HTTP::host]]
            HTTP::redirect "https://$host$my_uri"
        }
        if {[string tolower [HTTP::host]] contains ";} {
            set host [string map -nocase {"; "dha.acc.org"} [HTTP::host]]
            HTTP::redirect "https://$host$my_uri"
        }
    }

I feel both rules are overly complex for basic intercept and redirect to HTTPS, but I'm still learning the TCL format/language. I hope the above makes sense. I'm happy to completely rewrite the iRule.

Thanks in advance!

Diane

1 Reply

  • Diane,

    Unless you have specific requests going to the port 80 virtual server that you don't want redirected, I would suggest using the built-in _sys_https_redirect iRule, replicated here:

    when HTTP_REQUEST {
       HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }
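
An explicit variant of the redirect for the three hostnames listed in the question, as an added example that is not part of the original thread and is not F5's built-in rule. It assumes each name should redirect to HTTPS on its own hostname, and that any other host arriving on the shared virtual server should be left for the other iRules to handle.

```tcl
when HTTP_REQUEST {
    # Normalise the Host header: drop any ":port" suffix and lower-case it,
    # so "DHA.acc.org:80" and "dha.acc.org" match the same entry.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Exact-match list of the hostnames this rule manages (taken from the
    # question; add the "www." variants here if they also resolve to the VIP).
    switch -- $host {
        "dha.acc.org" -
        "deputyheartattack.acc.org" -
        "deputyheartattack.org" {
            # Redirect to the same hostname over HTTPS, keeping the full
            # original URI (path and query string).
            HTTP::redirect "https://$host[HTTP::uri]"
        }
        default {
            # Not one of the three names: do nothing here, so the other
            # iRules on this shared virtual server can direct the request.
        }
    }
}
```

Because only the listed names reach `HTTP::redirect`, the Location header is never built from an arbitrary client-supplied Host value, unlike a rule that reflects whatever Host it receives.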