Node revealed during HTTPS CAS authentication - irule

Yiannis_CDJ_F5
Altostratus
In F5, on a specific HTTP VIP (e.g. VIP_TOTO 192.168.1.5), we use an iRule where we redirect several applications through the same hostname.

Hostname: hosttest1.mydomain.com, resolves to the same IP as the VIP: 192.168.1.5

Some applications work as a reverse proxy and some others just perform a redirection. The problem occurs on an application that should work as a reverse proxy. Let's say the application is http://hosttest1/toto

We use this iRule structure to hide the node behind hosttest1/toto

+-------------------------------------------------------------+
when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "hosttest1.mydomain.com" -
        "hosttest1" {
            # Reverse-proxied application: send to its pool
            if { ([HTTP::uri] starts_with "/toto") } {
                pool POOL_toto
            }
            # Redirected application
            if { ([HTTP::uri] starts_with "/example1") } {
                HTTP::redirect "http://example1.mydomain.com[HTTP::uri]"
            }
            # etc. (other application paths)
            # etc. (other application paths)
        }
    }
}

when HTTP_RESPONSE {
}
+-------------------------------------------------------------+

POOL_toto contains the server "back_end_srv.mydomain.com:7777" which requires HTTPS CAS authentication.

The problem is: http://hosttest1/toto >> redirects to the HTTPS CAS server, then instead of having

Response header location: https://cas_server/cas/login=?http://hosttest1/toto

we have

Response header location: https://cas_server/cas/login=?http://back_end_srv.mydomain.com:7777/toto

As you see, the node is revealed in the location header URL and then, as soon as we are authenticated, we are redirected to the server back_end_srv.mydomain.com:7777.

This is the only application that is using HTTPS CAS, whereas all the other applications that pass through the same hostname hosttest1 use HTTP CAS authentication and hide their nodes correctly (without adding configuration in the HTTP_RESPONSE of the iRule). As all the applications pass through the same HTTP VIP, we should modify the iRule in a way that doesn't affect the other applications.

Why doesn't F5 rewrite the response location behind this HTTP VIP when a node with HTTPS CAS is used, when it does rewrite it when HTTP CAS is used? Thank you in advance.
4 REPLIES

Hi @Yiannis_CDJ_F5 

You should verify that your CAS configuration is set to mark the connector as "secure". Assuming I have the right resource, the configuration documentation could be here: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#http-proxying 

Also, this is a few years old but it might apply to your situation: https://fawnoos.com/2018/01/05/cas-deployment-with-proxy/

Hope this helps...
Josh

Leslie_Hubertus
Community Manager

Hi @Yiannis_CDJ_F5 - did @JoshBecigneul's reply help you out? If yes, could you please click the "Accept as Solution" button so future users with the same issue know what the resolution was? If no, maybe giving some more detail would help.

Yiannis_CDJ_F5
Altostratus

Hello,

@JoshBecigneul thanks a lot for your reply. I really appreciate it. @Leslie_Hubertus I didn't get any feedback yet. As soon as I get a response on my side, I will update the discussion and verify if this was the correct solution.

Yiannis_CDJ_F5
Altostratus

Hi! We managed to solve the issue and hide the server behind F5.
We didn't need to specify the connector as "secure". It was proved that the CAS didn't contain the correct URL to match the F5. The CAS configuration needed to be updated on both the application parameter and the application definition in CAS. Thank you for your support.
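
A check for the symptom discussed in this thread, added here as an example and not written by any of the posters: it inspects the Location header of a CAS login redirect and reports when the return URL names something other than the public hostname. The function names, the allowed-port list and the standard `service=` query parameter are assumptions; the abbreviated `login=?URL` form quoted in the question is also accepted.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Public names of the VIP, taken from the question.
PUBLIC_HOSTS = {"hosttest1", "hosttest1.mydomain.com"}
# Assumption: the VIP only answers on default HTTP/HTTPS ports.
PUBLIC_PORTS = (None, 80, 443)


def cas_service_url(location):
    """Return the URL CAS will send the browser back to, or None."""
    parts = urlsplit(location)
    if "/cas/login" not in parts.path:
        return None  # not a CAS login redirect
    params = parse_qs(parts.query)
    if "service" in params:
        return params["service"][0]  # parse_qs already URL-decodes
    # Abbreviated form from the thread: everything after "?" is the URL.
    raw = unquote(parts.query)
    return raw if raw.startswith(("http://", "https://")) else None


def leaked_backend(location, public_hosts=PUBLIC_HOSTS):
    """Return the host[:port] exposed by a CAS redirect, or None if clean."""
    service = cas_service_url(location)
    if service is None:
        return None
    target = urlsplit(service)
    host = (target.hostname or "").lower()
    if host in public_hosts and target.port in PUBLIC_PORTS:
        return None
    return target.netloc


if __name__ == "__main__":
    # Constructed sample headers, modelled on the two redirects in the question.
    samples = [
        "https://cas_server/cas/login=?http://hosttest1/toto",
        "https://cas_server/cas/login=?http://back_end_srv.mydomain.com:7777/toto",
        "https://cas_server/cas/login?service=http%3A%2F%2Fhosttest1%3A7777%2Ftoto",
    ]
    for loc in samples:
        leak = leaked_backend(loc)
        print("LEAK " + leak if leak else "ok", "<-", loc)
```

Run against the Location headers captured through the VIP for each application path, it shows which CAS client configurations still build their return URL from the node name.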