Forum Discussion
Mike_Richards_6
Mar 01, 2011Nimbostratus
WL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer
I have submitted this issue to Oracle Support because I believe the problem is on the WebLogic side, but I wanted to post it here in case any iRules experts have any suggestions. I will keep this post updated with my findings from Oracle Support.
Here is the contents of the support request I sent to Oracle:
---------------
Problem Description: WL-Proxy-SSL HTTP header is not working in WebLogic 10.3.4 with F5 Big-IP load balancer. We are off-loading the SSL for WebLogic and Oracle SOA Suite to the Big-IP hardware. Setting the WL-Proxy-SSL header worked with WebLogic 10.3.3 but does not appear to be working with 10.3.4.
1) Processor Spec's
64-bit Intel
2) Describe the Oracle environment
FMW 11.1.1.4 home with Oracle SOA Suite installed. The AdminServer is running the WebLogic Console and EM Fusion Middleware Control.
3) Describe your question or issue in detail
Here is the network trace provided by our F5 Big-IP network administrator:
----------------------------------------
This is the conversation between the F5 and the server of me hitting https://soa-test1.corp.paetec.com/console:
GET /console HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MS-RTC LM 8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: soa-test1.corp.paetec.com
Connection: Keep-Alive
Cookie: __utma=105458178.438694096.1294338702.1297090301.1297117932.6; __utmz=105458178.1294338702.1.1.utmcsr=insight.paetec.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_pers=%20s_nr%3D1298411690215-Repeat%7C1301003690215%3B%20s_prop18_persist%3DDirect%7C1298498090418%3B; BIGipServersoa-test1_tcp7101_pool=470164234.48411.0000; ADMINCONSOLESESSION=7zbLNl9Qgnv4Bln17Tp33ZWMrGTX240CC3yQ2DJT1yrLQpQ65vqs!-481033609
WL-Proxy-SSL: true
HTTP/1.1 302 Moved Temporarily
Date: Wed, 23 Feb 2011 22:07:23 GMT
Transfer-Encoding: chunked
Location: http://soa-test1.corp.paetec.com/console/
X-Powered-By: Servlet/2.5 JSP/2.1
0115
302 Moved Temporarily
This document you requested has moved temporarily.
It's now at http://soa-test1.corp.paetec.com/console/.
----------------------------------------
Notice that "WL-Proxy-SSL: true" is present in the HTTP request headers, but WebLogic is still returning a redirect to the HTTP version of the page.
As mentioned earlier, we used an identical load-balancer configuration with FMW 11.1.1.3 and WebLogic 10.3.3 with success.
4) List any documentation or notes you are following
I followed the steps in this document and it did not resolve the issue:
E-WL: How to Configure WebLogic 10.3 Admin Server Behind Load Balancer? [ID 1127517.1]
Perhaps this is a regression of bug 8254839 "In WebLogic Server 10.3.0, the WL-Proxy-SSL header is not recognized by the server."
I have reviewed and performed the steps in Doc ID 1127517.1. I have confirmed that "-Dweblogic.http.isWLProxyHeadersAccessible=true" appears on the command line for the WebLogic java process. The network capture I included in the SR shows that the "WL-Proxy-SSL: true" header is being set at the load balancer.
---------------
- Chris_MillerAltostratusInteresting. I leverage this header as well but we're not on that late of a WL version.
- hooleylistCirrostratusAs Chris says, you should be able to use 'redirect rewrites' on a custom HTTP profile. You might also need to update the response content to rewrite http:// to https://. If that's required, you could use a stream profile and STREAM::expression based iRule:
- Chris_MillerAltostratusAaron,
- hooleylistCirrostratusHi Chris,
- Chris_MillerAltostratusI created a support case on the template. I don't have a WL lab to test upgrades so hopefully Mike feels comfortable doing a case.
- Mike_Richards_6NimbostratusThanks for all the great suggestions everyone. I received an update from Oracle Support that has made great progress in correcting this issue:
- Mike_Richards_6Nimbostratus
- Mike_Richards_6NimbostratusAfter further investigation, we have determined that disabling compression on the https profile on the F5 has resolved the remaining issues https issues with SOA Suite 11g.
- Chris_MillerAltostratusSo what's the verdict here? Does the WL-Proxy-SSL header work on the new WebLogic version without any manual intervention? Or do WebLogic changes need to be made? Sounds like the Plugin Enabled button needs to be checked?
- Mike_Richards_6NimbostratusHi Chris,
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects