connection aborted
2 Topics

iRule HTTP::Redirect not working on some URLs (aborting connection)

Hi all, I'm a bit stumped....

    class SharePoint-Redirect_Urls_Old_Path_To_New_Path_DataGroup {
       {
          "/ALL_ENTRIES_MUST_BE" { "LOWER_CASE_TO_MATCH" }
          "/cop/da-apt" { "/co/da-apt" }
          "/cop/hrp-prh" { "/co/hrp-prh" }
          "/cop/knowledge" { "/co/knowledge" }
          "/cop/ypn-rjp" { "/co/ypn-rjp" }
          "/projects-projets" { "/pj" }
          "/governance-gouvernance" { "/gv" }
          "/communities-communautes" { "/co" }
          "/search/" { "/search-recherche/" }
       }
    }

    rule SharePoint-Redirect_Urls_Old_Path_To_New_Path {
        when RULE_INIT {
            # Set this option to 1 to log messages (to /var/log/ltm by default)
            set static::log_old_to_new_path_redir 1
        }
        when CLIENT_ACCEPTED {
            if {[TCP::local_port] eq 443} {
                set CLIENT_HTTP_TYPE "https"
            } else {
                set CLIENT_HTTP_TYPE "http"
            }
        }
        when HTTP_REQUEST {
            # Lower-cased path; set before the logging branch because the redirect logic below needs it
            # even when logging is switched off
            set HTTP_LPATH [string tolower [HTTP::path]]
            set MATCH_FOUND [class match $HTTP_LPATH starts_with SharePoint-Redirect_Urls_Old_Path_To_New_Path_DataGroup]
            if {($static::log_old_to_new_path_redir) && ($MATCH_FOUND)} {
                set CLIENT_ADDR [IP::client_addr]
                set XFF [HTTP::header X-Forwarded-For]
                # set ID "[TCP::local_port][expr { int(100000000 * rand()) }]"
                # seconds from epoch + random number
                set ID "[TCP::local_port]-[clock seconds]-[expr { int(100000000 * rand()) }]"
                set REQUEST_RECEIVE [clock clicks -milliseconds]
            }
            if {$MATCH_FOUND} {
                # Matching data group key (old path prefix) and its value (new path prefix)
                set KEY [class match -name $HTTP_LPATH starts_with SharePoint-Redirect_Urls_Old_Path_To_New_Path_DataGroup]
                set VAL [class match -value $HTTP_LPATH starts_with SharePoint-Redirect_Urls_Old_Path_To_New_Path_DataGroup]
                set REPLACED_PATH [string map -nocase [list $KEY $VAL] [HTTP::uri]]
                set REDIRECT_URL "$CLIENT_HTTP_TYPE://[HTTP::host]$REPLACED_PATH"
                if {($static::log_old_to_new_path_redir) && ($MATCH_FOUND)} {
                    log local0.info "URI_PATH:[HTTP::path] || KEY:$KEY || VAL:$VAL || REPLACED_PATH:$REPLACED_PATH || REDIRECT_URL:$REDIRECT_URL - SRC:$CLIENT_ADDR ID:$ID"
                }
                HTTP::redirect $REDIRECT_URL
            }
        }
        when HTTP_REQUEST_SEND {
            if {($static::log_old_to_new_path_redir) && ($MATCH_FOUND)} {
                set REQUEST_SEND [clock clicks -milliseconds]
                set REQUEST_WAIT [expr {$REQUEST_SEND - $REQUEST_RECEIVE}]
                log local0. "URI PATH: $HTTP_LPATH - SRC:$CLIENT_ADDR ID:$ID"
            }
        }
        when HTTP_RESPONSE {
            if {($static::log_old_to_new_path_redir) && ($MATCH_FOUND)} {
                set RESPONSE_TIME [expr {[clock clicks -milliseconds] - $REQUEST_SEND}]
                log local0. "URI PATH: $HTTP_LPATH - HTTP[HTTP::status] $RESPONSE_TIME\ms/$REQUEST_WAIT\ms [LB::server addr] - SRC:$CLIENT_ADDR ID:$ID"
            }
        }
    }

The line entries for projects to search in the data group all fail to redirect... I get a browser aborted. However, the log entries show up as successful....

DOES actually redirect:

    Rule SharePoint-Redirect_Urls_Old_Path_To_New_Path : URI_PATH:/cop/ypn-rjp/ || KEY:/cop/ypn-rjp || VAL:/co/ypn-rjp || REPLACED_PATH:/co/ypn-rjp/ || REDIRECT_URL:https://collab.MY_DOMAIN_HERE/co/ypn-rjp/ - SRC:10.128.42.207 ID:1458297076443-20424180

DOES NOT actually redirect (aborted):

    Rule SharePoint-Redirect_Urls_Old_Path_To_New_Path : URI_PATH:/communities-communautes/cts-cst/ || KEY:/communities-communautes/cts-cst || VAL:/co/cts-cst || REPLACED_PATH:/co/cts-cst/ || REDIRECT_URL:https://collab.MY_DOMAIN_HERE/co/cts-cst/ - SRC:10.128.42.207 ID:1458297033443-17874026

The events HTTP_REQUEST_SEND and HTTP_RESPONSE never fire (no logging), which makes sense if the redirect is happening in the HTTP_REQUEST. I added them in to ensure that nothing was actually being sent to the back-end servers.

Do any of you have any insight as to why this would happen?

Cheers!

234 Views 0 likes 1 Comment

Connection terminates/closes with Server SSL Profile --> Server Authentication --> Server Certificate parameter set to require
I have one F5 LTM and one server in its pool. Connection is encrypted end-to-end. Client to F5 is 443. And F5 LTM to server is 443. F5, subsequently, has Client SSL Profile and Server SSL Profile enabled. For reference to Server SSL Profile, please see the Overview of the Server SSL profile article.

I observed that F5 LTM was not validating the server certificate. I can choose any server certificate on server-side, no problem. I ran a Wireshark trace on the server to confirm and observed, yes, F5 accepts the server certificate. Was able to confirm F5 is configured with default Server SSL Profile settings, which means Server Certificate parameter (under Server Authentication section), is set to Ignore, since that is the default.

(An aside to the main topic is why would Ignore be the default or even an option? Why wouldn't you want to close a security loophole, however low risk it must be? What is a legitimate purpose for ignoring server certificate validation, aside from things like dev work, testing, and troubleshooting?)

Set the Server Certificate to Require and website could not load. HTTP 500 error. Connection was terminated (reset/closed). From the Wireshark trace on the server side, it appears the SSL handshake completes but then the connection closes, e.g. [FIN, ACK]. Not precisely sure why this one configuration change causes the connection to terminate.

To my recollection, Authenticate Name is currently blank. Of course, if this problem can be solved, that parameter will be set to the server's FQDN.

I'd be most grateful for any help on what I may be missing or doing incorrectly. Thank you for your time.

376 Views 0 likes 1 Comment
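
For the Server Certificate setting discussed in the post above, an added configuration sketch (not part of the original post and not F5's own example) showing a Server SSL profile left at the default Ignore mode beside one that requires and verifies the pool member's certificate. The profile names, the CA bundle name and the FQDN are placeholders; it assumes the CA bundle that issued the server's certificate has already been imported, because with Require set the presented certificate has to chain to the bundle named in `ca-file`.

```tmsh
# Added example: weak setting next to the hardened one (all names are placeholders).

# Default behaviour: the server certificate is not checked, so any
# certificate presented by the pool member is accepted.
ltm profile server-ssl serverssl_ignore_example {
    defaults-from serverssl
    peer-cert-mode ignore
}

# Hardened profile: the server must present a certificate that chains to
# the trusted CA bundle, and its name must match the expected FQDN.
ltm profile server-ssl serverssl_require_example {
    defaults-from serverssl
    peer-cert-mode require
    # Placeholder: CA bundle that issued the pool member's certificate
    ca-file backend-ca-bundle-placeholder.crt
    # Placeholder: FQDN expected in the server certificate
    authenticate-name app01.example.internal
    # Drop the server-side connection when the certificate is untrusted or expired
    untrusted-cert-response-control drop
    expire-cert-response-control drop
}
```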