url rewrite
7 Topics

SSL Bridging with URL Rewrite
I need to terminate SSL, rewrite the URL and URI, then send to the new destination server with SSL. I have this working, but the SSL session resumption is failing so I have to re-handshake for every call. For a 20 millisecond server call, 80 milliseconds of handshaking is a non-starter. What am I doing wrong?

    when HTTP_REQUEST {
        #log local0. "host: [HTTP::host], uri: [HTTP::uri]"
        switch -glob [string tolower [HTTP::host]] {
            "apps.svr1.oscplatform.site" -
            "apps.svr2.oscplatform.site" -
            "apps.svr3.oscplatform.site" {
                # Example rewrite URL:
                #   apps.svr1.oscplatform.site/rewrite/example-service/blah
                # Result after rule:
                #   example-service.apps.svr1.oscplatform.site/blah

                # Removed the /rewrite/
                set svc_uri [substr [HTTP::uri] 9]
                #log local0. "svc_uri: $svc_uri"

                # Splits the remaining URI into service name and original URI.
                # 'example-service/blah' becomes 'example-service' and '/blah'
                set part_count [scan $svc_uri {%[^?/#]%s} svc uri]

                # If there was no original URI update it to blank.
                if { $part_count == 1 } {
                    set uri ""
                }
                #log local0. "host: $svc.[HTTP::host] uri: '$uri'"

                # Set the new host value.
                HTTP::host "$svc.[HTTP::host]"

                # Update URI to the correct value.
                HTTP::uri "$uri"
            }
        }

        # Set the value used in the SNI extension record.
        # This is used in the SSL handshake to the destination server.
        # This is how we implement SSL Bridging with a possible URL rewrite in the middle.
        set sni_value [HTTP::host]
    }

    when SERVERSSL_CLIENTHELLO_SEND {
        #log local0. "sni_value: $sni_value"

        # SNI extension record as defined in RFC 3546/3.1
        #
        # - TLS Extension Type      = int16( 0 = SNI )
        # - TLS Extension Length    = int16( $sni_length + 5 byte )
        # - SNI Record Length       = int16( $sni_length + 3 byte)
        # - SNI Record Type         = int8( 0 = HOST )
        # - SNI Record Value Length = int16( $sni_length )
        # - SNI Record Value        = str( $sni_value )
        #
        # Calculate the length of the SNI value, Compute the SNI Record / TLS extension fields and add the result to the SERVERSSL_CLIENTHELLO
        SSL::extensions insert [binary format SSScSa* 0 [expr { [set sni_length [string length $sni_value]] + 5 }] [expr { $sni_length + 3 }] 0 $sni_length $sni_value]
    }

686 Views, 0 likes, 2 Comments

URL redirection with retaining the original on browsers
Hi All,

I have a requirement whereby the user would try to access www.test.com but it needs to be redirected to www.test.abc.com, which is hosted in our environment. Business doesn't want to publish our brand name abc.com and therefore requested to retain only www.test.com in end user browsers. Is there a way to achieve this using iRules? Quick response is highly appreciated.

Thanks in advance,
Sai

289 Views, 0 likes, 7 Comments

iRule to change the URL hostname and path, but nothing else
I need to write an iRule that will redirect the browser from this:

    http://server1/fubarpath/AMSDocViewer.asp?DocID=626527942&Rev=1

to this:

    http://server2/apppath/ImageEnablingLauncher.aspx?DocID=626527942&Rev=1

The main point is that I need to retain the ? character and everything to the right of it. [HTTP::uri] seems to be important here, that grabs everything after the hostname. I only need part of that. "string map" could maybe be used to provide a list of things to be changed in the URL, thus keeping the part I need to keep, but I don't know how to put it all together.

349 Views, 0 likes, 2 Comments

iRule to mask hostname in browser and send to a different hostname
My challenge: All our internal users need to hit a public website (final.destination.org) from the same public IP. No issue here, been doing it for years using an internal VIP that "final.destination.org" resolves to via internal DNS and then SNATs them all to a single public IP that the website uses to identify that it's us, and directs our users to the proper data container in the site (there's no login on their site; they ID and permit based on the incoming public IP).

The new development is one of our divisions is breaking out their data on that web platform into a different container at final.destination.org so they need their own custom URL to differentiate from the other users that are using this tried and tested solution. The public site identifies our users by the public IP they see us coming from so I need to get this group of users hitting that website from a different public than the one we've been using. I'm trying to use custom.destination.org for this group of users, which will simply use internal DNS to connect them to a 2nd internal VIP on the F5, which will SNAT those users to a different public IP on our side that the destination in the internet can use to identify these folks, and auto direct them to their custom portal on their site.

The kicker is that every web request that hits the final.destination.org website must have final.destination.org in the web request or it won't work. So with this new setup the users are entering custom.destination.org and that's what is showing up at the final web server so it's not being accepted.

So basically I have the internal DNS set up for custom.destination.org and that resolves to the new internal VIP, which SNATs the session outbound to a new public IP. However, I need the client's browser to use custom.destination.org and write an iRule that makes the 2nd leg of the connection between the F5 and the destination convert to final.destination.org (while maintaining all URIs of course).

525 Views, 0 likes, 3 Comments

Flash problems when portal rewrite profile is defined but not used
I have an access policy that is used across several different virtual servers, one of which has a webtop and portals defined on its policy branch. But I'm finding that flash is broken on traffic to another virtual server using the same policy that never hits the webtop/portal branch and shouldn't be doing any rewriting. Just to make sure, I specified the URLs to be rewritten and excluded the others, including the problem virtual. I'm sure the problem is with the rewrite profile, because if I remove it and the policy branch that has the webtop, my flash problem clears up. Unfortunately, the policy must be shared across both virtuals because of an unrelated external SSO setup. Any suggestions?

220 Views, 0 likes, 0 Comments

TCL error: Prerequisite operation not in progress (line ...
I have an iRule that looks like this:

    when HTTP_REQUEST {
        if {[HTTP::path] eq "/"} {
            HTTP::uri "/newpath"
            pool website-pool
        }
    }

It seems to do its job, but sometimes the next error appears in the Local Traffic Logs:

    TCL error: /Partition/iRule-name - Prerequisite operation not in progress (line 1) invoked from within "HTTP::path"
    TCL error: _plugin_rule_/Common/pluginasm - Prerequisite operation not in progress (line 1) invoked from within "HTTP::class asm"

Tried searching for TCL errors but found nothing that could help me. Can someone tell me what I am doing wrong? I know, it is only to keep the logs clean, but I want to understand what I am doing wrong.

863 Views, 0 likes, 7 Comments

Host rewrite with SSL offloading
Hello,

I am trying to accomplish the following task, that looks very easy, but currently cannot figure out/find out on devcentral or kb. I would like to use my BIG-IP with LTM as a reverse proxy replacement with SSL offloading towards internet, i.e.:

External application: https://app.external.com
Internal application: http://app.internal.com

Everything appended after the URL should be kept as it is (no URI rewrite), means:

    https://app.external.com/a -----> http://app.internal.com/a
    https://app.external.com/b -----> http://app.internal.com/b

so basically, I only want the host name rewritten, as we are using IIS host headers to bind on a single IP multiple websites. In order to accomplish that, I have set up a VS with client SSL profile, and applied ProxyPass iRule. Nevertheless, I can see that when the server response is on http, the client gets the http URL, then the HTTPS back and this throws a client error. ProxyPass log is:

    Rule /Common/ProxyPass : VS=/Common/test_vs_https_app.external.com, Host=app.external.com, URI=/a/: Changing response header Location: http://app.internal.com/a/login.do with http://app.external.com/a/login.do

As you can see, the response back to client is in http, rather than https, and this obviously generates an error. Can you please help me in obtaining such objective?

370 Views, 0 likes, 2 Comments