Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Creating A Redirect with Local Traffic Policies v11.4

This is not a question, I'm just putting this out here to help people who have run into this problem.


Before 11.4, you could easily redirect from HTTP to HTTPS using HTTP Classes. In 11.4, HTTP Classes are no longer present, and there is not yet a solution article published showing how to accomplish the same thing using Local Traffic Policies. You should be able to get by with this for now.


  1. First, you need to Create a policy with the matching strategy of your choice, I chose “best-match”. Chose a name for the policy.
  2. This policy should require “http”, and control “forwarding”.
  3. You can then add a rule. Choose a name for the rule
  4. For the rule conditions, leave the defaults in (empty conditions list).
  5. For the actions, the target should be “http-reply”, the event should be “request” and the action “redirect”. You will have the location parameter available to you. Set the value to : https://[getfield [HTTP::host] ":" 1][HTTP::uri] . This is exactly the same as it is on the HTTP Class documentation (Ref: http://support.f5.com/kb/en-us/solutions/public/7000/100/sol7125.html?sr=32531961 )
  6. Click “Add” for the parameter, then “Add” again to add the action to the list of actions.
  7. Click Finished once done, and then you can attach this policy to the virtual server of choice, and it should redirect all requests to the HTTPS equivalent of the incoming host and URI combination.
11
Rate this Discussion
Comments on this Discussion
Comment made 19-Nov-2013 by czacek 26
Thank you for this. "How to redirect HTTP to HTTPS without an iRule now that HTTP Class Profiles are gone" was difficult to find. How can I make it close the connection afterwards? I have tried everything I could think of, but I always get "Connection: Keep-Alive", and that's not what I want when redirecting the browser to a different TCP port. I tried adding another Rule (all-match strategy on the policy, no condition, http-header response replace / insert name=Connection value=close) to the policy, but it had no effect. I tried using an HTTP Profile that had "Maximum Requests: 1" (and even HTTP 1.1 Pipelining disabled), but it still let me request over and over on the same connection, still said Connection: Keep-Alive, and still redirected me.
0
Comment made 21-Nov-2013 by BinaryCanary
Hi Czacek, Unfortunately, I haven't had time to explore it in more depth yet. So I can't answer your questions at this point in time.
0
Comment made 18-Dec-2013 by James Deucker
Is it possible to control 301 vs 302?
0
Comment made 02-Jan-2014 by BinaryCanary
Hey, unfortunately, it is currently not selectable. There's an open ticket to address this in the hopefully not too distant future. Happy new year :)
0
Comment made 14-Jul-2014 by Steve Duys 0
Can someone link, supply screenshots? Or describe where this is in the UI? Can't find.
0
Comment made 16-Jul-2014 by BinaryCanary
There's an image here: http://postimg.org/image/rypfwsqk9/
0
Comment made 10-Aug-2015 by ictjl 132
This helped us. Thanks!
0
Comment made 11-Aug-2015 by ictjl 132
I'm on version 11.5.3 and I still don't see the option to change the response to a 301 instead of 302 in the LTM policies. Does anyone have a solution for that yet?
0
Comment made 20-Oct-2016 by Jeya Kirushna 0

Thanks :)

0

Replies to this Discussion

placeholder+image

Very Thanks. aFanen01

Is there a more detailed introduction about the local traffic policy?

0
Comments on this Reply
Comment made 21-Nov-2013 by BinaryCanary
Sadly, not at this time. Situation should improve eventually though.
0
placeholder+image

If you want finer grained control attach the following iRule.

when HTTP_REQUEST {
    HTTP::respond 301 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]" Connection Close
}

You can add headers after connection close just keep adding them as header name, a space, header value etc....

0
placeholder+image

When will F5 re-introduce HTTP Classes!!!!

0
placeholder+image

In v11.6.0, the old HTTP profiles are still there, such as /Common/http, and other customised child ones, retained by the upgrade process. It's just that they no longer appear in "Local Traffic" -> Profiles -> Services.

I would like to replicate the function of "Redirect Rewrite" that used to be in the old HTTP profile and it seems that I need to create a rewrite profile instead, not really a "traffic policy" as mentioned above.

Can somebody clarify all this? The solution articles I can find are all about how the old profiles cannot be brought into v11.4.0+ versions for various reasons; there are no specific examples to show how to do it in the new way, and why (to ust say "HTTP class is no longer available" is not that much helpful.)

0
Comments on this Reply
Comment made 18-Mar-2015 by Jie 1786
Sorry, but "HTTP" _is_ still in the menu, at the very top; it's just that the menu is too long and could not be displayed in full.
0
placeholder+image

This construction appears to no longer work in v12.

0
Comments on this Reply
Comment made 11-May-2016 by BinaryCanary
I just tested, and it works. I used a targetted domain though, not the get field commands. What problem are you running into?
0
Comment made 11-May-2016 by BinaryCanary
i will do a test later today when I have more time and update accordingly. Thanks.
0
Comment made 11-May-2016 by rob_carr 436
The rule refuses to add with the "https://[getfield [HTTP::host] ":" 1][HTTP::uri]" syntax, complaining about an illegal URL. This article appears to cover what you need to do in v12: https://devcentral.f5.com/questions/ltm-policy-http-reply-issue Additionally, although the above article doesn't mention it, I could only enter the rule via TMSH, with GUI, it simply would not accept the location value.
0
placeholder+image

In version 12.0, tcl expression may be formatted like: tcl:[tcl expr]

try :

tcl:[https://[getfield [HTTP::host] ":" 1][HTTP::uri]]
0
Comments on this Reply
Comment made 2 months ago by leon.johnson 0

The full KB article can be found here.

https://support.f5.com/csp/article/K26312346

0
placeholder+image

Come to think of it, the whole point of using a policy for this is to remove the need of programming, i.e. having to have someone to write irules, apart from for better performance. Another benefit of that would be more robustness for automation.

Apparently there's still way to go to achieve that.

Don't get me wrong, though, for I love programming myself. :-)

0
Comments on this Reply
Comment made 12-May-2016 by BinaryCanary
Well, you're just using command substitution in order to retrieve HTTP header fields. One way or another, I think some kind of command substitution would be needed for this kind of use case, and why not leverage the available and well-known TCL? Arguably, this pretty common task could be turned into a checkbox feature though...
0