http to https not working with nginx

Hi,

I have a problem with an F5 iRule. I set the iRule on F5 "when HTTP_REQUEST { HTTP::host [HTTP::host]:443; }" and it's working perfectly.

But when I changed my database from Apache to nginx, HTTPS is not working. We ran nginx as the load balancer before and set proxy_set_header Host $host:443;, and it worked well.

Could anyone give me any suggestions, please?

0
Comments on this Question
Comment made 6 days ago by Niels van Sluis 1668

Maybe you don't even need iRules. If I understand correctly you want the client side to be HTTP and the server side HTTPS?

What does your virtual server look like? Can you share the output of:

tmsh list /ltm virtual <virtual_server_name>
0
Comment made 6 days ago by xiiispy 2

Please see the following configuration:

destination x.x.x.x:https

ip-protocol tcp
mask 255.255.255.255
pool lt-test-pool
profiles {
    clientssl-xxxx {
        context clientside
    }
    clientssl-xxxx {
        context clientside
    }
    http { }
    tcp-lan-optimized {
        context serverside
    }
    tcp-wan-optimized {
        context clientside
    }
    web_acceleration_2 { }
}
rules {
    _http_header
}
source 0.0.0.0/0
source-address-translation {
    type automap
}
translate-address enabled
translate-port enabled
vlans {
    external-1
    internal-20
}
vlans-enabled
vs-index 40

} #

0
Comment made 6 days ago by Niels van Sluis 1668

I notice that you don't use any serverssl profiles. So you're basically doing SSL offloading now. When SSL offloading, I don't understand your iRules which are pointing to HTTPS. When SSL offloading I would expect your pool members to be listening on port 80. Can you tell us more about your setup?

0
Comment made 6 days ago by xiiispy 2

Hi Niels van Sluis, you're right, we don't use any serverssl profile. Our pool members are only listening on port 80, so we need iRules to insert host:443, and we'll get the HTTPS web. When we changed the web service from Apache to nginx, it's not working. We're wondering if we need to change the iRules?

The following configuration is our web service and it works well.

destination x.x.x.x:https

ip-protocol tcp
mask 255.255.255.255
pool ltgm_web_pool
profiles {
    clientssl-xxxx {
        context clientside
    }
    clientssl-xxxx {
        context clientside
    }
    http { }
    http2 { }
    oneconnect { }
    tcp-lan-optimized {
        context serverside
    }
    tcp-wan-optimized {
        context clientside
    }
    wan-optimized-compression { }
}
rules {
    _http_header
}
source 0.0.0.0/0
source-address-translation {
    type automap
}
translate-address enabled
translate-port enabled
vlans {
    external-1
    internal-20
}
vlans-enabled
vs-index 63

}#

0
Comment made 6 days ago by Niels van Sluis 1668

Why do you think you need to insert this particular Host header? It makes no sense to me.

0
Comment made 6 days ago by Jie 2260

What is your nginx virtual server configuration for this? That'll give us some clue.

0
Comment made 6 days ago by xiiispy 2

Hi Jie

We need the Host header because we don't use any HTTPS on nginx and Apache, so we need to insert host:443 on F5. It works for the Apache server but not nginx.

Hi Jie, this is our nginx configuration:

server {
    listen      *:80;
    server_name x.x.x.x;
    access_log  /var/log/nginx/xxx_log main;
    error_log   /var/log/nginx/xxx.err_log error;
    access_log off;

    proxy_hide_header               X-Powered-By;
    include                         001-share_conf/aio-thread;
    include                         001-share_conf/ad-rewrite;


    location ~ \.php$ {
        root   /home/xxx;
        include 001-share_conf/fastcgi;
        include 001-share_conf/uuid/lt/bck-lt/uuid;
        include fastcgi.conf;
    }
    # deny access to .htaccess files
    location ~ /\.ht {
        deny  all;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /etc/nginx/html;
    }
}
0
Comment made 6 days ago by Jie 2260

What was your Apache configuration then?

0
Comment made 5 days ago by xiiispy 2

Hi Jie,

Thank you for your help.

This is the Apache configuration:

<VirtualHost *:80>
        ServerName   www.xxx.com:80
        ServerAlias  xxxx.com yyyyy.com www.zzzz.com
        DocumentRoot /home/xxx
        ErrorLog     logs/www.xxx.err_log
        CustomLog    /var/log/httpd/www.xxx.acs_log combinedio

        <Directory "/home/web/xxx/">

                Include /etc/httpd/conf.d/001-share_conf/aa-directory-parameter
                Include /etc/httpd/conf.d/001-share_conf/ad-rewrite
                Include /etc/httpd/conf.d/001-share_conf/xxx/uuid
        </Directory>
</VirtualHost>
0
Comment made 5 days ago by Jie 2260

Remove that iRule from the virtual server, and let us know what exactly was not working when you accessed it. Any error messages?

0
Comment made 5 days ago by xiiispy 2

Hi Jie, we've tried removing the iRules before, and the HTTPS web page only shows 1 picture. It was the same problem as when we don't insert host:443.

0
Comment made 5 days ago by Jie 2260

Did you mean you have the same output page on your screen with or without the iRule?

Without a clear description of what the problem is, we can only make guesses at what is not working.

0
Comment made 5 days ago by xiiispy 2

Hi Jie,

Sorry. If our web service is on nginx, the HTTP web page is normal and shows the login page, but the HTTPS web page only shows one picture.

If our web service is on Apache, we set the iRules on the HTTPS, and it works fine; it shows the login page, the same as the HTTP page.

Before we used the F5 LB, we used an nginx LB instead. It had the same problem, but when we set "proxy_set_header Host $host:443" on nginx, it solved the problem. Is there any similar setting on F5? Or can we use iRules?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If your virtual server is listening on port 443 (with a clientssl profile) and your nginx server is listening on port 80, then you should configure your pool members on port 80, as simple as that.

The iRule does not make any sense, to be honest; injecting the port at the end of the hostname is not going to make that request go to the port you need. Your pool member configuration will do that.

0
Comments on this Answer
Comment made 5 days ago by xiiispy 2

Hi Daniel,

Thanks for your suggestion. Our pool members are only listening on port 80. We also tried not using any iRules, but it's still not working.

0
Comment made 5 days ago by Daniel Varela 615

Can you post here the pool configuration?

0
Comment made 5 days ago by xiiispy 2

Hi Daniel,

This is the pool configuration:

ltm pool lt_web_pool {
    members {
        192.168.x.x:http {
            address 192.168.x.x
            monitor http_head_f5 
            session user-disabled
            state up
        }
        192.168.x.x:http {
            address 192.168.x.x
            logging enabled
            session monitor-enabled
            state up
        }
        192.168.x.x:http {
            address 192.168.x.x
            session monitor-enabled
            state up
        }
    }
    monitor http_head_f5 
}
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I suspect that your application needs to be aware which scheme (HTTP or HTTPS) is used by the user to access it. You can try the following:

Edit the F5 virtual server's HTTP profile:

  • For the field of "Request Header Insert", add "X-Forwarded-Proto: https" (no quotes);
  • For the field of "Redirect Rewrite", select "All"

and see how that goes.

What application software is it, Weblogic, PHP, etc?

0
Comments on this Answer
Comment made 5 days ago by xiiispy 2

Hi Jie,

We really appreciate your help, we'll try it and let you know if it works for us.

0
Comment made 5 days ago by xiiispy 2

Hi Jie,

It still didn't work. We found the difference between Apache and nginx:

If we use Apache, it showed [server_port] => 443, but with nginx it showed [server_port] => 80.

0
Comment made 5 days ago by Jie 2260

How did you find this out? What application software is it, Weblogic, PHP, etc?

0
Comment made 4 days ago by xiiispy 2

Hi Jie,

We set the pool member listening on port 443, and it works fine.

Thank you guys, we really appreciate your help.

0
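Added example, not part of the thread and not any poster's configuration: nginx fills the FastCGI SERVER_PORT, HTTPS and REQUEST_SCHEME parameters from its own listener (port 80 behind the BIG-IP, whatever port the Host header carries), so the X-Forwarded-Proto header suggested in the answer above has to be mapped into them explicitly. The file name fastcgi-behind-f5.conf, the PHP-FPM socket path, the $fe_* variable names and the BIG-IP self IP are assumptions; the stock fastcgi.conf shipped with nginx is assumed as the starting point.

```nginx
# --- http {} context -------------------------------------------------------
# Translate the header inserted by the BIG-IP HTTP profile into the values
# a PHP application reads from $_SERVER.
map $http_x_forwarded_proto $fe_https {
    default "";             # plain HTTP: HTTPS parameter is not sent at all
    https   on;
}
map $http_x_forwarded_proto $fe_port {
    default $server_port;   # real listen port (80)
    https   443;
}
map $http_x_forwarded_proto $fe_scheme {
    default $scheme;
    https   https;
}

server {
    listen      80;
    server_name x.x.x.x;

    # The header is only trustworthy if nothing but the BIG-IP can reach this
    # listener. With SNAT automap, requests arrive from a BIG-IP self IP.
    allow 192.0.2.10;       # placeholder self IP (assumed)
    deny  all;

    location ~ \.php$ {
        root         /home/xxx;
        include      fastcgi-behind-f5.conf;    # assumed file, see below
        fastcgi_pass unix:/run/php-fpm.sock;    # assumed socket path
    }
}

# --- fastcgi-behind-f5.conf ------------------------------------------------
# Copy of the stock fastcgi.conf with exactly these three lines changed.
# was: fastcgi_param HTTPS          $https if_not_empty;
fastcgi_param HTTPS          $fe_https if_not_empty;
# was: fastcgi_param SERVER_PORT    $server_port;
fastcgi_param SERVER_PORT    $fe_port;
# was: fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param REQUEST_SCHEME $fe_scheme;
```

If a port-80 virtual server fronts the same pool, its HTTP profile's "Request Header Erase" field can strip a client-supplied X-Forwarded-Proto so that only the 443 virtual server ever sets it.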