HTTPS rewrite

Hi All,

Have a requirement to rewrite a https request to another url. That part is all good with "HTTP::header replace host <xxx.xxx>". However I need the server side connection to go out as a https connection too with the newly rewritten host (not a redirect to a https host but a rewrite). Is there a way to do this via an irule and if so how? I figured this could be done via a server side SSL Profile too? For example initial https request comes in, client side SSL profile decrypts the connection, http::header replace then rewrites the url and then the server side SSL profile reencrypts to back end pool. Would this work, is this the order of processing with the combined use of SSL profiles and irules? Been trying to test but not much luck with the server side SSL profile.

Thanks

Comments on this Question
Comment made 13-Nov-2014 by Thomas Gobet 994
Hi David, You have the good way to do what you want. An iRule works with http data whether it is https or http on client side, you just have to apply a client side SSL profile. What does not work in your iRule? Can you post it after your post?
Comment made 17-Nov-2014 by david0512 96
Guys I have the first irule working now but the second isn't quite right yet. Can anyone see why the following irule doesn't replace the "host" header with www.cde.com?

when HTTP_REQUEST {
    if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
        HTTP::uri "/[HTTP::host][HTTP::uri]"
        log local0. "first_host_uri: [HTTP::host][HTTP::uri]"
        HTTP::header replace "Host" "www.def.com"
        pool testredirect
        log local0. "second_host_uri: [HTTP::host][HTTP::uri]"
    }
}

Results from the log statements are the following.....

Rule /xxx/xxx_redirect_2 <HTTP_REQUEST>: first_host_uri: www.abc.com/www.abc.com/t/spain
Rule /xxx/xxx_redirect_2 <HTTP_REQUEST>: second_host_uri: www.abc.com/www.abc.com/t/spain

It seems the http header replace host command isn't being actioned but not sure why.

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Thomas

So initially we have the following irule setup on a http virtual server with the intention of anything being requested to www.abc.com/t/abc (HTTP) to be redirected to www.def.com/t/abc (HTTPS - obviously real urls being marked out).

This seems to be a little problematic

when HTTP_REQUEST {
    if { [HTTP::host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
        HTTP::respond 301 location "https://[HTTP::host][HTTP::uri]"
    }
}

Once the redirect takes place the client hits the HTTPS Virtual server. On that Virtual server we have the following irule setup with the intention of rewriting www.abc.com/t/abc (HTTPS) to www.def.com/www.abc.com/t/abc (HTTPS - as you can see maintaining the uri and previous host header).

when HTTP_REQUEST {
    if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
        HTTP::uri "/[HTTP::host][HTTP::uri]"
        HTTP::header replace host "www.def.com"
    }
}

Currently the https server has a ssl client profile and a default pool that pushes requests to the server that can respond with a 200 to www.def.com/t/abc. The connection to the default pool has to be a https connection. So a few questions here.....a) the irule(s) above don't seem to be producing the behaviour we need, can you see any issues? b) I'm unsure how to deal with the https connection, decryption, irule processing and then sending the connection back to the default pool as a HTTPS connection

Thanks for taking the time to look

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It looks okay to me. By the way, you may use starts_with instead of contains.

# config

root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:443
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-port disabled
    vs-index 14
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:443 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
ltm rule qux {
    when HTTP_REQUEST priority 100 {
  log local0. "priority 100 HOST=[HTTP::host] URI=[HTTP::uri]"
}
when HTTP_REQUEST {
  if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
    HTTP::uri "/[HTTP::host][HTTP::uri]"
    HTTP::header replace host "www.def.com"
  }
}
when HTTP_REQUEST priority 1000 {
  log local0. "priority 10000 HOST=[HTTP::host] URI=[HTTP::uri]"
}
}

# log

[root@ve11a:Active:In Sync] config # tail -f /var/log/ltm
Nov 17 15:34:38 ve11a info tmm[14741]: Rule /Common/qux <HTTP_REQUEST>: priority 100 HOST=www.abc.com URI=/t/abc
Nov 17 15:34:38 ve11a info tmm[14741]: Rule /Common/qux <HTTP_REQUEST>: priority 10000 HOST=www.def.com URI=/www.abc.com/t/abc
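
A tighter variant of the rewrite rule discussed in this thread, as an added example that is not part of any post: it matches the Host header exactly instead of with `contains`, because `contains "www.abc."` is true for any Host value that includes that substring and that value is copied into the URI sent to the pool. It also logs from HTTP_REQUEST_SEND, so the log shows the request as it leaves on the server side. The host names are the thread's placeholders, the variable names are hypothetical, and the virtual server is assumed to carry clientssl and serverssl profiles as in the config above.

```tcl
# Added example, not from the thread. www.abc.com and www.def.com are the
# thread's placeholder host names; orig_host and rewritten are hypothetical names.
when HTTP_REQUEST {
    # Normalise the client-supplied Host header: lower-case, drop any ":port".
    set orig_host [string tolower [getfield [HTTP::host] ":" 1]]
    set rewritten 0

    # Exact match on the host, prefix match on the path. Only a value that
    # passed the exact match is ever interpolated into the new URI.
    if { $orig_host equals "www.abc.com" and [HTTP::uri] starts_with "/t/" } {
        # /t/abc becomes /www.abc.com/t/abc
        HTTP::uri "/${orig_host}[HTTP::uri]"
        # The pool member sees the new host name.
        HTTP::header replace Host "www.def.com"
        set rewritten 1
    }
}

when HTTP_REQUEST_SEND {
    # Server-side event that fires just before the request goes to the pool
    # member. HTTP commands are run in the clientside context here.
    if { $rewritten } {
        clientside {
            log local0. "to pool: HOST=[HTTP::header value Host] URI=[HTTP::uri]"
        }
    }
}
```

Requests whose Host does not match exactly pass through unchanged to the default pool, so the log line appears only for rewritten requests.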