Forum Discussion

CraigM_17826's avatar
CraigM_17826
Icon for Altostratus rankAltostratus
Apr 29, 2010

Confusing (well to me!) Profile issue

Hi,

 

 

I had a very odd and confusing issue with a new virtual server we setup for a new WebSphere system. Basically what was happening was this, a redirect from http to https was occuring when a POST action was being submitted to the VIP despite the fact that

 

 

a) any associated iRule being used by this VIP does not do any redirects to https

 

b) any associated http classes were not doing any redirects to https

 

 

The developer of the code was adament the issue was with the BigIP. What I eventually found was that the HTTP Profile for the VIP was a custom one we used on our other WebSphere systems. From memory I found the settings in the F5 WebSphere deployment white papers. This policy only has one setting set and that is the Redirect Rewrite option which is set to all. If I set the HTTP Profile to http for the VIP then this https redirect no longer occurs. So my question is, what exactly does the Redirect Rewrite set to all actually do? I've been going through my notes and can't really find any mention of it.

 

 

The only other difference that I am aware of is that the one the new system they are no lonfer using WebSphere Portal Server, just Application Server.

 

 

Anyway if anyone could throw any light on to this for me it would be appreciated.

 

 

Regrads,

 

 

Craig
application delivery
dev
devops
iRules

3 Replies

Sort By
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Apr 29, 2010
    IIRC that redirect rewrite has changed a couple of times what it actually accomplishes. However what it broadly does is the HTTP profile snoops any redirects coming back from the poolmembers and re-writes them to come back to the VS. (I remember having problems moving from v4 to v9 because of the way in which the rewrites changed)

     

     

    It's possible that what you were hitting was perhaps a websphere system redirecting elsewhere? Which then redirected to an https version of the original VS?

     

     

    However the best way to discover exactly what was happening is to duplicate the problem (e.g. with a test VS pointing at the same pools) and then getting a tcpdump of the traffic (Both frontend and backend connections) and investigating the responses that were being sent from the websphere to the F5 and the responses from the F5 to the client.

     

     

    Sorry, I can't be more detailed... But experience tells us that there are many ways this could be happening... The best way to determine exactly what is to view the traffic passing between the endpoints.

     

     

    BTW. I tend not to use the redirect rewrite option, but use iRUles to acomplish he results. Because in the past I have found too many instances where things don't quite work as you'd like them to...

     

     

    H
  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    Apr 29, 2010
    The experience I have had using the Redirect Rewrite was for consistency.

     

     

    We had a pair of VIPs:

     

    Port 80 - iRule for HTTP to HTTPS Redirect.

     

    Port 443 - SSL Offload

     

     

    On the HTTPS VIP we were doing SSL Off-Load and communicated to the backend server via HTTP. As far as the client was concerned all of the communication was HTTPS, but the application believing that it was HTTP would give all redirects in HTTP.

     

     

    Using the Redirect Rewrite "Matching" setting caused the VIP to look at all redirects and change them all to HTTPS.

     

     

    Client accesses the site:

     

    HTTPS://www.website.com

     

     

    Server sents redirect for content:

     

    HTTP://www.website/somecontent/index.html

     

     

    F5 (Matching Setting) captures the redirect traffic and compares the original URL (HTTPS) and the redirect URL (HTTP) and forces a consistency by changing the redirect HTTPS://www.website/somecontent/index.html

     

     

    This is how we are using it in one instance on one setting. I haven't had the time to test any other uses for it or come across any other situations that might need it.

     

  • CraigM_17826's avatar
    CraigM_17826
    Icon for Altostratus rankAltostratus
    Apr 30, 2010
    Hi all,

     

     

    thanks Hamish and Michael for your informative replies. The online help for the rewrites is fairly terse. Michaels setup is identical to ours and illustrated the behavour we were seeing pretty much to as tee.

     

     

    Many thans to you two for explaining this to me. It makes sence now.

     

     

    Regards

     

     

    Craig