Mobile redirect with forced SSL

How many virtual servers do you have for these two hostnames? Do you have an http and https VS for both? Which VS(s) do you want to redirect from http to https?

 

 

Aaron

I have a single publically available port 80 VS built for “main” site with addition of VS on same IP address providing final target for SSL termination. Final SSL based target VIP has about 10 servers in the farm. This main set of two VSs (80 and 443 VIPS under one IP address) services about 5 k users on average at any time.

 

Mobile devices need to be detected and redirected on the first hit on port 80 to www.main.com site and port 80 VS. Once detected, redirect takes place to m.site.com. M site has same two VIPS as well but is new and can be modified accordingly.

 

When I install redirection script shown, I get redirection working well but SSL redirection with second script fails, regardless where is this applied. I think, It is also safe to say, that m.site needs to respond to port 80 requests as well so it would not be easy to handle SSL requests only on m.site.com VS. M.test.com farm has 4 members in the farm under SSL VIP.

 

 

Thanks for sharing your thougths -

 

 

So basically, if I understand this correctly, you want to redirect all traffic from 80 -> 443, but with any request coming from a mobile device (as defined by your list of Use-Agents) you want to redirect them to https://m.site.com instead of https://site.com?

If that's correct, then your iRule is pretty close, and you could simply modify it to handle both cases:

when HTTP_REQUEST {
  switch -glob [string tolower [HTTP::header User-Agent]] {
   "*blackberry*" -
   "*windows ce*" -
   "*palm*" -
   "*sonyericsson*" -
  "*lg*" -
  "*sie*" -
  "*up.b*" -
   "*up*" -
  "*motorola*" -
  "*mot-*" -
   "*astel;*" -
  "*j-phone*" -
  "*netfront*" -
   "*xiino*" -
  "*iphone*" -
  "*benq*" -
  "*cricket*" -
  "*andr*" - 
  "*htc*" -
  "*nokia*" -
   "*portalmmm *" -
  "*samsung*" -
  "*sec*" - 
   "*vodafone*" -
  "*smartphone*" -
   "*symbian*" { 
      HTTP::redirect "https://msite.web.com[HTTP::uri]" 
      return 
      }
  }
   if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {
    HTTP::redirect "https://msite.web.com[HTTP::uri]"
    return
   }
   if { [HTTP::header exists "MSISDN"] } {
    HTTP::redirect "https://msite.web.com[HTTP::uri]"
    return 
   }
  if {[TCP::local_port] != 443 }{ 
    HTTP::redirect "https://[HTTP::host][HTTP::uri]
  }

Since all of your previous logical statements have built in return statements anyway, this final if should only be executed if nothing else fired, and will do the global redirect everything to SSL functionality, so you would disable this in the profile or wherever you're doing it now and let the iRule handle it. That would, I think, solve the problem.

Colin

Hi Colin and and thank you for your help. I tried sligtly modified version you attached and noticed it does not work.

 

Now, it acts strange with firefox vs IE v 8.x. Firefox actually works well. Using FFX I get redirected. Quick test also shows that mobile devices get detected to m-site, but IE 8.x gets to be detected as a mobile devices.

 

 

 

You are right about extend of redirection. It is okay to redirect mobile gear directly to SSL VIP for m-site. It is one process less for any client to get established SSL to m-site.

 

Buttom line is a requirement that all mobile devices get redirected and be SSL for all sessions right from very first response.

 

 

As I attempt to find out what is causing FFX vs IE 8 issue - do you have other suggestions ?

 

 

I appreciate your help

 

 

Chris

 

 

 

 

It sounds like this approach will work well for you then, you just need to get a more specific list of User-Agents. One of the User-Agents in your list must be catching IE8 and redirecting it. Perhaps try removing them one by one and testing to see which it is? My guess would be windows ce, but it's hard to tell.

 

 

Colin

I'd be concerned with false matching on the really short patterns like these:

 

 

"*lg*" -

 

"*sie*" -

 

"*up.b*" -

 

"*up*" -

 

 

You might try using another set of matching logic like this:

 

 

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=86313&ptarget=86381

 

 

Aaron

Agreed that making the matches as unique and detailed as possible is a good thing. The shorter/more ambiguous they are the more chances you have for errors.

 

 

Colin

Thanks guys,

 

 

I found nice combo set of statements probably capable of taking care of all functionalities but get stuck on syntaxt so further testing is impossible. Can you guys see where I get it wrong. I really appreciate it.

 

 

 

 

when HTTP_REQUEST {

 

if {([string tolower [HTTP::host]] contains "nativeweb-site.com")} {

 

switch -glob [HTTP::header User-Agent] {

 

"*BlackBerry*"

 

"*Blackberry*"

 

"*Blazer*"

 

"*blazer*"

 

"*palm*" -

 

"*Palm*" -

 

"*SMARTPHONE*" -

 

"*Smartphone*" -

 

"*smartphone*" -

 

"*Danger*" -

 

"*hiptop*" -

 

"*MOT-*" -

 

"*RAZR*" -

 

"*AUDIOVOX*" -

 

"*Symbian*" -

 

"*symbian*" -

 

"*NOKIA*" -

 

"*Nokia*" -

 

"*Sony Ericsson*" -

 

"*Samsung*" -

 

"*LG 8*" -

 

"*Alcatel 735i*" -

 

"*Nextel*" -

 

"*Windows CE*" -

 

"*AUDIOVOX*" -

 

"*AU-MIC,*" -

 

"*Alcatel*" -

 

"*BENQ*" -

 

"*CASIO*" -

 

"*CDM-*" -

 

"*Ericsson*" -

 

"*EZOS*" -

 

"*kyok*" -

 

"*Kyocera*" -

 

"*LG-*" -

 

"*LGE-*" -

 

"*NEC-*" -

 

"*Nokia*" -

 

"*nok6*" -

 

"*NOKIA*" -

 

"*Mitsu*" -

 

"*MOT-*" -

 

"*mot-*" -

 

"*Motorola*" -

 

"*Sagem*" -

 

"*SAGEM*" -

 

"*Sendo*" -

 

"*SonyEricsson*" -

 

"*Panasonic*" -

 

"*PANTECH*" -

 

"*QC-*" -

 

"*PlayStation Portable*" -

 

"*PHILIPS*" -

 

"*Samsung*" -

 

"*SAMSUNG*" -

 

"*sama*" -

 

"*SEC-S*" -

 

"*SEC-s*" -

 

"*SEC-N*" -

 

"*Sanyo*" -

 

"*SHARP*" -

 

"*Sharp*" -

 

"*SIE-*" -

 

"*Sony*" -

 

"*SymbianOS*" -

 

"*Symbian OS*" -

 

"*portalmmm*" -

 

"*Vodafone/*" -

 

"*KDDI-*" -

 

"*J-PHONE*" -

 

"*Blazer*" -

 

"*AvantGo*" -

 

"*avantbrowser.com*" -

 

"*Danger*" -

 

"*hiptop*" -

 

"*ProxyNet*" -

 

"*IEMobile*" -

 

"*MobileExplorer*" -

 

"*.Web*" -

 

"*Palm*" -

 

"*Series60*" -

 

"*PalmSource*" -

 

"*PalmOS*" -

 

"*MIDP-2.0*" -

 

"*MIDP-1.0*" -

 

"*CLDC-1.0*" -

 

"*CLDC-1.1*" -

 

"*Series60*" -

 

"*Opera Mini*" -

 

"*MobilePhone*" -

 

"*NetFront*" -

 

"*Nitro*" -

 

"*DoCoMo*" -

 

"*Obigo*" -

 

"*PocketPC*" -

 

"*Pocket PC*" -

 

"*RegKing*" -

 

"*Smartphone*" -

 

"*SmartPhone*" -

 

"*EPOC*" -

 

"*Rover*" -

 

"*iPAQ*" -

 

"*Jornada*" -

 

"*iOpus*" -

 

"*iNASSAP*" -

 

"*Minimo*" -

 

"*Plucker*" -

 

"*ERICY*" -

 

"*SoftBank*" -

 

"*WILLCOM*" -

 

"*YOSPACE*" -

 

"*TagTag*" -

 

"*WinWAP*" -

 

"*UP.Link*" -

 

"*PDXGW*" -

 

"*ASTEL*" -

 

"*WAP1.*" -

 

"*Xiino*" -

 

"*UP/4*" -

 

"*Maemo*" -

 

"*Windows CE*" -

 

"*MSPIE*" -

 

"*Microsoft Pocket Internet Explorer*" -

 

"*Elaine*" -

 

"*EudoraWeb*"

 

"*ReqwirelessWeb*"

 

"*jBrowser-WAP*"

 

"*Lenovo*"

 

"*M3GATE*"

 

"*Cellphone*"

 

"*Sony CMD*"

 

"*wapsilon*"

 

"*TELME*"

 

"*Linux armv*"

 

"*SONY/COM1*"

 

"*embedix armv5tel*"

 

"*Xplore G*"

 

"*mobileOK DDC*"

 

"*Google WAP Proxy*"

 

"*Google CHTML Proxy*"

 

"*NetFront*"

 

{

 

HTTP::redirect "]"

 

return

 

}

 

}

 

 

if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {

 

HTTP::redirect "]"

 

return

 

}

 

if { [TCP::local_port] != 443 }{

 

HTTP::redirect "]"

 

}

 

}

 

A few of the lines in the switch statement were missing the hyphen. I also set the User-Agent string to lower case so you don't have to use multiple patterns to handle mixed cases.

when HTTP_REQUEST {
   if { [string tolower [HTTP::host]] contains "nativeweb-site.com" } {
      switch -glob [string tolower [HTTP::header User-Agent]] {
         "*blackberry*" -
         "*blazer*" -
         "*palm*" -  
         "*smartphone*" -  
         "*danger*" -  
         "*hiptop*" -  
         "*mot-*" -  
         "*razr*" -  
         "*audiovox*" -  
         "*symbian*" -  
         "*nokia*" -  
         "*sony ericsson*" -  
         "*samsung*" -  
         "*lg 8*" -  
         "*alcatel 735i*" -  
         "*nextel*" -  
         "*windows ce*" -
         "*audiovox*" -
         "*au-mic,*" -
         "*alcatel*" -
         "*benq*" -
         "*casio*" -
         "*cdm-*" -
         "*ericsson*" -
         "*ezos*" -
         "*kyok*" -
         "*kyocera*" -
         "*lg-*" -
         "*lge-*" -
         "*nec-*" -
         "*nokia*" -
         "*nok6*" -
         "*nokia*" -
         "*mitsu*" -
         "*mot-*" -
         "*motorola*" -
         "*sagem*" -
         "*sagem*" -
         "*sendo*" -
         "*sonyericsson*" -
         "*panasonic*" -
         "*pantech*" -
         "*qc-*" -
         "*playstation portable*" -
         "*philips*" -
         "*samsung*" -
         "*sama*" -
         "*sec-s*" -
         "*sec-n*" -
         "*sanyo*" -
         "*sharp*" -
         "*sie-*" -
         "*sony*" -
         "*symbianos*" -
         "*symbian os*" -
         "*portalmmm*" -
         "*vodafone/*" -
         "*kddi-*" -
         "*j-phone*" -
         "*blazer*" -
         "*avantgo*" -
         "*avantbrowser.com*" -
         "*danger*" -
         "*hiptop*" -
         "*proxynet*" -
         "*iemobile*" -
         "*mobileexplorer*" -
         "*.web*" -
         "*palm*" -
         "*series60*" -
         "*palmsource*" -
         "*palmos*" -
         "*midp-2.0*" -
         "*midp-1.0*" -
         "*cldc-1.0*" -
         "*cldc-1.1*" -
         "*series60*" -
         "*opera mini*" -
         "*mobilephone*" -
         "*netfront*" -
         "*nitro*" -
         "*docomo*" -
         "*obigo*" -
         "*pocketpc*" -
         "*pocket pc*" -
         "*regking*" -
         "*smartphone*" -
         "*smartphone*" - 
         "*epoc*" -
         "*rover*" -
         "*ipaq*" -
         "*jornada*" -
         "*iopus*" -
         "*inassap*" -
         "*minimo*" -
         "*plucker*" -
         "*ericy*" -
         "*softbank*" -
         "*willcom*" -
         "*yospace*" -
         "*tagtag*" -
         "*winwap*" -
         "*up.link*" -
         "*pdxgw*" -
         "*astel*" -
         "*wap1.*" -
         "*xiino*" -
         "*up/4*" -
         "*maemo*" -
         "*windows ce*" -
         "*mspie*" -
         "*microsoft pocket internet explorer*" -
         "*elaine*" -
         "*eudoraweb*" -
         "*reqwirelessweb*" -
         "*jbrowser-wap*" -
         "*lenovo*" -
         "*m3gate*" -
         "*cellphone*" -
         "*sony cmd*" -
         "*wapsilon*" -
         "*telme*" -
         "*linux armv*" -
         "*sony/com1*" -
         "*embedix armv5tel*" -
         "*xplore g*" -
         "*mobileok ddc*" -
         "*google wap proxy*" -
         "*google chtml proxy*" -
         "*netfront*" {
            HTTP::redirect "http://mobile.site.com[HTTP::uri]"
            return
         }
      }

      if { [string tolower [HTTP::header Accept]] contains "vnd.wap.wml" } {
         HTTP::redirect "http://mobile.site.com[HTTP::uri]"
         return
      }
      if { [TCP::local_port] != 443 }{
         HTTP::redirect "https://nativeweb-site.com[HTTP::uri]"
      }
   }
}

Aaron

Hi Aaron,

 

 

Quick addon of two more devices and acceptance on the box was flowless.

 

All working perfect from my point of view. Customer is testing now.

 

 

I really appreciate your help on the syntax.

 

BTW - what would you suggest as a good reference start in case of syntax of the script problems?