Forum Discussion

stevelee_88077's avatar
stevelee_88077
Icon for Nimbostratus rankNimbostratus
Jul 20, 2011

help with http to https rediect - XenDesktop

Big-IP LTM 1600 10.2.2 (763.3)

 

 

Hello

 

 

I've been through the setup guide for XenDesktop http://www.f5.com/pdf/deployment-guides/ltm-citrix-xendesktop-dg.pdf

 

 

This all went fine and we are offloading SSL at Big-IP. The site loads fine over https, however I want to redirect any client requests from http to https. I've used this forum and added this to my setup: http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html

 

 

So now I have a VS on 443 (https) with the following iRule:

 

 

when HTTP_REQUEST {

 

Check if the client used an SSL cipher

 

if {not ([catch {SSL::cipher version} result]) && $result ne "none"}{

 

Client did use a cipher log local0. "\$result: $result. Allowing encrypted request."

 

} else {

 

Client did not use a cipher log local0. "\$result: $result. Redirecting unencrypted request."

 

HTTP::redirect https://xen.mysite.com } }

 

 

I've also changed the SSL Profile (Client) to allow "Non-SSL Connections" as per the above article.

 

 

https://xen.mysite.com loads fine and I can see traffic through Big-IP

 

http://xen.mysite.com does not redirect to https and I get page connot be displayed error. (in Chrome its Error 102 (net::ERR_CONNECTION_REFUSED)

 

 

 

If I take Big-IP out of the equation and go directly to the Cirtix XenDesktop web it works over both 80 and 443. I can also get it to work over 80 via Big-IP if I change the VS to 80.

 

 

Is there something wrong with the iRule or have I missed something in the config?

 

 

Many thanks in advance for any help you can provide!

 

 

 

application delivery
dev
devops
iRules

6 Replies

Sort By
  • stevelee_88077's avatar
    stevelee_88077
    Icon for Nimbostratus rankNimbostratus
    Jul 20, 2011
    for info, I've also tried these iRules on the https VS without success:

     

     

    when HTTP_REQUEST {

     

    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

     

    }

     

     

    or

     

     

    when HTTP_REQUEST {

     

    if { [TCP::local_port] == 80 }{

     

    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

     

    }

     

    }

     

     

    Must be something to do with the VS config or the client SSL profile....can't figure out what though :(
  • stevelee_88077's avatar
    stevelee_88077
    Icon for Nimbostratus rankNimbostratus
    Jul 20, 2011
    I've managed to sort this. Although it may be obvious to other Big-IP users, we've only just started using it here so thought I would post back what the resolution was.

     

     

    The article below states that you only need to change SSL Profile (Client) to allow "Non-SSL Connections"

     

    http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html

     

     

    This didn't work in my setup for some reason. I had to change the service port on the VS to all ports, not 443. Now, with the following iRule all traffic is redirected to https when a connection is made to this VS:

     

     

    when HTTP_REQUEST {

     

    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

     

    }

     

     

    I may be missing something here but it works for me, let me know if there are any other suggestions...
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Jul 21, 2011
    The first rule you're testing is used to redirect clients who make an HTTP request to an HTTPS virtual server. That rule should only be used on the HTTPS virtual server.

    If you're trying to redirect port 80 traffic to port 443 via HTTPS, you can use the second rule.

    If that's not working, can you try adding logging to both virtual servers: 

     Port 80 iRule
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
   log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\""
}

 Port 443 iRule
when CLIENT_ACCEPTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: Connection to [virtual name] [IP::local_addr]:[TCP::local_port]"
}
when CLIENTSSL_HANDSHAKE {
   log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake complete"
}
when HTTP_REQUEST {
   log local0. "[IP::client_addr]:[TCP::client_port]: UA: [HTTP::header User-Agent], [HTTP::host][HTTP::uri]"
}
when HTTP_RESPONSE {
   log local0. "[IP::client_addr]:[TCP::client_port]: status: [HTTP::status], Location? \"[HTTP::header Location]\""
}

    Aaron
  • stevelee_88077's avatar
    stevelee_88077
    Icon for Nimbostratus rankNimbostratus
    Jul 21, 2011
    Aaron

     

     

    Thanks for your response. Originally I had my VS setup with Service Port 443 (https). I'm guessing the iRule didn't work because the VS isn't allowing Port 80 traffic and therefore never hit the iRule for it to be redirected to 443?

     

     

    The article I mention doesnt seem to suggest this is the case though and just says to set the Client profile used on the SSL VS to allow "Non-SSL Connections".

     

     

    All of the iRules I mention work once the VS service port is set to "* All". Now any traffic I send to that VS is redirected to https, which is exactly what I wanted. Just not sure this is the best way to do it?

     

     

    We've only been using Big-IP for a week but already have a number of sites load balanced. Impressed so far...!
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Jul 23, 2011
    Using * and accepting traffic on all ports isn't best practice... If your goal is to redirect http traffic to https for the application leave your HTTPS vs alone and set it to listen only on 443.

    Then create an 80 VS at the same ip, you will not need to set a pool for this vs, Yes it will show blue in the gui (unknown), no big deal, it still accepts traffic and it's just used for the redirect. Then use this simple iRule on the VS. 

     
rule myrule {
   when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }
}