https and http to http http::path redirection not working

if a user went to https://xxx.b.com/test, nothing happened no logging user gets page cannot be displayed. i think i may be missing something, do i need to setup a separate vs on https 443?yes since even xxx.b.com is resolved to aaa.b.com but user is still accessing https (443).

e.g.

[root@ve1023:Active] config  b virtual aaa.b.com.80 list
virtual aaa.b.com.80 {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b virtual aaa.b.com.443 list
virtual aaa.b.com.443 {
   destination 172.28.19.79:443
   ip protocol 6
   rules myrule
   profiles {
      clientssl {
         clientside
      }
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
      HTTP::redirect "http://aaa.b.com[HTTP::uri]"
   }
}
}

[root@ve1023:Active] config  curl -Ik https://xxx.b.com/test
HTTP/1.0 302 Found
Location: http://aaa.b.com/test
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

thanks, i will give that a try.

 

 

i can see that you have clientssl and clientside ssl profiles, can you tell me what you specified?

 

 

clientssl is default parent to clientside? under clientside do i need to specify non-ssl connections?

 

 

 

my client is adamant that they do not want users being notified regarding a cert by the browser. do I need a cert for the 443 VS for this to work?

 

 

ok i want to ignore the https part on 443 for now as i am having issues redirecting http://xxx.b.com/test to http://aaa.b.com/test.

 

 

i added the rule exactly as you have it and added it to my aaa.b.com:http VS aswell.

 

 

i used fidler2 and went to http://xxx.b.com/test

 

the response URL is: http://xxx.b.com/aaa.b.com/test

 

 

confused as to whats going on. i added logging to my rule and in the ltm log it seems to be stuck in a loop, keeps posting redircting to http://aaa.b.com/test

 

i can see that you have clientssl and clientside ssl profiles, can you tell me what you specified?clientssl is used to decrypt https traffic. since we want to see http header, i.e. HTTP::host, and do redirection, so clientssl is required. clientside means it is configured on client-side i.e. between client and f5.

sol10167: Overview of the Client SSL profile

http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167

under clientside do i need to specify non-ssl connections?no. i do not think you need non-ssl.

my client is adamant that they do not want users being notified regarding a cert by the browser. do I need a cert for the 443 VS for this to work?yes, you have to import certificate and private of xxx.b.com and set them in clientssl profile.

as i am having issues redirecting http://xxx.b.com/test to http://aaa.b.com/test.each i.e. xxx.b.com and aaa.b.com, is different in ip and has own virtual server, hasn't it?

can you try this on xxx.b.com virtual server?

[root@ve1023:Active] config  b virtual bar list
virtual bar {
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when HTTP_REQUEST {
   if {[string tolower [HTTP::host]] equals "xxx.b.com"} {
      HTTP::redirect "http://aaa.b.com[HTTP::uri]"
   }
}
}

[root@ve1023:Active] config  curl -I http://xxx.b.com/test
HTTP/1.0 302 Found
Location: http://aaa.b.com/test
Server: BigIP
Connection: Keep-Alive
Content-Length: 0

they are actually on the same IP address.

 

 

when going to xxx.b.com, dns is pointing them to aaa.b.com address which would be the IP of aaa.b.com.

 

 

i can get it to understand that the request is coming from http::host of xxx.b.com, but still not redirecting.

 

 

i will give what you have posted a try. thanks for the help

alright i got it all working, but for https/443 i could only get it working using the default certificate

 

 

the real xxx.b.com is pointing to a f5 pair in a dmz location.

 

i archived the ca-bundle, and certs from the dmz f5.

 

 

 

the cert common name is for xxx.b.com

 

 

 

imported the archive to the f5 pair doing the redirecting internally.

 

so i put in a cert for xxx.b.com, but the request never goes through and get a page cannot be displayed.

 

once i update the clientssl profile to use the default cert, i get through and am redirected to http://aaa.b.com/test

 

 

 

so the redirect is working, but i need to look into whats up with the certs... going to https://xxx.b.com/test externally is working no problem going to the dmz f5 with the exact same certs I imported into f5 internally at aaa.b.com.

 

 

 

 

 

 

 

did you upload both xxx.b.com certificate and private key? both have to be set in clientssl profile.

yup, even validated them on source f5 with openssl.

 

then validated them on aaa.b.com f5 with openssl. the key and cert are matching pair. md5 hashes match.

 

 

is there any events that i could log with ssl irule event to see where its failing with the certificate.

 

 

 

do you think i could redirect before ssl handshake to avoid use of a cert all together?

 

have you captured packet? was there anything suspicious there?

 

 

e.g.

 

 

tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x or host y.y.y.y

 

x.x.x.x is virtual ip

 

y.y.y.y is pool member ip

 

 

ssldump -Aed -nr /var/tmp/output.pcap -k /config/ssl/ssl.key/zzzz.key

 

zzzz.key is private key file

 

 

you are able to decrypt ssl traffic in wireshark.

 

 

Decrypting SSL traffic with Wireshark, and ways to prevent it

 

http://wirewatcher.wordpress.com/20...revent-it/