Forum Discussion

Jan_T_104445
Aug 06, 2007

Rewriting HTTP redirection with HTTPS->HTTPS (SSL-to-Server feature) does not func.

Topic was wrongly opened in the "iRules - v9.x" forum.

The answers so far:

08/01/2007 7:40 PM by ellmau:

 

Dear Developers and Dear Community,

I've read many topics in the forum concerning the "rewrite HTTP redirection" feature - always reflecting the "HTTP redirect to HTTPS" case.

None is saying anything about the "HTTPS redirect to HTTPS" case.

I have redirection problems within our WebSphere application servers, 'cause they are always using the appserver port and never the origin Big-IP SSL proxy port, when sending out redirects.

I know that in other environments/setups, e.g. if using IBM HTTP Server with WebSphere plugin in front instead of F5 to achieve lookalike functionality as Big-IP load-balancing, session stickiness, etc., they have some variables that can influence the appservers' behavior:

 

 

E.g. WebSphere plugin ->

AppServerPortPreference

Specifies which port number the Application Server should use to build URIs for a sendRedirect. This field also specifies where to retrieve the value for HttpServletRequest.getServerPort().

The following values can be specified:

"hostHeader" if the port number from the host header of the HTTP request coming in is to be used.

"webserverPort" if the port number on which the Web server received the request is to be used.

 

 

So, my question is, how can I do this with Big-IP?

In my setup the following, which is a webapp request for form-based authentication (j_security_check is doing a sendRedirect() call), has to be solved:

Request/Response Flow:

1.) Client requests https://a.b.c/login.html -> Big-IP SSL Proxy -> webapp_https Pool (SSL-to-Server feature) -> sends to https://a.b.c:9443/login.html

2.) Appserver receives the request + does a "sendRedirect()" which leads to a "302" with HTTP LOCATION Header https://a.b.c:9443 which is unfort. sent out to the client.

Any ideas or thoughts are very welcome.

Thanks.

Jan

 

 

 

hoolio

Posts:750

08/03/2007 3:26 PM

Can you try enabling rewrite redirects on the HTTP profile? Try searching for 'rewrite redirect' on AskF5 for more information on this feature.

Aaron

 

 

 

ellmau

Posts:2

08/06/2007 12:56 PM

Thanks for the information.

But we already tried the "Rewriting HTTP redirect" option for the SSL proxy configuration (Big-IP Vers. 4.6.2).

Unfort. we had no luck getting it to work.

Maybe it has something to do with the fact that the SSL proxy is not able to do the "rewrite redirect" for SSL (HTTPS) delivered responses. We tried it in many ways, but the "LOCATION" header has always been delivered to the client with the WebSphere Appserver port information and the port was not "stripped out" as it should be with the "rewriting HTTP redirect" option enabled.

The documentation concerning the "Rewriting HTTP redirection" is only talking about redirects for:

1.) Incoming HTTPS traffic which flows to the appserver as HTTP, and the resulting HTTP response would be redirected as HTTPS to the client.

Question:

Can the same work for HTTPS <-> HTTPS - only stripping out the port information inserted by the appserver (..or could it not work by design)?

Can somebody give an example of a working example configuration (Steps for SSL-Proxy, virt. Server/IP, HTTPS Pool)?

Any thoughts are very welcome :-)

Best regards,

Jan

 

 

 

hoolio

Posts:750

08/06/2007 1:09 PM

Can you confirm which version of BIG-IP you are running? If 4.x, you should post in the 4.x iRules forum (Click here).

Aaron

 

 

Sorry, you are right. We are running BIG-IP Vers. 4.5.x, so I reopened the subject in this forum.

Do you think it's possible to do the HTTPS <-> HTTPS rewrite redirection with stripping out the appserver port from the LOCATION header with that version?

Or do we have to wait for iRules - Vers. 9.x to e.g. replace the LOCATION header from the appserver response accordingly?

Best regards,

Jan

 

 

1 Reply

  • Unfortunately BIG-IP 4.x iRules do not have the ability to do anything with the server response, they can only manipulate incoming requests. And as you surmised Rewrite Redirects only looks for http to rewrite to https.

    I think you are going to have to wait for 9.x iRules in order to be able to strip the 9443 port out of the server response.

    In the meantime, you could create a virtual server listening on 9443 that had a rule redirecting everything to 443, kinda kludgy but it would at least end up with the clients back on 443 where they belong. Just a one-liner would work:

    
    redirect to "https://%h/%u/"

    where %h is the current host and %u is the current URI.

    Or even:

    
    redirect to "https://a.b.c/%u/"

    to ensure use of the host you want.

    Denny
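
The 9.x approach mentioned in the reply above, stripping the appserver port from the Location header of the server response, as an added example that is not part of the original thread. It assumes a BIG-IP 9.x HTTPS virtual server with an HTTP profile and reuses the thread's host a.b.c and port 9443; only redirects to exactly that host and port are rewritten, so redirects to other sites pass through unchanged.

```tcl
# Added example: BIG-IP 9.x iRule for the HTTPS virtual server (port 443)
# whose pool members are the appservers listening on 9443.
# Assumed values taken from the thread: public host a.b.c, appserver port 9443.
when HTTP_RESPONSE {
    # Only redirect responses (3xx) carry a Location header to inspect.
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]

        # Match an absolute https URL for our own host with the backend port,
        # followed by "/", "?", "#" or end of string. This leaves untouched:
        #   - redirects to other hosts,
        #   - relative redirects,
        #   - ports that merely start with 9443 (e.g. :94430).
        if { [regexp -nocase {^https://a\.b\.c:9443((?:[/?#].*)?)$} $loc -> rest] } {
            # Re-emit the redirect without the port; path, query string
            # and fragment are preserved as sent by the appserver.
            HTTP::header replace Location "https://a.b.c$rest"
        }
    }
}
```

With this rule in place the client never sees the 9443 listener, so the separate redirecting virtual server on 9443 is only needed for clients that already hold a bookmarked or cached URL with the port in it.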