Forum Discussion

Phil_Rudich_735
Dec 05, 2007

Redirect Issue

Having a small issue with my iRule. We are trying to first redirect any request that comes in on port 80 to use https, then perform a host replace (see code below). However, when I hit the site, sometimes it comes up fine and other times we get a "page not found" error. It's not consistent and I can't figure out if it's the code or a pool issue.

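when HTTP_REQUEST {
  if { [TCP::local_port] == 80 } {
    # Plain HTTP request: send the client to the same host and URI over HTTPS
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
  } else {
    if { [HTTP::host] equals "www.xxx.company.com" } {
      # Replace the Host header on the request passed to the pool
      HTTP::header replace "Host" "zzz.company.com"
      if { [HTTP::uri] starts_with "/FOO" } then {
        # URI already carries the /FOO prefix: leave it unchanged
      } else {
        switch -glob [HTTP::uri] {
          "/*" -
          "/images/*" -
          "/bin/*" {
            HTTP::uri "/FOO[HTTP::uri]"
          }
        }
      }
    }
  }
}
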
Please help!

Thanks,

Phil

8 Replies

  • Hi,

    It looks like every request with a relative URI which makes it to your switch statement will match /* and get rewritten to /FOO[HTTP::uri], as all relative URIs start with /. If you want to match requests which are literally /, you can remove the asterisk.

    Do you see any errors in the /var/log/ltm log file when a 'page not found' error occurs? Do you have any other iRules attached to the virtual server?

    Aaron
  • I'm not seeing anything relevant in the logs. I may not have the necessary error tracking turned on... as I'm new to these LTMs. Please advise.
  • With a default configuration, TCL errors from iRules will be logged to /var/log/ltm. If you're not seeing an error with TCL in the error text, it's probably not the rule generating the error.

    Can you add log statements and reproduce the problem? The log output will be to /var/log/ltm.

    
    when HTTP_REQUEST {
       # Log every request so it can be traced in /var/log/ltm
       log local0. "Client [IP::client_addr]: requested [HTTP::host][HTTP::uri]"
       if { [TCP::local_port] == 80 } {
          log local0. "Client [IP::client_addr]: requested via port 80, redirecting to https"
          HTTP::redirect "https://[HTTP::host][HTTP::uri]"
       } elseif { [HTTP::host] equals "www.xxx.company.com" } {
          log local0. "Client [IP::client_addr]: client requested [HTTP::host], updating to zzz.company.com"
          HTTP::header replace "Host" "zzz.company.com"
          # Only prefix URIs that do not already start with /FOO
          if { not ([HTTP::uri] starts_with "/FOO") } {
             switch -glob [HTTP::uri] {
                / -
                /images/* -
                /bin/* {
                   log local0. "Client [IP::client_addr]: rewriting URI to /FOO[HTTP::uri]"
                   HTTP::uri "/FOO[HTTP::uri]"
                }
             }
          }
       }
    }

    Aaron
  • Here is a small blurb of what the log shows:

    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: requested www.abms.benelogic.com/
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: client requested www.abms.benelogic.com, updating to memberp06.benelogic.com
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: rewriting URI to /AAEP/
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: requested www.abms.benelogic.com/Benelogic/PF/Templates/BeneBlue/images/logo.gif
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: client requested www.abms.benelogic.com, updating to memberp06.benelogic.com
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: rewriting URI to /AAEP/Benelogic/PF/Templates/BeneBlue/images/logo.gif
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: requested www.abms.benelogic.com/Benelogic/PF/Templates/BeneBlue/images/help_disabled.gif
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: client requested www.abms.benelogic.com, updating to memberp06.benelogic.com
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: rewriting URI to /AAEP/Benelogic/PF/Templates/BeneBlue/images/help_disabled.gif
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: requested www.abms.benelogic.com/Benelogic/PF/Templates/BeneBlue/images/signout_disabled.gif
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: client requested www.abms.benelogic.com, updating to memberp06.benelogic.com
    Dec 5 14:08:49 tmm tmm[673]: Rule AAEP_Redirect : Client 172.29.2.100: rewriting URI to /AAEP/Benelogic/PF/Templates/BeneBlue/images/signout_disabled.gif

    Appears to be doing what it should. So maybe I need to look elsewhere within the LTM for the issue? One thing I forgot to mention (which may be critical) is that we're running in HA mode.
  • Now having an additional issue with the iRule at the very top, that I'm hoping someone can assist with!!

    The iRule appears to be working fine - it replaces the host like it should - but when I browse to www.xxx.company.com using IE7, I receive a certificate error "Mismatched Address". I have a feeling it's doing this because the iRule is adding on the /FOO statement, but can't prove it. If I go directly to the site at zzz.company.com/FOO, it works fine with no cert error.

    Anyone have a clue as to why this is happening?? Please advise!

    Thanks,

    Phil
  • What is the hostname the client is making a request to? What is the CN of the certificate? It sounds like the two aren't the same, so the browser generates a hostname mismatch alert.

    Aaron
  • The hostname of the actual server is memberc06.benelogic.com and it's a star certificate (*.benelogic.com). I just spoke with Microsoft and they explained to me that one of the rules for star-certs is that they can't go more than three deep with the name. So, for instance, www.XXX.benelogic.com would not be acceptable... only if I purchased a cert for that specific name. And since we are performing a host replace, IE still thinks it's the original, which is not acceptable by the star-cert standards.

    If anyone knows a way around this, I'm all ears!

    Phil
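
Added example, not part of the thread: the browser checks the certificate against the hostname it requested during the TLS handshake, before the iRule rewrites the Host header for the pool, so the comparison below is the one that decides whether a mismatch alert appears. It is a conservative, RFC 6125-style matcher written for illustration (function names are hypothetical), run against the hostnames quoted in the thread.

```python
import ipaddress

def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def wildcard_match(cert_name, hostname):
    """Return True if a certificate DNS name covers the requested hostname.

    Conservative reading of the RFC 6125 rules: '*' is honoured only as the
    entire left-most label and stands for exactly one label.
    """
    try:
        ipaddress.ip_address(hostname)
        return False          # IP literals never match DNS names
    except ValueError:
        pass
    pattern, host = _labels(cert_name), _labels(hostname)
    if "" in pattern or "" in host:
        return False          # empty label: malformed name
    if len(pattern) != len(host):
        return False          # '*' cannot absorb extra labels
    if any("*" in label for label in pattern[1:]):
        return False          # wildcard only allowed in the left-most label
    if pattern[0] == "*":
        # require at least two fixed labels so '*.com' is never accepted
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    if "*" in pattern[0]:
        return False          # partial wildcards (w*.example.com) rejected
    return pattern == host

def covering_names(cert_names, hostname):
    """List the certificate names that cover the requested hostname."""
    return [n for n in cert_names if wildcard_match(n, hostname)]

# Names taken from the thread
CERT_NAMES = ["*.benelogic.com"]
REQUESTS = ["memberp06.benelogic.com", "www.abms.benelogic.com", "benelogic.com"]

if __name__ == "__main__":
    for host in REQUESTS:
        ok = covering_names(CERT_NAMES, host)
        print(f"{host:28} -> {'covered by ' + ok[0] if ok else 'hostname mismatch'}")
```

A certificate that lists the exact public name (or a wildcard at the right depth, such as *.abms.benelogic.com) as a subject alternative name passes the same check.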