sparky_86686
Nov 19, 2008

Using "matching" on Rewrite Redirects

In post 13907 Deb mentions that for the Rewrite Redirects functionality in the http profile:

* Matching: Specifies that the system rewrites the scheme to HTTPS in any HTTP redirect responses in which the hostname matches that of the request.

Is this accurate? I see other docs that only mention:

Use "Matching" to rewrite only courtesy redirects intended to append a missing trailing slash to a directory request.

Using this functionality, assuming that Deb's comments are correct, I would think the below test should work?

Background:

I am coming in on an F5 SSL terminated connection with the F5 going back to a http listener on the webserver.

The webserver (Sun) has NSAPI code that does a redirect based on a cookie (since moving SSL to the F5 ALL redirects are going http).

This redirect needs to be changed to https when the connection is https at the F5 and the hostname matches.

    GET / HTTP/1.1
    Host: www.example.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: TEST=.tI%3EJYrYfb4bhrqub..

    HTTP/1.x 302 Moved Temporarily
    Server: ""
    Date: Wed, 19 Nov 2008 19:52:11 GMT
    Content-Type: text/html
    Location: http://www.example.com/noauth/servlet/example?redirectPage=/
    Content-Encoding: gzip
    Transfer-Encoding: chunked
    ----------------------------------------------------------
    http://www.example.com/noauth/servlet/example?redirectPage=/

    GET /noauth/servlet/example?redirectPage=/ HTTP/1.1
    ...

Yet it goes to http.

Any clues?

2 Replies

  • Hi there,

    I think that's a slight mis-statement. I'm pretty sure the host in the redirect location is not checked against the request. The 9.4.5 and 9.3.1 online help shows:

    Redirect Rewrite

    Specifies whether the system rewrites the URIs that are part of HTTP redirect (3XX) responses. The default is None.

    * None: Specifies that the system does not rewrite the URI in any HTTP redirect responses.

    * All: Specifies that the system rewrites the URI in all HTTP redirect responses.

    * Matching: Specifies that the system rewrites the URI in any HTTP redirect responses that match the request URI.

    * Nodes: Specifies that if the URI contains a node IP address instead of a host name, the system changes it to the virtual server address.

    If you want to rewrite the redirect to https if the host in the Location header matches a predefined host you could hardcode it like this:

      
      when HTTP_RESPONSE {

         # Check if response is a redirect
         if {[HTTP::is_redirect]}{

            # Rewrite the location header if it matches a hardcoded host value
            HTTP::header replace Location [string map -nocase "http://www.example.com https://www.example.com" [HTTP::header value Location]]

         }
      }
      

    A more general (but less efficient) option would be to save the Host header value on every request and check if the Location header starts with it:

      
      when HTTP_REQUEST {

         # Save host header in lower case
         set host [string tolower [HTTP::host]]
      }
      when HTTP_RESPONSE {

         # Check if response is a redirect to http:// on the saved request host
         if {[HTTP::is_redirect] and [string tolower [HTTP::header value Location]] starts_with "http://$host"}{

            # Rewrite the scheme in the Location header from http:// to https://
            HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]

         }
      }
      

    Aaron
  • Thanks. Used the generic one so I can apply this on different VIPs if needed. Performs well for our amount of traffic.
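
A stricter variant of the generic iRule above, as an added example that is not part of the original thread: it compares the Location host to the request host exactly (a `starts_with` test also matches longer hostnames that merely begin with the same string) and rewrites only the leading scheme, so an `http://` inside a query-string value is left alone. The variable names and the choice to skip Locations that carry userinfo or an explicit port are assumptions of this example.

```tcl
# Added example, not from the original thread. req_host, loc, loc_host and
# rest are names chosen for this example.
when HTTP_REQUEST {
    # Save the request host in lower case, without any ":port" suffix
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] } {
        set loc [HTTP::header value Location]
        # Match only absolute http:// URLs with no userinfo and no explicit
        # port. loc_host is the host; rest is the path, query and fragment
        # (empty when the Location is just "http://host").
        if { [regexp -nocase {^http://([^/?#:@]+)([/?#].*)?$} $loc match loc_host rest] } {
            # Exact, case-insensitive comparison against the request host
            if { [string tolower $loc_host] eq $req_host } {
                # Replace only the scheme; host and the rest stay as sent
                HTTP::header replace Location "https://$loc_host$rest"
            }
        }
    }
}
```

Relative Location values and redirects to other hosts pass through unchanged, which keeps the rule safe to attach to several virtual servers.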