jeebustrain_421
Sep 08, 2009

rewrite http hyperlinks as https inside SharePoint

Hi,

This is my first post here, so my apologies if this is something that has been covered ad nauseam (I couldn't find anything using search). I'll also start out by saying that I am not an F5 expert (I am more on the application side of things), but I am comfortable with scripting and I just don't understand all of the power and capabilities of the iRule. Here's my situation:

We are currently building out a SharePoint environment. In this environment, we are placing each web application (there are 5) behind its own pool in our F5 LTM (9.4.3). We are also planning on terminating all SSL for the apps on the F5 as well. Also, for our external customers, we are using a pair of MS ISA Server 2007 appliances (behind their own F5 pool as well), which authenticate the users using Forms-based auth and redirect them to the appropriate F5 pool for whatever web app they are trying to reach.

I am in the midst of baking out the SSL part of all of this. Now due to budget constraints, we were unfortunately unable to secure an F5 for our lab, so I had to mock up the SSL termination on our lab ISA Server. It works great... actually, too great. I turned on the URL direct feature and it not only redirected all requests to https, it also went the extra step of rewriting all of the referenced hostnames inside the html itself as https. That's pretty cool, but unfortunately since our ISA Server will not be terminating SSL in production (other than being used as an SSL bridge just to authenticate), this will be creating some inconsistencies between our lab and production. If I can't figure out a way to replicate this in production, it's going to make testing a nightmare, as there are all sorts of add-in apps that this might cause issues for.

What I'd like to do is figure out a way to write an iRule (if it's possible) to rewrite all of the hyperlinks (and text) of, say, http://app1.intranet.com to https://app1.intranet.com.

This seems like something that someone has needed to do before. Does anyone have a good direction for me to follow? Let me know if any more information is needed.

thanks in advance,

-brian

6 Replies

  • Hi Brian,

    Sounds like the quickest and simplest way is to apply the STREAM Profile.

    Check out this article. It explains the stream profile, especially how it's used.

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=101

    I hope this helps,

    CB

  • This is fantastic. Sweet, I can even use regular expressions. I'll be trying this today and I'll let you know what I find.

    One more question though - is it possible to have 2 expressions inside of an iRule? As in, could I stick your standard https redirect iRule at the top and put a stream replacement right below it? Or will I have to combine the logic into a single conditional?
  • nm - I think I figured it out. For what I want, I don't even need to use an iRule at all, I should be able to fix it by just creating a custom Stream Profile.
  • If you enable a stream profile on the virtual server without an iRule, LTM will apply the stream filter to both requests and responses. This includes client POST requests (which you probably don't want to rewrite) as well as binary response content (which probably won't match the find string but can consume a lot of extra LTM resources).

    There is an existing Request For Enhancement (RFE) open with F5 Support which requests F5 provide a GUI option for enabling the stream profile on requests and/or responses. It would also be ideal if they allowed you to configure a filter on the Content-Type value as well.

    Until the GUI options are improved, you would be much better off using an iRule with STREAM::expression to configure the stream profile dynamically per request. There are some fairly detailed examples on how to do this on the wiki page.

    That said, you could probably avoid any configuration changes on LTM by properly configuring SharePoint to use HTTPS references to itself using Alternate Access Mappings. Check this post for some related info:

    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=3352955976

    Aaron
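
The per-request approach described in the post above, as an added example that is not part of the original thread and not F5's own code: the stream filter stays off for requests and is enabled only for text responses. The hostname is the one from the question; the virtual server is assumed to have an HTTP profile and a stream profile attached, and the Location header rewrite for redirects goes beyond what the post covers.

```tcl
# Added example (not from the thread). Assumes an HTTP profile and a stream
# profile on the virtual server, and the hostname used in the question.
when HTTP_REQUEST {
    # Keep the stream filter off for requests so client POST bodies
    # are never rewritten.
    STREAM::disable

    # LTM does not decompress server responses; without this the find
    # string cannot match a gzip-encoded body.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # The stream filter only sees the payload, so absolute http:// URLs
    # in redirect headers have to be rewritten separately.
    if { [HTTP::is_redirect] } {
        HTTP::header replace Location [string map -nocase \
            {"http://app1.intranet.com" "https://app1.intranet.com"} \
            [HTTP::header value Location]]
    }

    # Scan text payloads only; binary content passes through unscanned,
    # which avoids the extra LTM load mentioned in the post.
    if { [HTTP::header value Content-Type] starts_with "text/" } {
        STREAM::expression {@http://app1.intranet.com@https://app1.intranet.com@}
        STREAM::enable
    } else {
        STREAM::disable
    }
}
```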
  • Just FYI: we have seen issues in our environment even with Alternate Access Mapping configured on SharePoint. In our case, LTM is doing SSL offload and the server is configured to listen on 80. SharePoint has access mapping configured which changes http to https. We also have HTTP -> HTTPS redirection set on LTM. Even after having this, we have seen requests breaking. One of the examples is List view. The response shows an "http" URL embedded instead of https.
  • If there are issues with the Alternate Access Mapping, you could potentially fix them with an iRule and stream profile, but it would be ideal to investigate the problem with Microsoft Support too.

    Aaron