Forum Discussion

Brian_107072
Oct 28, 2009

secure redirect behind load balancer

Greetings,

We have some apps that are run behind an SSL-terminating BigIP load balancer. All requests internally are handled on a single non-secure port (8080).

When a request comes in that starts on https and the app returns a redirect (e.g. viewName="redirect:somepage.do"), it sends a redirect with an insecure URL. We never had this problem before, but we only just started using Spring Framework. Struts framework handles it differently. Is there a solution that can be applied on the iRule for this application? Currently the iRule just sends the request to the appropriate pool.

Thanks in advance,

Brian

7 Replies

  • Brian: Create a custom http profile for this virtual server and enable "redirect rewrite". This should work. I'm surprised Spring does this, although I'm sure there's a parameter somewhere that allows you to tune it. Either way, this should work.

    -Matt
  • OK, that works for the Spring app but now the rest of my apps are broken. For example, my PHP site is somehow getting directed to SSL when it's not supposed to be SSL.

    Weird

    --Brian
  • Hi Brian,

    As Matt said, you should be able to configure the application to send HTTPS redirects, but I'm not sure how. If you want to use an iRule, you can use one like this to rewrite the Location header value:

    Rewrite HTTP Redirect Hostname
    http://devcentral.f5.com/wiki/default.aspx/iRules/RewriteHTTPRedirectHostname.html

    Rewrite HTTP Redirect Port
    http://devcentral.f5.com/wiki/default.aspx/iRules/RewriteHTTPRedirectPort.html

    Aaron
  • Brian: It really sounds like you've applied this change to the top level parent HTTP profile, which would then cause *any* virtual server using this profile to take the change. Be sure and create a custom HTTP profile for this specific application, then modify it for this particular app (the Spring app). If you need help doing this please post back. Oh, and if you've indeed changed the parent HTTP profile be sure and roll back your original change!

    Profiles are one of the most powerful (and overlooked) features of BigIP: if you need to assign a set of very specific behaviors to a specific virtual server, you can create a custom profile stack and apply it to that single service...

    Anyhow, if you need help post back - if not, please update us with your final solution so everyone can learn from your config!

    -Matt
  • Matt and Aaron,

    Thank you so much for your assistance. I managed to get it working. It has been a while since I set up the BigIP. With the exception of iRules I rarely have to change anything.

    Two lessons I learned last night:

    1. Don't use the same custom HTTP Profile for both your port 80 VS and your port 443 VS.

    This is why when I modified my custom HTTP profile as suggested by Matt my non-SSL apps started redirecting to SSL.

    2. Don't expect all the iRule code posted on DevCentral to be error free ;-).

    My attempt to use an iRule instead of the check box in the HTTP profile led me to this link on DevCentral:

    http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=220

    At the bottom is the code I took and modified. There is an error in the "string map" function syntax used in this example. It took me some time to figure it out. Below is my solution which I am using.

    when HTTP_REQUEST {
        set URI [HTTP::uri]
        # Host header without any port suffix
        set URIHOST [getfield [HTTP::host] ":" 1]
        set CLIENT [IP::client_addr]
        # save hostname for use in response
        set fqdn_name [HTTP::host]
    }

    when HTTP_RESPONSE {
        set HeadLoc [HTTP::header Location]
        log local0. "HeadLoc is $HeadLoc"
        # Only rewrite redirects for the listed host and application paths
        switch $URIHOST {
            www.somewhere.org {
                switch -glob $URI {
                    "/appname1/*" -
                    "/appname2/*" {
                        if { [HTTP::is_redirect] } {
                            if { [HTTP::header Location] starts_with "/" } {
                                # Relative redirect: prefix scheme and requested host
                                HTTP::header replace Location "https://$fqdn_name[HTTP::header Location]"
                            } else {
                                # Absolute redirect: switch http:// to https://
                                HTTP::header replace Location "[string map { "http://" "https://" } [HTTP::header Location]]"
                            }
                        }
                    }
                }
            }
        }
    }

    I chose to do it this way because I wanted to control which apps were being rewritten.

    This weekend I'll probably set up an HTTP profile for my port 80 VS. Once that is done I'll re-enable the "redirect rewrite" option on my custom HTTP profile attached to my port 443 VS. Then I'll test all my apps again.

    Thanks again,

    --Brian
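
Added example, not part of the thread and not F5 or DevCentral code: a Python model of the Location rewrite discussed above, run over constructed Location values to compare a blanket `http://` to `https://` replacement with a rewrite that parses the URL first. The function names, the sample values and the `partner.example.net` host are assumptions made for illustration, as is the case of a backend that puts port 8080 into its redirects.

```python
from urllib.parse import urlsplit, urlunsplit

BACKEND_PORT = 8080  # internal non-SSL port mentioned in the thread


def rewrite_string_map(location, request_host):
    """Model of the posted iRule logic: prefix relative paths, otherwise
    replace every 'http://' (Tcl string map replaces all occurrences)."""
    if location.startswith("/"):
        return "https://" + request_host + location
    return location.replace("http://", "https://")


def rewrite_parsed(location, request_host):
    """Rewrite only the scheme (and a leaked backend port) of redirects
    that point back at the host the client asked for."""
    if location.startswith("/"):
        return "https://" + request_host + location
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname != request_host.lower():
        return location  # already https, or a redirect to another site
    netloc = parts.hostname
    if parts.port not in (None, 80, BACKEND_PORT):
        netloc += ":%d" % parts.port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed Location header values (not taken from the thread).
SAMPLES = [
    "/appname1/somepage.do",
    "http://www.somewhere.org/appname1/somepage.do",
    "http://www.somewhere.org:8080/appname1/somepage.do",
    "http://www.somewhere.org/appname1/login.do?next=http://www.somewhere.org/a",
    "http://partner.example.net/landing",
]


def compare(host="www.somewhere.org"):
    """Return (original, string-map result, parsed result) for each sample."""
    return [(s, rewrite_string_map(s, host), rewrite_parsed(s, host)) for s in SAMPLES]


if __name__ == "__main__":
    for original, mapped, parsed in compare():
        print(original, "\n  string map:", mapped, "\n  parsed:    ", parsed)
```

The two approaches agree on the first two samples; they differ when the Location carries the backend port, embeds another URL in its query string, or points at a different site.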