CraigM_17826
Feb 03, 2010 Altostratus
Odd issue with pools and a redirect
Hi all,
Sorry if this is a bit of a rambling post, but it's quite an odd issue I am seeing and I wanted to explain what we are doing and why. Hopefully it's not too confusing.
One of the current tasks I have been assigned is to modify an existing rule so that when the URI contains some specific text, a server-side redirect to an external URL occurs so that the content displayed is actually coming from an external server but the client-side URL must still show our corporate URL. For example:
If the user enters https://www.acme.com.au then the content comes from our web servers. If they enter https://www.acme.com.au/site1 then the content displayed comes from the external web server but the URL presented to the user is still https://www.acme.com.au/site1
In a nutshell, part of our website is being hosted elsewhere but my company doesn't want the end users to be aware of this; they want it to appear to be coming from us.
Now I thought the easiest way would be to create a pool with a single node that resolves to the external server and then in the iRule check the URI for the matching text and then use that pool.
The external server is running Oracle Application Server with a self signed SSL cert.
For the pool I created a node for the remote server and specified the operating port as 443. I also installed the company's CA for their self-signed cert so the BigIP would trust their certificate.
In the iRule I have
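when HTTP_REQUEST {
    # Send requests under /site1 to the pool containing the external server
    if { [string tolower [HTTP::uri]] starts_with "/site1" } {
        pool "External_Site1"
        return
    }
}
when SERVER_CONNECTED {
    # The pool name is lower-cased here, so compare against a lower-case string
    if { [string tolower [LB::server pool]] eq "external_site1" } {
        SSL::profile "External_Site1"
    } else {
        SSL::disable serverside
    }
}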
Now what is happening is that the remote server is also attempting to load balance their site and, for reasons out of my control, it is issuing a client-side redirect to their backend servers on port 82. I don't know why this is occurring and neither do they, but apart from the obvious issues this will cause, one odd thing is that even though they claim the redirects to their backend servers are over HTTP to port 82, the BigIP seems to be enforcing an HTTPS connection for the redirect. This is what I see with HTTPWatch under IE if I go direct to their website, bypassing our BigIP:
redirect to http://backendserver1.com.au:82/site1
If I go to our BigIP URL then I see
redirect to https://backendserver1.com.au:82/site1
and then the error ERROR_INTERNET_SECURITY_CHANNEL_ERROR (this error is from HTTPWatch), which I gather is because the BigIP is attempting an SSL connection on port 82 and on a server that doesn't have an SSL cert installed.
My question is why is the redirect being forced to HTTPS by the BigIP and is there a way to stop this?
Any comments welcome.
Regards
Craig
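
An added example, not part of the original post: a small Python check that compares the redirect target seen when going direct to the external site with the one seen through the proxy, using the two Location values quoted above as constructed sample input. The function name `redirect_findings` and the `PUBLIC_HOST` constant are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

PUBLIC_HOST = "www.acme.com.au"  # public hostname used in the post

def redirect_findings(direct, via_proxy, public_host=PUBLIC_HOST):
    """Compare the Location seen direct-to-origin with the one seen via the proxy."""
    d, p = urlsplit(direct), urlsplit(via_proxy)
    findings = []
    # Absolute redirect to another host: the browser leaves the proxy and the
    # backend server name becomes visible to the end user.
    if p.hostname and p.hostname != public_host:
        findings.append("off-proxy host: %s" % p.hostname)
    # Same host, port and path but a different scheme: something between the
    # origin and the client changed the scheme only.
    same_target = (d.hostname, d.port, d.path) == (p.hostname, p.port, p.path)
    if same_target and d.scheme != p.scheme:
        findings.append("scheme rewritten: %s -> %s" % (d.scheme, p.scheme))
        # An explicit port that answered plain HTTP will not complete a TLS handshake.
        if d.scheme == "http" and p.scheme == "https" and p.port is not None:
            findings.append("https now targets plaintext port %d" % p.port)
    return findings

# Constructed sample: the two redirect targets quoted in the post.
DIRECT = "http://backendserver1.com.au:82/site1"
VIA_PROXY = "https://backendserver1.com.au:82/site1"

if __name__ == "__main__":
    for finding in redirect_findings(DIRECT, VIA_PROXY):
        print(finding)
```

Run against Location headers captured on both paths, this shows whether a redirect takes the client off the proxied hostname and whether its scheme was changed in transit.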