Forum Discussion

Mike_Mergens_61 (Nimbostratus)
Aug 15, 2013

Multiple HTTPS redirect to single HTTP URL

We are installing a server to present maintenance pages for several different web sites. The server is using host headers, and that appears to be working when a user connects to a down VIP. The issue I'm having is that when connecting via HTTPS the client will get a certificate warning, because the SSL profile does not match all of the potential URLs.

I would like to create an iRule that would use a datalist to map the correct URL for the initially requested VIP, then redirect them to the single server using host headers to present the appropriate site's maintenance or "site down" page. Any suggestions? It seems most of the conversation is about HTTP to HTTPS redirects.

 

Appreciate any direction on this.

 

Mike

 

5 Replies

  • Richard__Harlan (Historic F5 Account)

    You could also create an iRule and attach it to each VIP. If all the members in the pool are down, or if all the pool members return a 5xx error, then it would return the maintenance page to the user. There would still be only one iRule to maintain and you would not have to worry about redirecting any requests.

     

  • Arie (Altostratus)

    Just keep in mind that SNI is not compatible with any version of IE on Windows XP.

     

  • Using TLS Server Name Indication is one way of handling this; however, it will only work for TLS 1.1 and BIG-IP 11.1 and later.

     

    There are a couple ways you could do this or something like it: 1) Use a priority based pool membership where your 1 maintenance server is at a lower priority group than the others. Then when it is time for maintenance, take your primary servers offline and traffic would flow through the VIP to the maintenance server. (No iRules required)

     

    2) Use a simple iRule that can be applied to the VIP when you want to take the site down. My company created a vanity host "sorry.your domain.com" and the iRule does a 302 redirect to the http://sorry address. Because the HTTPS VIP issues the 302 to the HTTP address, you don't end up with the SSL issue, but if your site is in a browser's "trusted" site list, they may get a warning about being redirected to an "untrusted" site.

     

    3) Use a rule like the ProxyPass iRule that would take the inbound request and remap it on the fly to a different pool & URI on the inside network.

     

    All 3 of these scenarios are viable alternatives to using SNI if it is not available.

     

    One somewhat less desirable option would be to create a multi-name SSL cert for your maintenance VIP that contains all of your other domains as aliases. If your maintenance page is a vanity host header, this is probably not an issue but could be a security risk if your key was compromised and those names reached the live application.
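    The 302-redirect in option 2 above, combined with Richard__Harlan's "one iRule per VIP" approach, written out as an added example. This is not code from the thread or from F5; the data group name dg_sorry_hosts, its contents, the host names and the HTML page are assumptions. The data group maps each public host name to the plain-HTTP URL that the single maintenance server answers on (via its host headers), so the redirect target is a looked-up value and never a string built from the client-supplied Host header, which keeps the iRule from becoming an open redirect. As BinaryCanary_19 points out below, HTTP_REQUEST only fires after the TLS handshake, so this avoids the certificate warning on the maintenance host only, not on the VIP itself.

```tcl
# Added example, not from the thread. Attach to each HTTPS virtual server that
# has a default pool. Assumed string data group, created separately:
#   dg_sorry_hosts:  www.example.com  := http://www-down.example.com/
#                    shop.example.com := http://shop-down.example.com/
# Keys are lower-case host names; values are URLs on the maintenance server.
#
# Caveat: HTTP_REQUEST fires only after the TLS handshake has completed, so
# nothing here can prevent a certificate warning on the VIP itself; it only
# avoids the one the client would get on the maintenance host.

when RULE_INIT {
    # Inline fallback page for hosts that have no data-group entry (assumed text).
    set static::sorry_html "<html><body><h1>Service temporarily unavailable</h1><p>Please try again in a few minutes.</p></body></html>"
}

when HTTP_REQUEST {
    # Only act when every member of the VIP's default pool is down.
    if { [active_members [LB::server pool]] > 0 } {
        return
    }

    # Normalise the requested host (drop any :port, lower-case) and look it up;
    # class match -value returns "" when there is no entry.
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set sorry_url [class match -value $host equals dg_sorry_hosts]

    if { $sorry_url ne "" } {
        # Option 2: 302 from the HTTPS VIP to the plain-HTTP maintenance server.
        # The target comes from the data group, not from the Host header.
        HTTP::redirect $sorry_url
    } else {
        # No mapping: answer in place (Richard's approach) instead of redirecting
        # anywhere derived from an unvalidated Host header.
        HTTP::respond 503 content $static::sorry_html "Content-Type" "text/html" "Retry-After" "300" "Cache-Control" "no-store"
    }
}

when HTTP_RESPONSE {
    # Members are up but the application is failing: replace any 5xx with the
    # maintenance page so users never see a raw server error.
    if { [HTTP::status] >= 500 } {
        HTTP::respond 503 content $static::sorry_html "Content-Type" "text/html" "Retry-After" "300" "Cache-Control" "no-store"
    }
}
```

    Note that the only traffic sent to plain HTTP is the request for the sorry page itself; a host name that is not in the data group gets the inline 503 with Retry-After and Cache-Control: no-store, so neither browsers nor intermediate caches hold on to the maintenance response after the site comes back.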

     

  • BinaryCanary_19 (Historic F5 Account)

    By the time your iRule gets to the HTTP_REQUEST event, the SSL handshake would have already completed (including the certificate warnings).

     

    If you cannot use a certificate with SNI on the LTM, then what you ask does not seem feasible, because if you are not doing SSL offloading on the LTM, then you cannot have access to the HTTP events in an iRule.