Forum Discussion

chuckcald_15879
May 28, 2014

Help with Irule to redirect url port and pass POST data

Hi all.

Users must use https://sso.domain.com/sp/ACS.saml2 to pass their SSO (Single Sign ON) to our SP servers.

Our SP server listens on port 9031.

I need the SSO POST data coming to https://sso.domain.com/sp/ACS.saml2 to be redirected to https://sso.domain.com:9031/sp/ACS.saml2. Traffic to https://sso.domain.com:9031/sp/ACS.saml2 needs to be sent to our "SSO" VIP.

The iRule I have written doesn't pass the POST data through the redirect. Can anyone be so kind as to review my iRule?

when HTTP_REQUEST {
    # Check if request was a POST
    if { [string tolower [HTTP::method]] eq "post" } {
        # Check if there is a Content-Length header
        if { [HTTP::header exists "Content-Length"] } {
            if { [HTTP::header "Content-Length"] > 1048000 } {
                # Content-Length over 1Mb so collect 1Mb
                set content_length 1048000
            } else {
                # Content-Length under 1Mb so collect actual length
                set content_length [HTTP::header "Content-Length"]
            }
        } else {
            # Request did not have a Content-Length header, so use default of 1Mb
            set content_length 1048000
        }
        # Don't collect content if Content-Length header value was 0
        if { $content_length > 0 } {
            HTTP::collect $content_length
        }
    }
}
when HTTP_REQUEST_DATA {
    # Port 443: send the client a redirect to the :9031 URL. The redirect is a
    # new request from the client, so the collected POST data is not carried over.
    if { [TCP::local_port] == 443 and [HTTP::uri] contains "/sp/ACS.saml2" } {
        HTTP::redirect https://sso.domain.com:9031/sp/ACS.saml2
    }
    # Port 9031: hand the request to the SSO_9031 virtual server
    if { [TCP::local_port] == 9031 and [HTTP::uri] contains "/sp/ACS.saml2" } {
        virtual SSO_9031
    } else {
        return
    }
}
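To show why the redirect in the post above loses the POST data while an in-proxy virtual-server switch keeps it, here is an added Python model of the two mechanisms. It is not code from the original post and not F5 code; the request, hostnames and paths are constructed to match the thread (sso.domain.com, /sp/ACS.saml2, port 9031). The client model follows RFC 7231 section 6.4, so it also covers 307/308, which the thread does not use (HTTP::redirect sends a 302).

```python
"""Redirected POST versus in-proxy virtual-server switch (added illustration).

Not code from the original post or from F5. Hostnames, paths and the SAML
request are constructed to match the thread; client behaviour on redirects
follows RFC 7231 section 6.4.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed SAML HTTP-POST binding request, as the IdP's auto-submit form
# sends it to the SP's assertion consumer service. The SAMLResponse value is a
# placeholder, not a real assertion.
SAML_POST = Request(
    method="POST",
    url="https://sso.domain.com/sp/ACS.saml2",
    headers={"Host": "sso.domain.com",
             "Content-Type": "application/x-www-form-urlencoded"},
    body=b"SAMLResponse=UExBQ0VIT0xERVI&RelayState=app1",
)


def client_follow_redirect(original: Request, resp: Response) -> Request:
    """Model the user agent's handling of a redirected POST (RFC 7231 6.4).

    301/302/303: browsers re-issue the request as GET to the Location and
    drop the body (RFC 7231 allows this for 301/302, requires it for 303).
    307/308: method and body are preserved.
    """
    location = resp.headers["Location"]
    host = urlsplit(location).hostname
    if resp.status in (301, 302, 303):
        return Request("GET", location, {"Host": host}, b"")
    if resp.status in (307, 308):
        return Request(original.method, location,
                       dict(original.headers, Host=host), original.body)
    raise ValueError(f"not a redirect status: {resp.status}")


def irule_redirect(req: Request) -> Response:
    """The posted iRule's approach: HTTP::redirect, i.e. a 302 to the :9031 URL."""
    target = "https://sso.domain.com:9031" + urlsplit(req.url).path
    return Response(302, {"Location": target})


def irule_virtual_switch(req: Request) -> Request:
    """The reply's approach: the `virtual` command hands the same request,
    headers and body included, to the 9031 virtual server inside the proxy.
    Nothing goes back to the client, so there is no second request to lose."""
    return Request(req.method, req.url, dict(req.headers), req.body)


def sp_acs(req: Request) -> dict:
    """What the SP's ACS endpoint sees: the method and whether a SAMLResponse arrived."""
    form = parse_qs(req.body.decode()) if req.method == "POST" else {}
    return {"method": req.method, "has_saml_response": "SAMLResponse" in form}


def outcome_with_redirect() -> dict:
    """Port 443 iRule answers 302; the browser follows it as a bodiless GET."""
    second_request = client_follow_redirect(SAML_POST, irule_redirect(SAML_POST))
    return sp_acs(second_request)


def outcome_with_virtual_switch() -> dict:
    """Port 443 iRule switches virtual servers; the SP gets the original POST."""
    return sp_acs(irule_virtual_switch(SAML_POST))


if __name__ == "__main__":
    print("HTTP::redirect   ->", outcome_with_redirect())
    print("virtual SSO_9031 ->", outcome_with_virtual_switch())
```

Running it prints a GET with no SAMLResponse for the redirect path and the intact POST for the virtual-server switch, which is the difference the question is about: the ACS endpoint never receives the assertion when the client is sent a 302.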

13 Replies

  • I need the SSO POST data coming to https://sso.domain.com/sp/ACS.saml2 to be redirected to https://sso.domain.com:9031/sp/ACS.saml2. Traffic to https://sso.domain.com:9031/sp/ACS.saml2 needs to be sent to our "SSO" VIP.

     

    Is sso.domain.com:443 a virtual server? And what is its pool?

     

    Is sso.domain.com:9031 also a virtual server? Is it the same as, or different from, the sso.domain.com:443 virtual server? And what is its pool?

     

      chuckcald_15879
      sso.domain.com:443 is a virtual server with a pool named "pool_sso.domain.com_443". sso.domain.com:9031 is a different virtual server named sso_9031 with a pool named "pool_sso_9031".
      chuckcald_15879
      We do not want to route all traffic from sso.domain.com:443. Only traffic going to /sp/ACS.saml2. https://sso.domain.com goes to our sso.domain.com:443 virtual server and is needed for normal 443 traffic. https://sso.domain.com/sp/ACS.saml2 needs to be redirected to https://sso.domain.com:9031/sp/ACS.saml2 and sent to virtual server sso_9031 where the SP server is listening only on port 9031. I hope this clarifies more.
  • Isn't it like this?

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar443
    ltm virtual bar443 {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        vs-index 36
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      if { [HTTP::path] starts_with "/sp/ACS.saml2" } {
        virtual bar9031
      }
    }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar9031
    ltm virtual bar9031 {
        destination 172.28.24.10:9031
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 37
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    
     trace
    
    [root@ve11a:Active:In Sync] config  ssldump -Aed -nni 0.0 -k /config/ssl/ssl.key/default.key port 443 or port 9031 or port 80
    New TCP connection 1: 172.28.24.1(42244) <-> 172.28.24.10(443)
    1 1  1401289187.2551 (0.0347)  C>S SSLv2 compatible client hello
    1 2  1401289187.2552 (0.0000)  S>CV3.1(81)  Handshake
    1 3  1401289187.2552 (0.0000)  S>CV3.1(954)  Handshake
    1 4  1401289187.2552 (0.0000)  S>CV3.1(4)  Handshake
    1 5  1401289187.2598 (0.0045)  C>SV3.1(262)  Handshake
    1 6  1401289187.2598 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    1 7  1401289187.2598 (0.0000)  C>SV3.1(48)  Handshake
    1 8  1401289187.2672 (0.0074)  S>CV3.1(1)  ChangeCipherSpec
    1 9  1401289187.2672 (0.0000)  S>CV3.1(48)  Handshake
    1 10 1401289187.2696 (0.0024)  C>SV3.1(272)  application_data
        ---------------------------------------------------------------
        POST /sp/ACS.saml2 HTTP/1.1
        User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
        Host: 172.28.24.10
        Accept: */*
        Content-Length: 4
        Content-Type: application/x-www-form-urlencoded
    
        test---------------------------------------------------------------
    New TCP connection 2: 172.28.24.1(9736) <-> 172.28.24.10(9031)
    2 1  1401289187.2709 (0.0000)  C>SV3.3(109)  Handshake
    2 2  1401289187.2709 (0.0000)  S>CV3.3(81)  Handshake
    2 3  1401289187.2709 (0.0000)  S>CV3.3(954)  Handshake
    2 4  1401289187.2709 (0.0000)  S>CV3.3(4)  Handshake
    2 5  1401289187.2719 (0.0009)  C>SV3.3(262)  Handshake
    2 6  1401289187.2719 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
    2 7  1401289187.2721 (0.0002)  C>SV3.3(80)  Handshake
    2 8  1401289187.2780 (0.0059)  S>CV3.3(1)  ChangeCipherSpec
    2 9  1401289187.2780 (0.0000)  S>CV3.3(80)  Handshake
    2 10 1401289187.2782 (0.0001)  C>SV3.3(288)  application_data
        ---------------------------------------------------------------
        POST /sp/ACS.saml2 HTTP/1.1
        User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
        Host: 172.28.24.10
        Accept: */*
        Content-Length: 4
        Content-Type: application/x-www-form-urlencoded
    
        test---------------------------------------------------------------
    New TCP connection 3: 200.200.200.14(17839) <-> 200.200.200.101(80)
    1401289187.2790 (0.0006)  C>S
    ---------------------------------------------------------------
    POST /sp/ACS.saml2 HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.24.10
    Accept: */*
    Content-Length: 4
    Content-Type: application/x-www-form-urlencoded
    
    test---------------------------------------------------------------
    
    
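The ssldump trace in the reply above is the evidence that the `virtual` switch carries the POST body across every hop. As an added check (not code from the reply or from F5), here is a small Python parser for that trace format that decodes each connection's application-data block and confirms the same POST, with a Content-Length matching its body, appears on the 443, 9031 and pool-member port-80 connections. The embedded trace is trimmed from the reply's output, with the TLS handshake records dropped.

```python
"""Verify from an ssldump trace that a POST and its body reached every hop.

Added verification helper for this thread, not code from the reply or from F5.
TRACE is trimmed from the reply's ssldump output (handshake records removed).
"""
import re

TRACE = """\
New TCP connection 1: 172.28.24.1(42244) <-> 172.28.24.10(443)
1 10 1401289187.2696 (0.0024)  C>SV3.1(272)  application_data
    ---------------------------------------------------------------
    POST /sp/ACS.saml2 HTTP/1.1
    Host: 172.28.24.10
    Accept: */*
    Content-Length: 4
    Content-Type: application/x-www-form-urlencoded

    test---------------------------------------------------------------
New TCP connection 2: 172.28.24.1(9736) <-> 172.28.24.10(9031)
2 10 1401289187.2782 (0.0001)  C>SV3.3(288)  application_data
    ---------------------------------------------------------------
    POST /sp/ACS.saml2 HTTP/1.1
    Host: 172.28.24.10
    Accept: */*
    Content-Length: 4
    Content-Type: application/x-www-form-urlencoded

    test---------------------------------------------------------------
New TCP connection 3: 200.200.200.14(17839) <-> 200.200.200.101(80)
1401289187.2790 (0.0006)  C>S
---------------------------------------------------------------
POST /sp/ACS.saml2 HTTP/1.1
Host: 172.28.24.10
Accept: */*
Content-Length: 4
Content-Type: application/x-www-form-urlencoded

test---------------------------------------------------------------
"""

CONN_RE = re.compile(r"New TCP connection (\d+): (\S+)\((\d+)\) <-> (\S+)\((\d+)\)")
DASHES = "-" * 8  # ssldump frames each decoded application-data block with dashes


def parse_http_block(lines):
    """Split one decoded block into request line, headers (lower-cased names) and body."""
    method, path, _version = lines[0].split()
    headers, i = {}, 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers[name.strip().lower()] = value.strip()
        i += 1
    body = "\n".join(lines[i + 1:])
    return {"method": method, "path": path, "headers": headers, "body": body}


def parse_ssldump(text):
    """Return one record per TCP connection with the HTTP requests decoded on it."""
    hops, current, block = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            current = {"conn": int(m.group(1)), "src": m.group(2), "dst": m.group(4),
                       "dst_port": int(m.group(5)), "requests": []}
            hops.append(current)
            continue
        if block is None:
            if line.startswith(DASHES) and current is not None:
                block = []  # opening dashed line: start collecting the block
            continue
        if DASHES in line:  # closing dashed line, glued to the last body line by ssldump
            block.append(line[:line.index(DASHES)])
            current["requests"].append(parse_http_block(block))
            block = None
        else:
            block.append(line)
    return hops


def check_body_preserved(hops, path="/sp/ACS.saml2"):
    """Report whether every hop carrying `path` saw the same method and body,
    with a Content-Length that matches the body actually captured."""
    seen = [(h["dst_port"], r) for h in hops for r in h["requests"] if r["path"] == path]
    if not seen:
        return {"preserved": False, "ports": []}
    first = seen[0][1]
    ok = all(
        r["method"] == first["method"] and r["body"] == first["body"]
        and int(r["headers"].get("content-length", "-1")) == len(r["body"].encode())
        for _, r in seen
    )
    return {"preserved": ok, "ports": [p for p, _ in seen], "body": first["body"]}


if __name__ == "__main__":
    print(check_body_preserved(parse_ssldump(TRACE)))
```

If the redirect approach from the question were in place instead, the port-9031 and port-80 connections would show a GET with no body (or no block at all), and the check would report the body as not preserved; that is the quickest way to confirm on the BIG-IP itself whether the assertion is reaching the SP.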
      chuckcald_15879
      When I follow the configuration listed, my browser connection gets reset and nothing loads. I noticed that your pool foo is listening on port 80. It should be listening on 9031. I made that change and the browser still gets reset.