Forum Discussion

Wayne_159516's avatar
Wayne_159516
Icon for Nimbostratus rankNimbostratus
Jun 03, 2014
Solved

Redirect or Append URI with a new path /newpath, for a https website.

What is the best way to handle an https site that requires authentications, but would like the F5 to append or redirect traffic to a new path?

 

https://exam.mycomp.com/ to https://exam.mycomp.com/newpath ?

 

I've tried using : when HTTP_REQUEST { if {[HTTP::path] eq "/"}{ HTTP::path "/newpath" } }

 

but the website does not handle http profile at all. It just spins and crashes. Please advise. Thanks.

 

application delivery
devops
iRules
LTM
  • Cory_50405's avatar
    Cory_50405
    Jun 04, 2014

    You should be able to use the same iRule on your 443 virtual server as long as you apply a client SSL profile. If your servers on the back end are expecting SSL, then yes you will need to apply a server SSL profile as well. The standard serverssl profile will do in most cases unless the server is doing some kind of certificate based authentication.

     

12 Replies

Sort By
  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jun 03, 2014

    Do you have a client SSL profile applied to your 443 virtual server? You'll need to decrypt the SSL in order to inspect the HTTP traffic and redirect. The client SSL profile will terminate the SSL at the BIG-IP so you can perform layer 7 functions like HTTP redirection.

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jun 03, 2014

    Try to obtain the certificate and private key from the server in question. Then load that into your LTM and apply it to a client SSL profile. Then apply that client SSL profile to your 443 virtual server.

     

  • Mark_Stradling_'s avatar
    Mark_Stradling_
    Icon for Cirrus rankCirrus
    Jun 03, 2014

    You might also want to make sure you capture "" as the path.

    HTTP_REQUEST 
    { if {[HTTP::path] eq "/" || [HTTP::path] eq ""} {
        HTTP::path "/newpath" }
        pool target_pool
    }
  • Wayne_159516's avatar
    Wayne_159516
    Icon for Nimbostratus rankNimbostratus
    Jun 03, 2014

    What if I need to use a vanity name? And need to redirect that to the '/path' ?

     

    http://vanityname/ needs to point to https://exam.mycomp.com/newpath ?

     

    What is the best way to incorporate that? Thanks.

     

  • Wayne_159516's avatar
    Wayne_159516
    Icon for Nimbostratus rankNimbostratus
    Jun 04, 2014

    when HTTP_REQUEST {

     

    if {[HTTP::host] eq "vanityname" || [HTTP::host] eq "vanityname.mycomp.com" } {

     

    HTTP::redirect "https://exam.mycomp.com/newpath/"

     

    } }

     

    So I confirmed this works on port80/http.

     

    Unfortunately, I need to get this working on port443/https on the virtual server and the backend nodes in the pool.

     

    I know I probably need a client ssl profile, but do I need a server ssl profile for the backend nodes listening on 443?

     

    Does the client ssl profile use the same certificate as the server ssl profile? Should the certificate be for the vanityname or the actual name?

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Jun 04, 2014

    You should be able to use the same iRule on your 443 virtual server as long as you apply a client SSL profile. If your servers on the back end are expecting SSL, then yes you will need to apply a server SSL profile as well. The standard serverssl profile will do in most cases unless the server is doing some kind of certificate based authentication.

     

    • Wayne_159516's avatar
      Wayne_159516
      Icon for Nimbostratus rankNimbostratus
      Jun 04, 2014
      Do I still need to check for [HTTP::path] eq "/" || [HTTP::path] eq "" ?
    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Jun 04, 2014
      What's the final state of your iRule? Can you post the most recent? It may still be needed but I want to see what you're working with right now.
  • Wayne_159516's avatar
    Wayne_159516
    Icon for Nimbostratus rankNimbostratus
    Jun 04, 2014

    this is the current one. I've tested this on a test vip on 443. It appears to work.

     

    when HTTP_REQUEST {

     

    if {[HTTP::host] eq "vanityname" || [HTTP::host] eq "vanityname.mycomp.com" } {

     

    HTTP::redirect "https://exam.mycomp.com/newpath/"

     

    }

     

    }

     

    • Cory_50405's avatar
      Cory_50405
      Icon for Noctilucent rankNoctilucent
      Jun 04, 2014
      Since you're redirecting away from the original host request, no path checking should be needed. This shouldn't put you in any redirect looping scenarios.