Forum Discussion

Alex_Dominic_Sa's avatar
Alex_Dominic_Sa
Icon for Nimbostratus rankNimbostratus
Sep 13, 2014

How to do Port forwarding from 443 to 80 ?

My VIP is enabled with HTTPS and running on 443 and i have pool configured with 80. My underlying JBoss is configured with 8080. When I hit the VIP with HTTPS , it does not reach any of the pool instances which are HTTPD instances. At the same time, when i configure VIP with HTTP:80 it works perfectly. Kindly help to me to understand the problem and explain the solution

 

APM
application delivery
ASM Advanced WAF
deployment
devops
hp
iRules
security

6 Replies

Sort By
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Sep 13, 2014

    As long as Translate Port/Service is enabled on the VIP, the VIP will automatically translate the destination port to match the target pool member, so you just need to add your pool members to the pool with the correct port.

     

    • BinaryCanary_19's avatar
      BinaryCanary_19
      Historic F5 Account
      Sep 13, 2014
      A common mistake people make is to also put a ServerSSL profile on the VIP when the pool members are not doing SSL (because they think a 443 VIP needs it). You only need serverssl when the F5 is supposed to do SSL to the pool members (it has nothing to do with the ports)
  • Alex_Dominic_Sa's avatar
    Alex_Dominic_Sa
    Icon for Nimbostratus rankNimbostratus
    Sep 13, 2014

    Thanks all, I resolved this issue by enabling Virtual Servers -> HTTP Profile to rewriteredirectall. Now got a different issue where I am able to hit deployed JBoss application with HTTPS VIP URL but the subsequent requests are not going HTTPS and when I try other links inside the application, it goes to HTTP and I get Page cannot be displayed. Please advice. I tried the iRule but nothing works , even it does not hit the Apache HTTPD using VIP address. when HTTP_REQUEST { HTTP::redirect "https://[HTTP::host][HTTP::uri]" }

     

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Sep 13, 2014

    The problem has nothing to do with port forwarding at all, but is simply trying to patch a limitation in your app that hard-codes links as "HTTP" (absolute urls), when it should use relative URLs, and allow the browser to decide whether it should be HTTP or HTTPS.

     

    Apart from actually fixing the app itself (which may be as simple as flipping a setting somewhere), you may be able to use a "stream" or "rewrite" profile to rewrite all possible links from HTTP to HTTPS, and to make sure that the host part of the links points to the same F5 VIP. Using an irule that redirects HTTP to HTTPS may work too, but that is going to cause POSTS that get a 302 response to be lost.

     

    The best and easiest way is to find a solution in the application itself. Failing that, you're gonna have to play around with the stream and rewrite profile, and irules and hope you catch every case.

     

  • Alex_Dominic_Sa's avatar
    Alex_Dominic_Sa
    Icon for Nimbostratus rankNimbostratus
    Sep 19, 2014

    I created another Virtual Server with same VIP on F5 where I configured it with the same application port 8080. Added the rule to redirect HTTP request to HTTPS and it is working. But now i have another problem , I unable to log out from the application. When I click on log out it goes to application home page.

     

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Sep 19, 2014

    Quite likely, somewhere in all the redirects, you have a redirect that discards the PATH of the URL.

     

    Example, if the logout page has link: http://example.com:8080/logout.php

     

    and your 8080 VIP sends a redirect to https://example.com , then the logout will not work, because /logout.php has been discarded in the redirect.