Forum Discussion

sterreta_87927's avatar
sterreta_87927
Icon for Nimbostratus rankNimbostratus
Oct 15, 2014

My iRule is creating a redirect loop!

I have a LTM virtual server that receives port 80 traffic and redirects it via a HTTP Class Profile to HTTPS and my port 443 virtual server. I am having trouble handling incoming URI's failing. I am trying to change the path for an incoming host request so that the existing path is replaced with "/wfc/navigator/logonWithUID"

This is the rule I came up with. It works with all of my test URL's in that it rewrites the path correctly (as seen in the web browser address bar), but it has a redirect loop and never gets past the virtual server to the Pool. Log checks confirm the looping

    when HTTP_REQUEST {
  if {[HTTP::host] contains "timesheet"} { 
     HTTP::uri "/wfc/navigator/logonWithUID"
        log local0.info "why wont you work"
     }                  
    }

These are my test URL's:

    http://timesheet.widget.com
    http://timesheet.widget.com/
    https://timesheet.widget.com
    https://timesheet.widget.com/
    http://timesheet.widget.com/wfc/logon
    http://timesheet.widget.com/wfc/logon/
    https://timesheet.widget.com/wfc/logon
    https://timesheet.widget.com/wfc/logon/

I just cannot figure out the looping. Any help is much appreciated.

APM
application delivery
deployment
devops
iRules
LTM
redirect looping
security

7 Replies

Sort By
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Oct 15, 2014
    Using the solution above user won't see the remapped URI in the browser bar, this is a silent method as the header replacement happens in F5 without user's having any awareness of the modifications made.

As it's a redirect to another service (from HTTP to HTTPS), you might be better off trying something as follows:

when HTTP_REQUEST {

 if {[HTTP::host] contains "timesheet"} {
   HTTP::respond 302 Location "https://[HTTP::host]/wfc/navigator/logonWithUID"
   event disable all
   TCP::close
   log local0.info "Redirected [IP::client_addr] to https://[HTTP::host]/wfc/navigator/logonWithUID"
   }
 }

Also, can you please provide outputs from the commands below:

 1) (From any device besides F5) curl -vI https://your-service.com
 2) (From F5) curl -vI http://pool-member:xxxx
    • sterreta_87927's avatar
      sterreta_87927
      Icon for Nimbostratus rankNimbostratus
      Oct 15, 2014
      Thank you for your time and attention. I tried the iRule script provided above. The browser responded with "Internet Explorer cannot display the webpage" and the address in the address bar did not change from the test URL entered. The F5 log had the following message repeated dozens of times: "Rule ir_timesheet-test_HTTPStoHTTPS_URI_ADD : Redirected 10.220.188.89 to https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID" How do I use the curl statements to provide the output you are requesting?
    • Hannes_Rapp_162's avatar
      Hannes_Rapp_162
      Icon for Nacreous rankNacreous
      Oct 15, 2014
      Perhaps the server responds back with a redirect from HTTPS location to a HTTP location? E.g. - F5 redirects to: https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID - Server redirects to http://whatever - F5 redirects to: https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID - Server redirects to http://whatever ... You can test that with a "firebug" add-on (Firefox) or developer tools (Chrome) Alternatively, you can use the cURL method I suggested (requires UNIX/Linux OS): "curl -vI https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID" (paste all output here)
  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    Oct 15, 2014
    Using the solution above user won't see the remapped URI in the browser bar, this is a silent method as the header replacement happens in F5 without user's having any awareness of the modifications made.

As it's a redirect to another service (from HTTP to HTTPS), you might be better off trying something as follows:

when HTTP_REQUEST {

 if {[HTTP::host] contains "timesheet"} {
   HTTP::respond 302 Location "https://[HTTP::host]/wfc/navigator/logonWithUID"
   event disable all
   TCP::close
   log local0.info "Redirected [IP::client_addr] to https://[HTTP::host]/wfc/navigator/logonWithUID"
   }
 }

Also, can you please provide outputs from the commands below:

 1) (From any device besides F5) curl -vI https://your-service.com
 2) (From F5) curl -vI http://pool-member:xxxx
    • sterreta_87927's avatar
      sterreta_87927
      Icon for Nimbostratus rankNimbostratus
      Oct 15, 2014
      Thank you for your time and attention. I tried the iRule script provided above. The browser responded with "Internet Explorer cannot display the webpage" and the address in the address bar did not change from the test URL entered. The F5 log had the following message repeated dozens of times: "Rule ir_timesheet-test_HTTPStoHTTPS_URI_ADD : Redirected 10.220.188.89 to https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID" How do I use the curl statements to provide the output you are requesting?
    • Hannes_Rapp's avatar
      Hannes_Rapp
      Icon for Nimbostratus rankNimbostratus
      Oct 15, 2014
      Perhaps the server responds back with a redirect from HTTPS location to a HTTP location? E.g. - F5 redirects to: https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID - Server redirects to http://whatever - F5 redirects to: https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID - Server redirects to http://whatever ... You can test that with a "firebug" add-on (Firefox) or developer tools (Chrome) Alternatively, you can use the cURL method I suggested (requires UNIX/Linux OS): "curl -vI https://uslv-timesheet-test.xxxxx.com/wfc/navigator/logonWithUID" (paste all output here)
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Oct 15, 2014
    curl -I http://timesheet.widget.com/wfc/logon

    Also, make sure you don't assign Hannes' rule to both VIPs (for 80 and 443).