david0512_20548
Nov 12, 2014

HTTPS rewrite

Hi All,

Have a requirement to rewrite an HTTPS request to another URL. That part is all good with "HTTP::header replace host ". However, I need the server-side connection to go out as an HTTPS connection too, with the newly rewritten host (not a redirect to an HTTPS host but a rewrite). Is there a way to do this via an iRule, and if so, how? I figured this could be done via a server-side SSL profile too? For example, the initial HTTPS request comes in, the client-side SSL profile decrypts the connection, HTTP::header replace then rewrites the URL, and then the server-side SSL profile re-encrypts to the back-end pool. Would this work? Is this the order of processing with the combined use of SSL profiles and iRules? Been trying to test but not much luck with the server-side SSL profile.

Thanks

4 Replies

  • Hi David, You have the right approach for what you want. An iRule works with HTTP data whether it is HTTPS or HTTP on the client side; you just have to apply a client-side SSL profile. What does not work in your iRule? Can you post it after your post?
  • Hi Thomas

    So initially we have the following irule setup on a http virtual server with the intention of anything being requested to www.abc.com/t/abc (HTTP) to be redirected to www.def.com/t/abc (HTTPS - obviously real urls being marked out).

    This seems to be a little problematic

    when HTTP_REQUEST {
        if { [HTTP::host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
            HTTP::respond 301 location "https://[HTTP::host][HTTP::uri]"
        }
    }
    

    Once the redirect takes place the client hits the HTTPS Virtual server. On that Virtual server we have the following irule setup with the intention of rewriting www.abc.com/t/abc (HTTPS) to www.def.com/www.abc.com/t/abc (HTTPS - as you can see maintaining the uri and previous host header).

    when HTTP_REQUEST {
        if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
            HTTP::uri "/[HTTP::host][HTTP::uri]"
            HTTP::header replace host "www.def.com"
        }
    }
    

    Currently the HTTPS server has an SSL client profile and a default pool that pushes requests to the server that can respond with a 200 to www.def.com/t/abc. The connection to the default pool has to be an HTTPS connection. So a few questions here: a) the iRule(s) above don't seem to be producing the behaviour we need; can you see any issues? b) I'm unsure how to deal with the HTTPS connection, decryption, iRule processing and then sending the connection back to the default pool as an HTTPS connection.

    Thanks for taking the time to look

  • Guys, I have the first iRule working now but the second isn't quite right yet. Can anyone see why the following iRule doesn't replace the "host" header with www.cde.com?

    when HTTP_REQUEST {
        if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
            HTTP::uri "/[HTTP::host][HTTP::uri]"
            log local0. "first_host_uri: [HTTP::host][HTTP::uri]"
            HTTP::header replace "Host" "www.def.com"
            pool testredirect
            log local0. "second_host_uri: [HTTP::host][HTTP::uri]"
        }
    }

    Results from the log statements are the following:

    Rule /xxx/xxx_redirect_2 : first_host_uri: www.abc.com/www.abc.com/t/spain
    Rule /xxx/xxx_redirect_2 : second_host_uri: www.abc.com/www.abc.com/t/spain

    It seems the HTTP header replace host command isn't being actioned, but not sure why.
  • It looks okay to me. By the way, you may use starts_with instead of contains.

     config
    
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        translate-port disabled
        vs-index 14
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:443 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST priority 100 {
      log local0. "priority 100 HOST=[HTTP::host] URI=[HTTP::uri]"
    }
    when HTTP_REQUEST {
      if { [HTTP::header host] contains "www.abc." and [HTTP::uri] starts_with "/t/" } {
        HTTP::uri "/[HTTP::host][HTTP::uri]"
        HTTP::header replace host "www.def.com"
      }
    }
    when HTTP_REQUEST priority 1000 {
      log local0. "priority 10000 HOST=[HTTP::host] URI=[HTTP::uri]"
    }
    }
    
     log
    
    [root@ve11a:Active:In Sync] config  tail -f /var/log/ltm
    Nov 17 15:34:38 ve11a info tmm[14741]: Rule /Common/qux : priority 100 HOST=www.abc.com URI=/t/abc
    Nov 17 15:34:38 ve11a info tmm[14741]: Rule /Common/qux : priority 10000 HOST=www.def.com URI=/www.abc.com/t/abc
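
The rewrite discussed in this thread with the Host check tightened, as an added example that is not part of any poster's reply. It assumes the thread's placeholder hostnames, a virtual server carrying clientssl, http and serverssl profiles as in the config above, and illustrative priority values; it logs from a later-priority HTTP_REQUEST event, as the last reply does, because HTTP::host and HTTP::uri return values cached for the event in which they are changed.

```tcl
# Added example (not from the thread). www.abc.com and www.def.com are the
# thread's placeholders; the priorities 500 and 900 are illustrative choices.

when HTTP_REQUEST priority 500 {
    # The Host header is client-supplied. Normalise it before comparing:
    # lower-case it and drop any ":port" suffix.
    set orig_host [string tolower [getfield [HTTP::host] ":" 1]]

    # Compare the whole name instead of using "contains", so that only the
    # one intended hostname is ever copied into the path sent to the pool.
    if { $orig_host eq "www.abc.com" and [HTTP::uri] starts_with "/t/" } {
        # Prefix the original host to the path, keeping the original URI:
        # /t/abc becomes /www.abc.com/t/abc
        HTTP::uri "/${orig_host}[HTTP::uri]"

        # Present the back-end name in the Host header. The serverssl
        # profile on the virtual server re-encrypts toward the pool;
        # nothing in the iRule is needed for that step.
        HTTP::header replace Host "www.def.com"
    }
}

when HTTP_REQUEST priority 900 {
    # Runs after the block above. Reading the values here, in a separate
    # event block, shows the rewritten request rather than the values
    # cached while the priority 500 block was running.
    log local0. "after rewrite HOST=[HTTP::host] URI=[HTTP::uri]"
}
```

Requests whose Host does not match exactly pass through unchanged to the default pool; add an else branch if they should be rejected or logged instead.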