Forum Discussion

DDuck_139270
Jun 15, 2016

HTTPS (old) to HTTPS (new) Redirect with an existing VS and Client Profile

I have read many postings on similar setups, but I am not sure any of them fit mine. So I need to share my scenario.

Here is the scenario:

I have an existing VS and a client profile that is terminating SSL using the F5. This existing VS will have its client profile changed to the new SSL certificate. The old domain (https) will need to map or redirect to the new domain (https) without the users noticing.

So, we need to redirect https://olddomain.com/path to https://newdomain.com/path. Both old and new domains will use the same DNS IPs.

The goal is to ensure the user sees "https://newdomain.com/whatever/path" every time using a 301 redirect. The following is what I am proposing:

when HTTP_REQUEST {
        HTTP::respond 301 Location "https://newdomain.com[HTTP::uri]"
}

Any issues with this proposal?

Thanks D

4 Replies

  • Hi,

    This is correct.

    You may need to force the client to close the connection:

    when HTTP_REQUEST {
            HTTP::respond 301 Location "https://newdomain.com[HTTP::uri]" "Connection" "Close"
    }
    

    As you are using multiple DNS hostnames for the same IP address, how do you manage the client SSL part?

    Do you have Server Name Indication used with 2 certificates on the virtual server?

    or

    Do you have a single SSL profile using a Subject Alternative Name certificate containing both hosts?

    or

    a wildcard certificate on a single SSL profile?

  • "Do you have Server Name Indication used with 2 certificates on the virtual server?"

    No.

    or

    "Do you have a single SSL profile using a Subject Alternative Name certificate containing both hosts?"

    Yes, the new certificates have SANs. The SANs include the old domains.

    or

    "a wildcard certificate on a single SSL profile?"

    Yes, in some cases there are wildcard certificates replacing wildcard certificates using SANs.

  • Ok, perfect, so using the iRule below will help you redirect users coming to your app using an old hostname to the new hostname:

    when HTTP_REQUEST {
        if { !([HTTP::header "Host"] eq "newdomain.com") } {
            HTTP::respond 301 Location "https://newdomain.com[HTTP::uri]" "Connection" "Close"
        }
    }
    

    This iRule will redirect every request made to a hostname different from newdomain. You can also define the opposite:

    when HTTP_REQUEST {
        if { [HTTP::header "Host"] eq "olddomain.com" } {
            HTTP::respond 301 Location "https://newdomain.com[HTTP::uri]" "Connection" "Close"
        }
    }
    

    And to conclude, if you have several old domains you want to include, you can use a string-based data group with the iRule below:

    when HTTP_REQUEST {
        if { [class match [HTTP::header "Host"] equals DG_OLD_DOMAINS] } {
            HTTP::respond 301 Location "https://newdomain.com[HTTP::uri]" "Connection" "Close"
        }
    }
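
Added example, not from any poster in this thread and not F5 code: a small Python model of the redirect conditions discussed above, followed the way a client would follow 301s when both hostnames reach the same virtual server. The names `RULES`, `normalize` and `follow` are hypothetical, and the model assumes that Tcl's `eq` and a data group `equals` match are exact, case-sensitive string comparisons and that a client may send the Host header in mixed case or with an explicit port.

```python
# Python model of the thread's iRule conditions (illustration only, not iRule code).
NEW = "newdomain.com"
OLD_DOMAINS = {"olddomain.com"}   # stands in for the DG_OLD_DOMAINS data group

def normalize(host):
    """Lowercase the Host value, drop an explicit :port and a trailing dot."""
    return host.strip().lower().split(":")[0].rstrip(".")

# Each entry answers: "does this rule send a 301 for this Host header value?"
RULES = {
    "unconditional": lambda h: True,                   # first proposal, no Host check
    "not_new":       lambda h: h != NEW,               # !([HTTP::header "Host"] eq "newdomain.com")
    "is_old":        lambda h: h == "olddomain.com",   # [HTTP::header "Host"] eq "olddomain.com"
    "datagroup":     lambda h: h in OLD_DOMAINS,       # class match ... equals DG_OLD_DOMAINS
    "normalized":    lambda h: normalize(h) in OLD_DOMAINS,  # same, on a normalized Host
}

def follow(rule, host, uri="/path", max_hops=5):
    """Follow redirects for one request; return (final_url, hops) or ("LOOP", hops)."""
    decide = RULES[rule]
    hops = 0
    while decide(host):
        hops += 1
        if hops >= max_hops:
            return ("LOOP", hops)
        host = NEW   # Location: https://newdomain.com[HTTP::uri], same virtual server
    return (f"https://{host}{uri}", hops)

# Constructed Host header values, not taken from real traffic.
SAMPLE_HOSTS = ["olddomain.com", "OLDDOMAIN.com", "olddomain.com:443", "newdomain.com"]

def report():
    """Outcome of every rule for every sample Host value."""
    return {(rule, h): follow(rule, h) for rule in RULES for h in SAMPLE_HOSTS}

if __name__ == "__main__":
    for (rule, host), (url, hops) in report().items():
        print(f"{rule:14} {host:18} -> {url} ({hops} redirect(s))")
```

In this model the rule with no Host check never stops redirecting, because the redirected request for newdomain.com arrives at the same virtual server, while the exact-match rules leave `OLDDOMAIN.com` and `olddomain.com:443` on the old name.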