modyo_63245
Nov 27, 2012

Help please with an LB&SSL configuration for a Rails APP

Hi,

I need to set up an iRule with an SSL certificate which connects the 443 port to the 80 of the backend servers (the communication between the balancer and backends is in plain HTTP). Problem is that my app is a Ruby on Rails app which needs to detect that the origin request was done in HTTPS to properly redirect and provide HTTPS URLs.

The framework can read the following headers (Rails request.rb code snippet):

    def scheme
      if @env['HTTPS'] == 'on'
        'https'
      elsif @env['HTTP_X_FORWARDED_SSL'] == 'on'
        'https'
      elsif @env['HTTP_X_FORWARDED_SCHEME']
        @env['HTTP_X_FORWARDED_SCHEME']
      elsif @env['HTTP_X_FORWARDED_PROTO']
        @env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
      else
        @env["rack.url_scheme"]
      end
    end

How can I inject one of those headers (i.e. HTTP_X_FORWARDED_SCHEME=https)? Or should the iRule do this automatically for me when configuring certificates on it?

PS: Sorry about my iRule's technical level. I'm the developer behind the F5 balancer needing this simple header so my app can redirect properly to HTTPS URLs :(

Thanks!

Antonio

6 Replies

  • It's unlikely you'd need to use an iRule to configure the SSL termination on the F5; normally a ClientSSL profile would be used. You can use an iRule like this to insert the header. Note I've assumed the value should be 'on', not 'https' as you think, but I could be wrong:

    when HTTP_REQUEST {
        HTTP::header insert HTTP_X_FORWARDED_SSL "on"
    }
    
  • Steve, I think it is "https".

    X-Forwarded-Proto Assistance
    https://devcentral.f5.com/community/group/asg/50/aft/26643/showtab/groupforums

  • Thanks Nitass. A HTTP profile didn't occur to me at all, but how do you insert the header with a value?

    For the rule, here's an update based on Nitass's information;

    
    when HTTP_REQUEST {
        HTTP::header remove "HTTP_X_FORWARDED_SSL"
        HTTP::header insert HTTP_X_FORWARDED_SSL "https"
    }
    
  • "A HTTP profile didn't occur to me at all, but how do you insert the header with a value?"

    Is this what you are talking about?

    e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:443
       ip protocol 6
       profiles {
          clientssl {
             clientside
          }
          myhttp {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b profile myhttp list
    profile http myhttp {
       defaults from http
       header insert "HTTP_X_FORWARDED_SSL: https"
    }
    
    [root@ve10:Active] config  ssldump -Aed -nni 0.0 port 443 or port 80 -k /config/ssl/ssl.key/default.key
    New TCP connection 1: 172.28.19.251(35636) <-> 172.28.19.79(443)
    1 1  1354028315.6417 (0.0219)  C>S SSLv2 compatible client hello
    1 2  1354028315.6417 (0.0000)  S>CV3.1(81)  Handshake
    1 3  1354028315.6417 (0.0000)  S>CV3.1(953)  Handshake
    1 4  1354028315.6417 (0.0000)  S>CV3.1(4)  Handshake
    1 5  1354028315.6449 (0.0031)  C>SV3.1(262)  Handshake
    1 6  1354028315.6449 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
    1 7  1354028315.6449 (0.0000)  C>SV3.1(36)  Handshake
    1 8  1354028315.6615 (0.0166)  S>CV3.1(1)  ChangeCipherSpec
    1 9  1354028315.6615 (0.0000)  S>CV3.1(36)  Handshake
    1 10 1354028315.6626 (0.0010)  C>SV3.1(175)  application_data
        ---------------------------------------------------------------
        HEAD / HTTP/1.1
        User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
        Host: 172.28.19.79
        Accept: */*
    
        ---------------------------------------------------------------
    New TCP connection 2: 200.200.200.10(35636) <-> 200.200.200.101(80)
    1354028315.6638 (0.0010)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.19.79
    Accept: */*
    HTTP_X_FORWARDED_SSL: https
    
    ---------------------------------------------------------------
    
  • Thanks Steve, Nitass. I'll try that header insertion on my iRule configuration.
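
Added example, not part of the thread: a Ruby sketch of how the headers discussed above reach the `scheme` method quoted in the question, and why the updated rule removes the client's copy before inserting its own. It assumes the CGI/Rack naming convention (wire header `X-Forwarded-Proto` becomes env key `HTTP_X_FORWARDED_PROTO`); `rack_env_key`, `rack_env` and `proxy_rewrite` are hypothetical helpers, and the balancer-side rewrite is modelled in Ruby rather than as an iRule.

```ruby
# Added example; header values below are constructed.

# CGI/Rack convention: a request header reaches the app under the key
# "HTTP_" + upcased name with "-" replaced by "_".
def rack_env_key(wire_name)
  "HTTP_" + wire_name.upcase.tr("-", "_")
end

# Build the header part of a Rack env from the headers seen on the wire.
def rack_env(wire_headers, url_scheme = "http")
  env = { "rack.url_scheme" => url_scheme }
  wire_headers.each { |name, value| env[rack_env_key(name)] = value }
  env
end

# Same decision order as the request.rb snippet quoted in the question.
def scheme(env)
  if env["HTTPS"] == "on" then "https"
  elsif env["HTTP_X_FORWARDED_SSL"] == "on" then "https"
  elsif env["HTTP_X_FORWARDED_SCHEME"] then env["HTTP_X_FORWARDED_SCHEME"]
  elsif env["HTTP_X_FORWARDED_PROTO"] then env["HTTP_X_FORWARDED_PROTO"].split(",")[0]
  else env["rack.url_scheme"]
  end
end

FORWARDING_HEADERS = %w[X-Forwarded-Ssl X-Forwarded-Scheme X-Forwarded-Proto].freeze

# Balancer-side step (hypothetical helper): drop every client-supplied copy
# of the forwarding headers, then set the one value the balancer knows.
def proxy_rewrite(client_headers, terminated_tls)
  kept = client_headers.reject do |name, _|
    FORWARDING_HEADERS.any? { |h| h.casecmp?(name) }
  end
  kept.merge("X-Forwarded-Proto" => terminated_tls ? "https" : "http")
end

if __FILE__ == $PROGRAM_NAME
  spoofed = { "Host" => "app.example", "x-forwarded-ssl" => "on" } # constructed
  puts scheme(rack_env(spoofed))                        # header passed through untouched
  puts scheme(rack_env(proxy_rewrite(spoofed, false)))  # after the balancer rewrite
  puts scheme(rack_env(proxy_rewrite(spoofed, true)))   # request arrived on 443
end
```

Under this convention a header sent literally as `HTTP_X_FORWARDED_SSL` arrives under the key `HTTP_HTTP_X_FORWARDED_SSL`, and `X-Forwarded-SSL` only counts in the quoted `scheme` method when its value is `on`.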