Dean_Brown_01_1
Aug 19, 2013

Redirect internal link to external site

We are trying to have a client application use a proxy URL into our BIG-IP server through an SSL connection from a mobile client. We want to redirect a Virtual Server input URL (.../ms365) back out to the Microsoft 365 Web site (https://login.microsoftonline.com). The remainder of the URLs are routed to our internal pool of web servers. I created a new MS_redirect Virtual Server that gets called with the /ms365 link, which then has an HTTP redirect call back out to the Microsoft site. I set SNAT to dynamic on the MS_redirect virtual server. The redirect is also an SSL connection back out to the Microsoft site.

 

My question is, is this a valid approach to do an external redirect? I am getting an error (although I'm struggling with how to log the error response (newbie)). Also, do I need an SSL Server profile or SSL Client profile on the MS_redirect?

 

../ms365 (web client) -> proxyVS - iRule -> MS_redirect vs -> HTTP Redirect -> https://login.microsoftonline.com (then back).

 

Thanks for any help! Dean

 

7 Replies

  • not sure if i understand correctly (i guess i don't). if not, would you mind posting some example please? anyway, this is just a http redirection example based on uri.

    e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.111:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            clientssl {
                context clientside
            }
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 22
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_REQUEST {
      if { [HTTP::uri] starts_with "/ms365" } {
        HTTP::redirect "https://login.microsoftonline.com/"
      }
    }
    }
    
    
  • ../ms365 (web client) -> proxyVS - iRule -> MS_redirect vs -> HTTP Redirect -> https://login.microsoftonline.com (then back).

     

    Does this mean that when a client requests the URI "/ms365" from the proxy VIP, that an iRule redirects them to another VIP, which then redirects them directly to a Microsoft page? If so, why so many redirects (and VIPs)? And more important, what is the goal? How does your application interact with the Microsoft site?

     

  • Okay, so my first observation here is that SNAT isn't relevant in an HTTP redirect situation. SNAT would be important if the traffic were flowing through the VIP to the application, but because you're redirecting, the remote service is going to get the client's source address.

     

    Second, when a user accesses the trigger URL, gets redirected and then redirected again, and then lands on the remote site's page, what happens next? How does the user get back to your site? How does the remote site share information with your site?

     

  • From an iRule, you can simply use:

    log local0. "some arbitrary test or output of a command like [HTTP::uri]"
    

    That will show up in /var/log/ltm. If you have access to the management shell, one of the best iRule troubleshooting tools is simply to "tail" this log:

    tail -f /var/log/ltm
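
An added example, not posted by anyone in this thread: one iRule for the client-facing HTTPS virtual server that combines the URI-based redirect and the `log local0.` suggestions above, so both the redirect decision and any error responses from the internal pool show up in /var/log/ltm. The variable names and log message formats are assumptions made for illustration.

```tcl
# Added example (not from the thread). Attach to a virtual server that has
# clientssl and http profiles, like "bar" in the first reply.
when HTTP_REQUEST {
    # Keep the request details for HTTP_RESPONSE, where the request URI
    # may not be readable directly.
    set req_uri  [HTTP::uri]
    set req_host [HTTP::host]

    # Match on the path only (no query string), lower-cased, and require an
    # exact segment so "/ms365" and "/ms365/..." match but "/ms365extra" does not.
    # This is stricter than the starts_with test on the full URI shown earlier.
    set path [string tolower [HTTP::path]]

    if { $path eq "/ms365" || $path starts_with "/ms365/" } {
        log local0. "ms365 redirect: client=[IP::client_addr] host=$req_host uri=$req_uri"
        # Fixed destination: nothing from the request is copied into the
        # Location header, so the target cannot be steered by the client.
        HTTP::redirect "https://login.microsoftonline.com/"
        return
    }
    # Everything else falls through to the virtual server's default pool.
}

when HTTP_RESPONSE {
    # Fires only for responses coming back from the pool; the redirect above
    # is generated by the BIG-IP itself and never reaches this event.
    if { [HTTP::status] >= 400 } {
        log local0. "pool error: status=[HTTP::status] client=[IP::client_addr] host=$req_host uri=$req_uri"
    }
}
```

With this in place, `tail -f /var/log/ltm` shows one line per /ms365 redirect and one line per 4xx/5xx response from the internal servers.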