Forum Discussion

daveferrier_202
Feb 04, 2014

Need help with irule masking the url, please.

Hello, I have a need for an irule, I believe. Been browsing around dev central with no luck.

I have the following scenario:

External facing LTM - vip "A" listening on port 443 with a pool member listening on 443 on the internal LTM "B"

Internal LTM - vip "B" listening on port 443 with 2 pool members listening on http://x.x.x.x:8020

User comes into the External LTM on 443, gets handed to the internal vip on 443. Then the backend server does a redirect to http://x.x.x.x:8020 and the client is presented with a login page. The client browser URL now shows http://x.x.x.x:8020

The requirement is to have the client see https://x.x.x.x/ on the browser, i.e. no http and no :8020. Been trying some iRule tweaks with no luck.

6 Replies

  • At the very least you should:

    1. Rewrite the host header on incoming traffic (internal LTM) in case that's causing the server to send the redirect, and

    2. Rewrite the Location header on outgoing redirects (internal LTM)

      when HTTP_REQUEST {
          HTTP::header replace Host "x.x.x.x:8020"
      }
      when HTTP_RESPONSE {
          if { [HTTP::header exists Location] } {
              HTTP::header replace Location [string map {"http://x.x.x.x:8020" "https://x.x.x.x"} [HTTP::header Location]]
          }
      }

    That'll cover the incoming Host header to the web servers and outgoing redirects to the client. If that doesn't completely work, then there may still be internal document object references to deal with.

  • Hi Kevin, Thanks for the response. It's great stuff. I have been testing the iRule you suggested but not getting very far. To get even the basic access to work, it seems that I need to at the least enable two virtual servers on the external LTM (one for 443 and another for 8020). This is in addition to the internal virtual also listening on 443, which hands off the cert.

    By the way, I also want internal users of the internal 443 virtual to have the same experience as external users. With the above scenario the access does work, but the user is still redirected to http://x.x.x.x:8020 for a login, then on to the main page. In my testing I actually set the external 8020 virtual to point to the reals actually listening on port 8020. It looks to me that the iRule is impacting the login prompt part of the access. Any thoughts you may have would be appreciated. Thanks. Dave

  • 
    Arie

    Do you have two BIG-IPs (one for internal and a separate one for external), or just different VIPs?

    Regarding the port change, have you considered using 443 between the client and 8020 between the LTM and the web service?

  • Let's add another piece to the puzzle. Add an empty STREAM profile to the VIP and this iRule:

    when HTTP_REQUEST {
        # disable serverside compression
        HTTP::header remove Accept-Encoding

        # disable request side STREAM processing
        STREAM::disable

        # replace the incoming Host header
        HTTP::header replace Host "x.x.x.x:8020"
    }
    when HTTP_RESPONSE {
        # catch redirects and remap Location header URLs
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map {"http://x.x.x.x:8020" "https://x.x.x.x"} [HTTP::header Location]]
        }

        # only apply the STREAM profile for text-based responses
        if { [HTTP::header Content-Type] contains "text" } {
            # create a STREAM expression
            STREAM::expression {@http://x.x.x.x:8020@https://x.x.x.x@}

            # enable STREAM processing
            STREAM::enable
        }
    }

    You mentioned that you still get redirected to the port 8020 URL for a login page, and I'm guessing that's not a redirect but actually a link within the document object. The previous iRule only inserted a Host header on requests and caught redirects on responses. It did not, however, manage any of the content of the HTML document, which itself could have references to the port 8020 URL. Adding the STREAM profile and the above STREAM expression creates a rewrite mechanism for the content as it passes through the proxy to the client. The objective here is to NOT have separate external port 443 and port 8020 VIPs, but to have all external traffic flow through the port 443 VIP. In order for that to work, the client must not be presented with any references to the port 8020 URL, which can exist both in headers and document content. Give this a shot and let me know how it goes.
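    The two replies above combined into one rule, as an added example that is not part of this thread or of F5's own documentation. It keeps the origins in static variables so the same rule can be reused on other virtual servers, escapes the backend origin before handing it to STREAM (a STREAM expression is a regex, so a literal "." in a hostname should be escaped), and also rewrites script and JSON bodies, which the reply's "text" check would miss. It assumes the backend origin is "http://x.x.x.x:8020" and the public origin is "https://x.x.x.x" (placeholder values), and that an empty STREAM profile is attached to the internal 443 virtual server as described above.

```tcl
# Added example, not from the original thread. Placeholder origins:
# the servers build redirects and links with $static::backend_origin,
# the client must only ever see $static::public_origin.
when RULE_INIT {
    set static::backend_origin "http://x.x.x.x:8020"
    set static::public_origin  "https://x.x.x.x"
}

when HTTP_REQUEST {
    # Present the servers with the Host they expect so their redirects
    # and absolute links are predictable (and therefore rewritable).
    HTTP::header replace Host "x.x.x.x:8020"

    # Strip Accept-Encoding so the response body arrives uncompressed;
    # STREAM cannot rewrite gzip/deflate content.
    HTTP::header remove Accept-Encoding

    # Never rewrite request bodies (e.g. a POSTed login form).
    STREAM::disable
}

when HTTP_RESPONSE {
    # Redirects: map the backend origin to the public origin. string map
    # also covers paths such as http://x.x.x.x:8020/login -> https://x.x.x.x/login
    if { [HTTP::header exists Location] } {
        set loc [string map [list $static::backend_origin $static::public_origin] \
            [HTTP::header Location]]
        HTTP::header replace Location $loc
    }

    # Body rewriting only for textual content; binaries are left alone.
    set ctype [string tolower [HTTP::header value Content-Type]]
    if { $ctype contains "text" || $ctype contains "javascript" || $ctype contains "json" } {
        # STREAM::expression takes a regex, so escape the dots in the origin.
        set pattern [string map [list . \\.] $static::backend_origin]
        STREAM::expression "@$pattern@$static::public_origin@"
        STREAM::enable
    }
}
```

    Note that the rewrite only changes what the client is shown; the hop from the LTM to the servers on port 8020 is still plain HTTP, so the login form still crosses that internal segment unencrypted.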

  • You don't need 2 VIPs; if you have 2 LTMs you can add this rule to the internal LTM. I hope you are using a domain instead of x.x.x.x; if so, it would be easier to handle internal and external requests separately with Split DNS.

  • Kevin / Arie, Thanks for the help with the iRule to suppress the backend non-standard port. It is working exactly as expected. I actually used the iRule for additional virtual servers where the client was requesting a similar experience. Dave 8)