michmoor2015_21
Jul 15, 2015

HTTPS redirect from custom port to port 443

Hi All,

 

Apologies in advance if this was answered anywhere on the site, but is there an iRule (I'm not good at writing one) that I can apply to a VIP which states that if a client goes to https://xxx.com:8443 they will get redirected to https://xxx.com? Going from the custom SSL port of 8443 to the well-known port of 443.

 

Thanks again community !

 

8 Replies

  • when HTTP_REQUEST {
        HTTP::respond 302 Location "https://[HTTP::host]"
    }
    

    Not sure if you also needed to evaluate the host name, but in this case you have a VIP listening on port 8443 with a client SSL profile and this iRule. All requests to this VIP are automatically redirected to the 443 URL (a different VIP).

  • Thank you so much Kevin for the quick reply. I'm not at all proficient in iRule writing but I'm trying to get better.

     

    What is this part: HTTP:respond 302 location..

     

    Also even though the original client request is HTTPS do we still need to put "when HTTP_REQUEST" ?

     

  • What is this part: HTTP:respond 302 location..

     

    This is an HTTP response command. You're essentially instructing the iRule to issue an immediate HTTP response to the client, with a status code of 302 (redirect), and a Location header that points to the desired URL.

     

    Also even though the original client request is HTTPS do we still need to put "when HTTP_REQUEST" ?

     

    Yes. The S in HTTPS is SSL, which is an OSI layer 6 wrapper around the layer 7 HTTP communications. SSL is processed and removed before the HTTP request is processed, so both HTTP and HTTPS requests are still HTTP and processed as HTTP events.

     

  • Thanks Kevin, I implemented the iRule but it doesn't seem to be working. I get a timed out error. So here is the implementation. I have two VIPs. One with the F5 listening on port 8443 but without a clientssl. I have another VIP with the F5 listening on port 443 with a clientssl profile. The URI is the following - https://jiratest.chicago.xxx.com:8443/login which of course will get redirected to https://jiratest.chicago.xxx.com/login

     

    So I took your script and did the following: when HTTP_REQUEST { HTTP::respond 302 Location "https://[HTTP::jiratest.chicago.xxx.com]" }

     

    The F5 throws out the following error:01070151:3: Rule [/Common/Custom_Redirect] error: /Common/Custom_Redirect:2: error: [undefined procedure: HTTP::jiratest.chicago.xxx.com][HTTP::jiratest.chicago.xxx.com]

     

    So I then removed the URI and put in - when HTTP_REQUEST { HTTP::respond 302 Location "https://[HTTP::host]" }

     

    F5 takes the script and I apply it, but then that's when I get the timed out message when I try to visit the site.

     

  • The problem is that you're doing HTTPS at the 8443 VIP but you don't have a client SSL profile. You need that to decrypt the client's SSL and process the underlying HTTP request.

    "[HTTP::jiratest.chicago.xxx.com]" isn't valid. You can explicitly name the URL:

    when HTTP_REQUEST {
        HTTP::respond 302 Location "https://jiratest.chicago.xxx.com"
    }
    

    Or you can use [HTTP::host] to redirect back to the FQDN that the client requested

    when HTTP_REQUEST {
        HTTP::respond 302 Location "https://[HTTP::host]"
    }
    
  • Ahhh it all makes sense now actually. Thanks Kevin so much.

     

    If that's the case then I don't think this will work, as we already have a certificate for jiratest.chicago.xxx.com and I don't think I can apply that same certificate to the new VIP on port 8443.....unless.......I use the same clientssl for multiple VIPs.

     

  • Arie

    If you're relatively certain that you always want to redirect 8443 to 443 you'll want to use a 301 (permanent redirect) rather than a 302 (temporary redirect). The latter doesn't get cached by the client and results in an additional request/response every time the resource is requested over port 8443.
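
Added example, not part of any reply in this thread: an iRule for the 8443 virtual server that combines the points discussed above. It assumes that virtual server has a client SSL profile, and it strips the port because a client requesting `https://host:8443/` sends `Host: host:8443`, so `[HTTP::host]` used as-is would point the redirect back at port 8443. The hostname check and the 400 responses are illustrative choices, not something the thread prescribes.

```tcl
# Added example (not from the thread). Attach to the virtual server on 8443,
# which needs a client SSL profile so that HTTP_REQUEST can fire at all.
when HTTP_REQUEST {
    # The Host header carries the non-default port ("name:8443");
    # keep only the name part before building the Location header.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # HTTP/1.0 clients may send no Host header. Refuse rather than
    # emit a redirect with an empty authority.
    if { $host eq "" } {
        HTTP::respond 400 content "Bad Request" Connection close
        return
    }

    # Redirect only for the name this virtual server is meant to serve,
    # so a forged Host header cannot choose the Location value.
    # The name is the one used in the thread.
    if { $host ne "jiratest.chicago.xxx.com" } {
        HTTP::respond 400 content "Bad Request" Connection close
        return
    }

    # 301 as suggested in the last reply; [HTTP::uri] preserves the
    # path and query string (for example /login).
    HTTP::respond 301 Location "https://${host}[HTTP::uri]" Connection close
}
```

Checking the `Location` header of the response on port 8443 before putting the rule in front of users confirms the port has been dropped, since browsers cache a 301.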