Forum Discussion

JotaCePena_1783's avatar
JotaCePena_1783
Icon for Nimbostratus rankNimbostratus
Oct 23, 2015

how to redirect http/https to new destination ports

Hi all, I tried to redirect ports 80 and 443 in a VS, this manner:

 

My VS1 is configured to listening on port 80 and my pool to listening in port 1080 My VS2 is configured to listening on port 443 and my pool to listening in port 1081 The response to client in both cases is: This page can't be displayed

 

I think the solution is more complex than this simple configuration.

 

Please Any idea for fix this?

 

APM
application delivery
deployment
LTM
security

8 Replies

Sort By
  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Oct 24, 2015

    The F5 will automatically forward traffic from your VS port to your pool member on what ever port it resides with no additional configuration. The F5 doesnt care what ports they use, it just passes the traffic.

    What matters is the right thing is listening on your server. You should have a webserver that does not use SSL listening on port 1080 for the first virtual. You should have a webserver that does use SSL listening on port 1081. This assumes you are not using a clientssl/serverssl profile. Its pretty easy to tell if they are setup correctly by testing from the command line of the F5.

    curl http://x.x.x.x:1080
curl -k https://x.x.x.x:1081
    • JotaCePena_1783's avatar
      JotaCePena_1783
      Icon for Nimbostratus rankNimbostratus
      Oct 25, 2015
      Here are the results of curl commands: I think server side is misconfigured or missing something in the argument of the URL. Active:In Sync] ~ curl http://11.240.64.32:1080 301 Moved Permanently Moved Permanently

      The document has moved here.

       

      In Sync] ~ curl -k http://11.240.64.32:1081 400 Bad Request Bad Request

      Your browser sent a request that this server could not understand.

       

      Reason: You're speaking plain HTTP to an SSL-enabled server port.

       

      Instead use the HTTPS scheme to access this URL, please.

       

       

      Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

       

      [jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~ curl -k https://11.240.64.32:1081 302 Found Found

      The document has moved .

       

  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Oct 25, 2015

    Ok that tells us a lot. You may find it easier to post output to places like https://gist.github.org and include a link here.

     

    The first curl responds with a redirect that adds a trailing slash and then uses Try it again with the trailing slash... curl http://11.240.64.32:1080/

     

    The second curl was a typo as you used http:// instead https:// and you are lucky at least it gave you a hint.

     

    The third curl responded with another redirect but doesnt tell you the destination in the message. Try the curl again but this time use the -i option to tell curl to include the HTTP headers.

     

    • JotaCePena_1783's avatar
      JotaCePena_1783
      Icon for Nimbostratus rankNimbostratus
      Oct 25, 2015
      Hera are ouputs Active:In Sync] ~ curl -i https://11.240.64.32:1081/ curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. [jcpena@F2000S-SBD1-00A-CORE-C1U1:Active:In Sync] ~
    • JotaCePena_1783's avatar
      JotaCePena_1783
      Icon for Nimbostratus rankNimbostratus
      Oct 26, 2015
      This is in right form: Active:In Sync] ~ curl -ik https://11.240.64.32:1081/ HTTP/1.1 302 Found Date: Mon, 26 Oct 2015 13:33:55 GMT Server: RP Cache-Control: no-store Location: /ipcservice/00globalerr.html?TYPE=33554433&REALMOID=06-000184ad-37fb-162a-b22f-441e0bf0d04d&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-DjK8VHf8V0n%2bQuQeG1rl6bKULPS0VHcc5i0R5Nh0qTT8qAD4vND9f9B4hxLBXdTX&TARGET=-SM-https%3a%2f%2f11%2e240%2e64%2e32%3a1081%2f Vary: Accept-Encoding Content-Length: 468 Content-Type: text/html; charset=iso-8859-1 302 Found Found

      The document has moved .

       

  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Oct 28, 2015

    From those results I think you are correct in saying the serverside confiugration needs to be looked at. The http webserver on port 1080 is redirecting you to a https website which should not be happening for starters.

    The https webserver on port 1081 appears to be redirecting you to an error page.

    Do these websites have a DNS name? If so try adding -h "Host: dns_name" to the curl request and see if that helps.

    curl -ik -h "Host: dns_name" https://....