LeighK_316106
Apr 03, 2017

url redirection with SSL offload

I have set up an F5 to test it against my company's software. A lot of our customers have F5s and often ask for advice on setting it up.

I have been able to configure it for standard HTTP load balancing, SSL using SSL bridging and layer 4 with no issues. The one configuration I am stuck with is SSL offload.

The way our software works is this: If a user connects on port 80, they will get redirected to port 4248 for authentication and then back to 80 once authenticated. If a user connects on 443 (SSL) they get redirected to port 4244 for authentication and then back to 443 once authenticated.

The issue, I believe, is that the client is receiving a redirect URL for 4248 when they need to get one for 4244. So I suspect from reading here I will need a rule to rewrite the URLs. Does that sound likely?

If so, how do I go about this? The URL is going to look something like this:

http://192.168.203.103:4248/windows_authentication/?targetId=08c9a54f-59fc-42da-b4b3-fca1dd63adfd

and needs to be:

https://192.168.203.103:4244/windows_authentication/?targetId=08c9a54f-59fc-42da-b4b3-fca1dd63adfd

which will then of course be redirected internally by the F5 back to 4248.

Thanks all!

1 Reply

  • The problem you have is that when doing SSL offloading, the server only sees an HTTP request.

    First, you need to change the redirect to use SSL, using an iRule in the virtual server you already have.

    Second, you need to create a virtual server to handle the authentication and redirect. You do SSL offloading in this virtual server as well, but you need to rewrite the redirect to point to the first virtual server.

    You can use an iRule similar to this one in both cases:

    when HTTP_RESPONSE {
      # Match the backend's redirect and reissue it over HTTPS
      if { [HTTP::status] == 302 && [HTTP::header "Location"] equals "......" } {
        HTTP::redirect "https://.../"
      }
    }

    You need to check how your application does the first (for authentication) and second (after authentication) redirects, and change the iRule to match that.

    More examples in these links:

    https://devcentral.f5.com/wiki/irules.http__status.ashx

    https://devcentral.f5.com/wiki/irules.http__header.ashx

    https://devcentral.f5.com/wiki/irules.http__redirect.ashx
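
One way to write the rewrite discussed in this thread, as an added example that is not part of the original reply: a single iRule for both SSL-offloading virtual servers (443 and 4244) that turns the backend's plain-HTTP `Location` into the matching HTTPS one, so the authentication redirect never sends the client to an unencrypted port. The port pairs come from the question. The variable name `req_host` and the check that the redirect stays on the host the client requested are assumptions of this example.

```tcl
# Added example, not from the thread. Attach to both offloading virtual
# servers. Port pairs are those described in the question:
#   backend 80   <-> client-facing 443
#   backend 4248 <-> client-facing 4244
when HTTP_REQUEST {
    # Remember the host the client asked for, without any :port suffix.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}

when HTTP_RESPONSE {
    if { ![HTTP::is_redirect] } { return }
    set loc [HTTP::header value "Location"]

    # Only absolute plain-HTTP redirects need fixing. Relative redirects and
    # https:// redirects pass through untouched.
    if { ![regexp -nocase {^http://([^/:?#]+)(?::(\d+))?(.*)$} $loc -> host port rest] } {
        return
    }

    # Assumption: the backend redirects to the same host the client used.
    # A redirect to any other host is left alone rather than blindly rewritten.
    if { [string tolower $host] ne $req_host } { return }

    # Map the backend (plain HTTP) port to the client-facing (TLS) port.
    # Unknown ports are not rewritten.
    switch -- $port {
        ""      -
        "80"    { set new_loc "https://${host}${rest}" }
        "4248"  { set new_loc "https://${host}:4244${rest}" }
        default { return }
    }

    # Path and query string (including targetId) are carried over unchanged.
    HTTP::header replace "Location" $new_loc
}
```

Because the status code and the rest of the response are left as the application sent them, only the scheme and port in `Location` change. Check the rewritten header with a client that does not follow redirects before relying on it.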