Biche_XD_185704
Jul 10, 2018

[Offloading SSL] SOAP Response

Hi all, I would like help with a SOAP response problem.

I have two VIPs with the same pool

VIP 1:443 --> Offload SSL --> Pool 8080

VIP 2:8080 --> Pool 8080

These two pools send traffic to a Tomcat 8.

On my VIP 1, I set an X-Forwarded-Proto: HTTPS column in the HTTP header so that Tomcat answers me in HTTPS.

Here is my test result :

[/home/user]$ curl https://fqdn_of_vip1/cupro-ws-8.0/soap/WSCompte?wsdl |grep location 
      
[/home/user]$ curl -H "Host: fqdn_of_vip1" -H "X-Forwarded-Proto: https" 172.16.105.63:8080/cupro-ws-8.0/soap/WSCompte?wsdl |grep location

      

As you can see, when I curl VIP 1, Tomcat sends me a response with a soap:address location=http...

But when I curl VIP2 with X-Forwarded-Proto manually set, the response is correct, in HTTPS.

I think that when F5 does SSL Offloading.

X-Forwarded-Proto is generated by an iRule:

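        # Event wrapper and closing braces are not in the original post; HTTP_REQUEST is assumed.
        when HTTP_REQUEST {
            # Only for URIs in datagrouplist1 requested by clients in datagrouplist2
            if { [class match [HTTP::uri] starts_with datagrouplist1] and [class match [IP::client_addr] equals datagrouplist2] } {
                log local0. "Access 8080 from [IP::client_addr]"
                # Tell the backend that the client-side connection was HTTPS
                HTTP::header insert X-Forwarded-Proto https
                HTTP::header insert x-forwarded-proto https
                HTTP::header insert ipis [IP::client_addr]
                snat automap
                pool mypool
            }
        }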

For information, when I uncomment "snat automap", my curl on VIP1 (HTTPS) sends me a response location in HTTPS.

I don't understand why.

Do you have any information?

Thanks a lot for your answer

7 Replies

  • Are you confident that your URI and source IP address match against your cURL? I would be inclined to improve the logging, i.e. print out HTTP headers etc. Are you confident that the iRule is on VS1?

     

  • Thanks for your reply. Yes, I'm sure about the URI and client IP. (I added logging to be sure.)

    And here is the content of the HTTP headers:

    : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Client 193.X.X.X:25988 -> myfqdn.com/cupro-ws-8.0/soap/WSCompte?wsdl (request)
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Host: myfqdn.com
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : User-Agent: curl/7.58.0
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Accept: */*
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : X-Forwarded-Proto: https
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Client 193.X.X.X:25988 -> myfqdn.com/cupro-ws-8.0/soap/WSCompte?wsdl (response) - status: 200
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Server: Apache-Coyote/1.1
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Content-Type: text/xml;charset=UTF-8
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Transfer-Encoding: chunked
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : Date: Tue, 10 Jul 2018 08:39:26 GMT
    Jul 10 10:39:27 myf5.local info tmm3[12274]: Rule /Common/irule-log-http_header : =============================================
    
    
  • OK, so if X-Forwarded-Proto is already set (as in the headers) and the server is sending the wrong response then it's an issue on the server. Are you trying to fix the issue on the server by rewriting the content on the F5?

     

  • So, I can rewrite the SOAP response with an iRule, but for me, this is not the right solution.

     

    For me, this is not a problem on the server, because on the VIP on tcp/8080, with x-forwarded-proto set in curl, the soap address location is in HTTPS.

     

    I have the feeling that the problem is in the SSL offload, or maybe in the HTTP profile (I use the default http profile).

     

  • OK, I think I must be missing something here.

     

    Just to clarify, you want the VIP 1 which is listening on port 443 to have the X-Forwarded-Proto header inserted but not the VIP 2 (listening on port 8080).

     

    To do this you need to create a new HTTP profile as per this link https://support.f5.com/csp/article/K43444200 and assign it to VIP 1. Use the standard http profile for VIP 2.

     

    That should fix the issue.

     

  • VIP 1 is an evolution.

     

    Originally, all the traffic was sent to VIP 2. But an application manager wants to migrate this application to HTTPS. That's why VIP 1 was created.

     

    VIP 2 didn't have X-Forwarded-Proto configured. But we ran some tests and emulated X-Forwarded-Proto with curl (with -H) on VIP2.

     

    On VIP 1, we already have an HTTP profile; it's the default HTTP profile. We have the same HTTP profile on VIP 2 for another need (redirect from HTTP:Host).

     

    In conclusion, we have:

     

    VIP1:443 --> Offload SSL --> X-Forwarded-Proto --> Pool:8080 --> Node:8080 --> VIP we want to redirect production traffic to

     

    VIP2:8080 --> Pool:8080 --> Node:8080 --> VIP actually in production
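
Added example, not part of any post in this thread and not the poster's or F5's code: a small Python model of one mechanism that would produce the symptoms described above, where the backend honours X-Forwarded-Proto only when the TCP peer is on a trusted-proxy list (the way Tomcat's RemoteIpValve uses its `internalProxies` setting). That the poster's Tomcat is configured this way is an assumption the thread does not confirm; the peer addresses, the trusted ranges and the function names are constructed for illustration.

```python
import ipaddress

# Assumption: trusted-proxy list modelled on the private ranges that a
# RemoteIpValve-style filter trusts by default, simplified to CIDR blocks.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def effective_scheme(peer_ip, headers, connector_scheme="http"):
    """Scheme the backend uses when it builds absolute URLs (e.g. soap:address)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Header arrived from an untrusted peer: ignore it, keep the connector scheme.
        return connector_scheme
    # HTTP header names are case-insensitive.
    proto = next((v for k, v in headers.items()
                  if k.lower() == "x-forwarded-proto"), None)
    return "https" if proto and proto.lower() == "https" else connector_scheme


def soap_location(peer_ip, headers, host, path):
    return f"{effective_scheme(peer_ip, headers)}://{host}{path}"


def scenarios():
    """Constructed cases mirroring the three tests in the thread."""
    hdr = {"X-Forwarded-Proto": "https"}
    host, path = "fqdn_of_vip1", "/cupro-ws-8.0/soap/WSCompte"
    return {
        # VIP 1 without SNAT: backend sees the client's public address (constructed).
        "vip1_no_snat": soap_location("203.0.113.10", hdr, host, path),
        # VIP 1 with snat automap: backend sees an F5 self IP (constructed).
        "vip1_snat_automap": soap_location("172.16.105.1", hdr, host, path),
        # curl from an internal host straight to port 8080 with -H set by hand.
        "direct_curl_internal": soap_location("172.16.105.20", hdr, host, path),
    }


if __name__ == "__main__":
    for name, location in scenarios().items():
        print(f"{name:22} -> soap:address location={location}")
```

If the backend does gate the header this way, that is the intended behaviour: the scheme hint is accepted only from known proxies, so the fix belongs in the backend's trusted-proxy list (or in keeping SNAT on), not in accepting X-Forwarded-Proto from every peer.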