milo
Jul 06, 2009

consolidate all http to https request under one virtual server

I would like to create one virtual server that uses a network segment to support all incoming http requests. The majority of my company's http traffic is redirected to https. I've come up with four different iRules that could be used to support the various redirects, including one to simply forward traffic to the correct pool.
Can I consolidate the following iRules into one iRule? And, does it even make sense to do this?

Rule URI_https_redirect

Purpose - Redirect http URI to specific https URI

     when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::uri] ] {
           "/portal*" {HTTP::redirect "https://secure.aaa.com/login.do"}
           "/b-portal*" {HTTP::redirect "https://secure.bbb.com/login.do"}
        }
     }

Rule domain_https_redirect

Purpose - Redirect http domains to specific https URI

     when HTTP_REQUEST {
        switch [string tolower [HTTP::host] ] {
           www.aaa.com { HTTP::redirect https://www.aaa.com[HTTP::uri] }
           www.bbb.com { HTTP::redirect https://www.bbb.com[HTTP::uri] }
        }
     }

Rule http_no_redirect

Purpose - Forward http traffic to appropriate pool

     when HTTP_REQUEST {
        switch [string tolower [HTTP::host] ] {
           www.ccc.com {pool www.ccc.com}
           www.ddd.com {pool www.ddd.com}
        }
     }

Rule http_to_https_redirect

Purpose - Redirect any http URL to an https URL

     when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] }

4 Replies

  • Do you have an HTTP and an HTTPS virtual server? Which iRules are for HTTP requests and which are for HTTPS? Do you have a pool of webservers that answer for all web applications on the network segment you refer to?

    Aaron
  • milo
    The majority of our public facing sites are built with two virtual servers; one listening on port 80 and the other listening on port 443. We're using a class C block for all the virtuals. The webservers are segmented into different vlans according to the application being supported.

    What I would like to accomplish is to get away from creating virtual servers listening on port 80 that are primarily used to redirect http traffic to https. Setting up one virtual server that uses our virtual IP network segment with a port 80 listener seemed like a good start. Then, applying the four iRules above to that virtual server will allow the F5 to direct http requests to the correct https URI as they hit the VIP. I can configure the iRules to redirect http requests based on the domain name or URI content for any traffic coming in on that class C block.
  • You could combine the rules into one with something like this:

     
     when HTTP_REQUEST { 
        switch -glob [string tolower [HTTP::uri] ] { 
           "/portal*" { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched URI /portal*, redirecting." 
              HTTP::redirect "https://secure.aaa.com/login.do" 
              return 
           } 
           "/b-portal*" { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched URI /b-portal*, redirecting." 
              HTTP::redirect "https://secure.bbb.com/login.do" 
              return 
           } 
        } 
        switch [string tolower [HTTP::host] ] { 
           www.aaa.com { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched host www.aaa.com, redirecting" 
              HTTP::redirect "https://www.aaa.com[HTTP::uri]" 
              return 
           } 
           www.bbb.com { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched host www.bbb.com, redirecting" 
              HTTP::redirect "https://www.bbb.com[HTTP::uri]" 
              return 
           } 
           www.ccc.com { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched www.ccc.com, using pool" 
              pool www.ccc.com 
              return 
           } 
           www.ddd.com { 
              log local0. "[IP::client_addr]:[TCP::client_port]: Matched www.ddd.com, using pool" 
              pool www.ddd.com 
              return 
           } 
        } 
        log local0. "[IP::client_addr]:[TCP::client_port]: Matched , " 
        HTTP::redirect "https://[HTTP::host][HTTP::uri]" 
     } 
     

    I added logging as I'm not 100% sure it matches your scenario. Anyhow, it should give you a start.

    Aaron
  • milo
    Thanks Hoolio. This appears to be exactly what I need. I'm definitely going to need the logging when testing, I appreciate that. But, I especially appreciate you adding the "return" command. It never dawned on me that the iRule processing would continue evaluating each condition after a match was found.
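
Added example, not code from the thread's posters: a variant of the combined iRule above that strips any port from the Host header before matching and, because `HTTP::host` is client-supplied, replaces the final redirect-any-host step with a default that refuses unlisted hosts. The host names are the thread's own; the default-deny behaviour is an assumption about what this virtual server should serve.

```tcl
when HTTP_REQUEST {
   # HTTP::host returns the client-supplied Host header, which may carry a
   # port ("www.aaa.com:80"). Strip the port and lowercase before matching,
   # otherwise such requests miss every pattern below.
   set host [string tolower [getfield [HTTP::host] ":" 1]]

   # URI-specific redirects first, in the same order as the combined rule.
   # Both targets are fixed strings, so nothing from the request is reflected.
   switch -glob [string tolower [HTTP::uri]] {
      "/portal*" {
         HTTP::redirect "https://secure.aaa.com/login.do"
         return
      }
      "/b-portal*" {
         HTTP::redirect "https://secure.bbb.com/login.do"
         return
      }
   }

   switch $host {
      "www.ccc.com" -
      "www.ddd.com" {
         # Plain-HTTP sites: in the thread the pool name equals the host name.
         pool $host
         return
      }
      "www.aaa.com" -
      "www.bbb.com" {
         # Known HTTPS sites: Location is built from the matched name,
         # not from the raw header.
         HTTP::redirect "https://${host}[HTTP::uri]"
         return
      }
      default {
         # Assumption: a host that is not listed is not served here, so the
         # connection is refused instead of being redirected to whatever
         # name the client sent.
         log local0. "[IP::client_addr]:[TCP::client_port]: Unlisted host, rejecting"
         reject
         return
      }
   }
}
```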