DX Application Performance Management

F5 Load Balanced configuration SSL offload and onload ??

  • 1.  F5 Load Balanced configuration SSL offload and onload ??

    Posted 08-31-2015 12:45 AM

    Hi folks

    I'm working on a load-balanced F5 configuration design that has the following config ...

    Comms from Browser to the MOM:

    Client > https:443 > f5 VIP > F5 SNAT > http:8080 > Server (MOM)

    So when I browse my URL https://dnsname I get the APM welcome screen for Workstation / CEM.

    When I then click on the CEM login I get the error: This webpage is not available ERR_CONNECTION_REFUSED

    The client is redirected to http://dnsname/wily/cem/tess/app/login.html and therefore fails.

    I can see in the em.log :

    8/31/15 02:39:17.509 PM EST [INFO] [btpool0-1] [Manager.EMWebServer.WebStartWebapp] CEMRedirectServlet is loaded by webstart plugin

    8/31/15 02:39:17.510 PM EST [INFO] [btpool0-1] [Manager.EMWebServer.WebStartWebapp] we are redirecting to : /wily/cem/tess/app/login.html

     

    If I manually amend the URL to https://dnsname/wily/cem/tess/app/login.html the login works.

    Is this a config issue on the F5? Or have I missed some config in APM?

    Thanks.



  • 2.  Re: F5 Load Balanced configuration SSL offload and onload ??

    Posted 08-31-2015 03:27 AM

    I have been doing some digging on the F5 forums and have come up with a possible solution:

     

    The answer would seem to be a matter of what I like to call "the proxy effect". In short, your application is quite probably not designed to understand that a proxy can sit in front of it. In most cases that means that the application is spitting out absolute URLs in HTTP redirects and in document object references (images, script, etc.). You're getting to the main page fine, but then any information sent back to the client from the server has an absolute URL reference to http://hostname (instead of https://hostname).

    There are a number of ways to address this, each dealing with different aspects of the problem. Let's start with the redirects. If it's a simple matter of changing http:// to https://, and the rest of the URL is correct, then you can simply enable the Redirect Rewrite in the HTTP profile. This will catch any http:// 30x redirects from the server and rewrite them to https://. The following iRule will do basically the same thing:

    when HTTP_RESPONSE {
        # Rewrite http:// to https:// in the Location header of server redirects
        if { ( [HTTP::header exists Location] ) and ( [HTTP::header Location] contains "http://" ) } {
            HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
        }
    }

    If the URL returned by the server is actually different as well, then you'd need to modify the iRule above to replace one URL for the other. You haven't mentioned anything about HTML content rendering, so I'll leave it at HTTP header management for now.
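
A stricter variant of the Location rewrite quoted above, as an added example that is not part of the original posts or of F5's own material. It rewrites only redirects that point back at the host the client requested and replaces only the leading scheme, so an `http://` inside a query string and redirects to other sites are left alone. It assumes the virtual server listens on 443 as in the first post; `req_host`, `loc_host` and the other variable names are chosen here.

```tcl
when HTTP_REQUEST {
    # Remember the host the client asked for, lowercased and without any :port.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}

when HTTP_RESPONSE {
    # Only 30x responses carry a Location header the browser will follow.
    if { ![HTTP::is_redirect] } { return }

    set loc [HTTP::header Location]

    # Relative redirects such as /wily/cem/tess/app/login.html stay on
    # https in the browser already; only absolute http:// URLs need work.
    if { !([string tolower $loc] starts_with "http://") } { return }

    # Split "http://authority/path?query" by hand. Index 7 is the first
    # character after "http://".
    set slash [string first "/" $loc 7]
    if { $slash == -1 } {
        set authority [string range $loc 7 end]
        set rest "/"
    } else {
        set authority [string range $loc 7 [expr {$slash - 1}]]
        set rest [string range $loc $slash end]
    }
    set loc_host [string tolower [getfield $authority ":" 1]]

    # Redirects to any other host are passed through untouched, so the
    # rule never upgrades or alters a link to a third-party site.
    if { $loc_host ne $req_host } { return }

    # Rebuild the URL without the backend port (assumption: the VIP is on
    # 443). Only the scheme and authority change; path and query are kept
    # byte for byte.
    HTTP::header replace Location "https://$req_host$rest"
}
```

With the redirect from the first post, `http://dnsname/wily/cem/tess/app/login.html` becomes `https://dnsname/wily/cem/tess/app/login.html`, which is the URL the poster reports working when entered by hand.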