Forum Discussion

dlawke
Sep 10, 2024

iRule redirection for VIP on 443

We're migrating from NetScaler, and the one thing that NetScaler was able to do is redirect on a 'downed' VIP as a protection measure. 

 

Basically, an application is migrating to the cloud, and we need to redirect from the downed VIP to the cloud. I've got the syntax for the HTTP_redir iRule, but I'm not sure how to actually make the VIP without requiring the certificate for it. Is it possible to create the redirect in this sense, or will I just need to create a standard VIP, bind the cert, and attach the iRule to do the redirect?

 

Example:

User sends request to application FQDN that is no longer hosted on-prem but still points to the load balanced VIP:

10.10.10.10 -> https://applicationa.contoso.com (VIP-port 443-now down because internal servers are removed from environment)

applicationa.contoso.loc VIP -redirect-> hosted-applicationa.contoso.com 

  • A simple iRule with a 302 redirect is enough in your case, as said.

    But there is no way to avoid SSL termination when using HTTPS.

    So if you still have a valid cert for applicationa.contoso.com, just assign the iRule below to the VS, bind the cert, and you should be OK.
    It would also be better to deassign the pool.

     

    when HTTP_REQUEST {
        if { [HTTP::host] equals "applicationa.contoso.com" } {
            HTTP::redirect "https://hosted-applicationa.contoso.com"
        }
    }

    • dlawke

      Thanks. That makes sense. I was trying to avoid having BIG-IP even bother looking at the packet. I just wanted the traffic to hit the VS and respond by telling them to go to the URL in the iRule. If that is not possible, then that makes sense.

       

      On the NetScaler, there were times we had to bind an 'always up' service/node to a VS in order for a feature to function like a responder or rewrite. Is that unnecessary on the F5-side?

  • Using F5 DNS GSLB is the ideal solution, and it is done in the DNS layer.

    This is not exactly your use case,
    but you can use this article as an example of how to make an HTTP response when all pool members are down.
    https://my.f5.com/manage/s/article/K20405069

    In your case, use HTTP response 302 (temporary redirect).
    Don't use 301, as it is a permanent redirect.
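
An added example, not part of any post above and not F5's own code: a variant of the redirect iRule from the first answer that keeps the requested path and query, normalizes the Host header, and sends the 302 recommended in the second answer. It assumes the virtual server has an HTTP profile and a client SSL profile carrying the certificate for applicationa.contoso.com; the hostnames are the ones used in the thread, and rejecting other Host values is a choice made for this example.

```tcl
when HTTP_REQUEST {
    # Normalize the Host header: lower-case it and drop any ":port" suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Only forward an origin-form request target ("/path?query"). Anything
    # else (for example an absolute URI) is replaced with "/" so the
    # Location header stays well-formed.
    set uri [HTTP::uri]
    if { [string index $uri 0] ne "/" } {
        set uri "/"
    }

    if { $host eq "applicationa.contoso.com" } {
        # The target host is a fixed string; only the path and query come
        # from the request, so the client cannot steer the redirect to
        # another site.
        HTTP::respond 302 noserver \
            Location "https://hosted-applicationa.contoso.com$uri" \
            Cache-Control "no-store" \
            Connection "close"
    } else {
        # Any other Host value on this virtual server is unexpected: log it
        # and drop the connection instead of redirecting.
        log local0.info "Unexpected Host '[HTTP::host]' from [IP::client_addr]"
        reject
    }
}
```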