Old-Greg-MD
Mar 25, 2016

Negating traffic policy rules

Hoping someone can help me out with this. Recently tried deploying a traffic policy to redirect users to https if the URI contains a list of different strings, and to redirect back to http if it does not contain a list of strings.

Logic seemed simple. As an example:

HTTP virtual server: if URI path contains login.php, redirect to the same host/URI over https.

HTTPS virtual server: if URI path NEGATE contains login.php, redirect to same host/URI over http.

The contains works great, but the minute I negate the same rule for my https server, I wind up in a redirect loop. So even if my http request is sent, I get redirected to http, which in turn redirects me back to https, looping me indefinitely. What I expected to happen was the traffic policy would be evaluated and since I was already using HTTPS and my URI contained login.php, I would not get a 302 redirect.

I can get all this to work by changing my negate rule to use STARTS WITH instead of CONTAINS, however this limits me if I need to specify different URI paths that aren't stored at the root of the web server.

Has anyone run into this or can someone explain the boolean logic for contains and how it changes when it is negated? It is not working as I would expect.

Thanks all,

-GR

  • Josiah_39459
    Historic F5 Account
    Probably be easiest if you post your irules and/or add logging to them to log the URI they are receiving at each step so you can trace the logic.
  • They're not irules, using traffic policies. I think I can add logging to them, let me check. It just seems fairly simple. Negating a contains value just isn't functioning as I would have thought and I am not sure why.
  • Hi Greg,

    If you still care, it makes no sense to me.

    If you "curl" both the http and https VS, what Location and Server headers are you getting?

    Maybe the redirect comes from the server instead of the Big-IP, I'm not sure.

    Did you change the rule condition to include the leading slash when using the starts-with operator? ("/login.php")

    Maybe with the starts-with operator the rule is not matching.

    Could you post the related policy rules here?

    Regards.