Subdomain traffic through F5 proxy not being handled correctly

533 views Asked by At

Traffic to the 2nd domain name on our server, ws.example.org, is not being handled correctly. Instead of delivering content from the 2nd domain name directory it is being delivered, incorrectly, from the 1st domain name entry www.example.org.

The details:

The server is running Apache 2.2.31 and sits behind an F5 load balancer/proxy that contains the SSL certificate for the domain names in question. The traffic our server gets from the F5 is NOT encrypted but is still delivered on port 443.

The Apache configuration entry for the default:443 virtual host has been commented out. The server does not have any certificates installed or available and does not encrypt any traffic.

The relevant content of httpd.conf is:

Listen 80
Listen 443

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    DocumentRoot /Apache/htdocs
    <Directory "/Apache/htdocs">
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName  ws.example.org
    DocumentRoot "/Apache/htdocs/WebServices"
    <Directory "/Apache/htdocs/WebServices">
    AllowOverride All
    </Directory>
</VirtualHost>

Since we want to force the use of www for example.org AND we want to force traffic to be encrypted the follow rules in .htaccess, which resides in /Apache/htdocs, are being used:

RewriteEngine On

# force www
RewriteCond %{HTTP_HOST} ^example.org [NC]
RewriteRule ^(.*)$ https://www.example.org/$1 [L,R=301]

# force HTTPS for everything
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I do not have visibility to the F5 but have been assured that there are no iRules in place related to our domain on the F5. We have tried having the traffic from the F5 delivered to our server on port 80 and although that partially works for the 2nd domain name, ws.example.org, it breaks the main domain www.example.org (the error in this case was an infinite redirect loop).

1

There are 1 answers

0
Dave On BEST ANSWER

The solution turned out to be a combination of changes that needed to be made both on the F5 and on the Apache server. On Apache we turned off all listening to port 443 after making sure that that F5 was only sending up traffic on port 80.

On the F5 a iRule needed to be added to include the header that told Apache what the protocol was so that the rewrite rule to determine whether or not we needed to rewrite to httpS would work. The iRule added to the F5 was:

when CLIENT_ACCEPTED {
    if { [PROFILE::exists clientssl] } then {
        set client_protocol "https"
    } else {
        set client_protocol "http"
    }
}
when HTTP_REQUEST {
    HTTP::header insert "X-Forwarded-For" [IP::client_addr]
    HTTP::header insert "X-Forwarded-Proto" $client_protocol
    HTTP::header insert "X-Forwarded-Port" [TCP::client_port]
}

The only rule we needed from the group of 3 above was the one for X-Forwarded-Proto

As soon as the rule for the F5 was added everything started working correctly and still is today.