I'm pulling my hair out on what should be an insanely simple problem. We are running WebSphere IHS (Apache) through an F5 BigIP. BigIP is doing the https translation for us. Our url (changed for web, not valid) is https://superniftyserver.com/lawson/portal.
When someone types in just that without the slash after portal, Apache assumes "portal" to be a file and not a directory. When Apache finds out what it is, it sends the 301 Permanent Redirect. But since Apache knows only http, it sends the URL as http://superniftyserver.com/lawson/portal/ which then creates problems.
So I tried a server-level httpd.conf change for mod_rewrite; this is one of the dozens of combinations I've tried.
RewriteEngine on
RewriteRule ^/lawson/portal(.*) /lawson/portal/$1
I also tried RewriteRule ^/lawson/portal$ /lawson/portal/
Among many other things... What am I missing?
4 solutions
#1
6
If you can't get an answer on the RewriteRule syntax, here are two other options for you: Write a custom iRule on BigIp (see F5 DevCentral) that looks for 301 responses and converts them to SSL; let the URL pass into your WebSphere server and do a programmatic redirect that sends out HTTPS. However, because F5 terminates the SSL connection, you have to set a custom header that you configure (see PQ86347) so the Java request.getScheme() works as you would expect.
#2
5
Fixed!
SOL6912: Configuring an HTTP profile to rewrite URLs so that redirects from an HTTP server specify the HTTPS protocol
Updated: 8/7/07 12:00 AM
A ClientSSL virtual server is typically configured to accept HTTPS connections from a client, decrypt the SSL session, and send the unencrypted HTTP request to the web server.
When a requested URI does not include a trailing slash (a forward slash, such as /, at the end of the URI), some web servers generate a courtesy redirect. Without a trailing slash, the web server will first treat the resource specified in the URI as a file. If the file cannot be found, the web server may search for a directory with the same name and if found, send an HTTP 302 redirect response back to the client with a trailing slash. The redirect will be returned to the client in HTTP mode rather than HTTPS, causing the SSL session to fail.
Following is an example of how an HTTP 302 redirect response causes the SSL session to fail:
· To request an SSL session, a user types https://www.f5.com/stuff without a trailing slash.
· The client browser sends an SSL request to the ClientSSL virtual server, which resides on the BIG-IP LTM system.
· The BIG-IP LTM system then decrypts the request and sends a GET /stuff command to the web server.
· Since the /stuff file does not exist on the web server, but a /stuff/ virtual directory exists, the web server sends an HTTP 302 redirect response for the directory, but appends a trailing slash to the resource. When the web server sends the HTTP 302 redirect response, it specifies HTTP (not HTTPS).
· When the client receives the HTTP 302 redirect response, it sends a new request to the BIG-IP LTM virtual server that specifies HTTP (not HTTPS). As a result, the SSL connection fails.
Configuring an HTTP profile to rewrite URLs
In BIG-IP LTM version 9.x you can configure an HTTP profile to rewrite URLs so that redirects from an HTTP server specify the HTTPS protocol. To do so, perform the following procedure:
- Log in to the Configuration utility.
- Click Local Traffic. Click Profiles.
- Click the Create button.
- Type a name for the profile.
- Choose http from the Parent Profile drop-down menu.
- Under Settings, set Redirect Rewrite to All, Matching, or Nodes, depending upon your configuration. For example:
  o Choose All to rewrite any HTTP 301, 302, 303, 305, or 307 redirects to HTTPS
  o Choose Matching to rewrite redirects when the path and query URI components of the request and the redirect are identical (except for the trailing slash)
  o Choose Node to rewrite redirects when the redirect URI contains a node IP address instead of a host name, and you want the system to change it to the virtual server address
- Click Finished.
You must now associate the new HTTP profile with the ClientSSL virtual server.
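The three Redirect Rewrite choices described in the article above, modelled as an added example that is not part of the original answer and is not F5's implementation. The function names, the node address 10.0.0.5:9080 and the /lawson/login path are constructed for illustration, and forcing https in the nodes mode is an assumption.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 305, 307}  # codes the article lists under "All"

def is_downgrade(request_url, location):
    """True when an https request is answered with an absolute http Location."""
    return urlsplit(request_url).scheme == "https" and urlsplit(location).scheme == "http"

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def rewrite_location(mode, request_url, status, location, virtual_host):
    """Return the Location header the client should receive.

    mode is "all", "matching" or "nodes": an approximation of the article's
    three settings, written from its one-line descriptions.
    """
    if status not in REDIRECT_CODES:
        return location
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme != "http":
        return location  # relative or already https: nothing to fix
    secure = urlunsplit(loc._replace(scheme="https"))
    if mode == "all":
        return secure
    if mode == "matching":
        # Same path and query, ignoring only the trailing slash.
        same = (loc.path.rstrip("/") == req.path.rstrip("/")
                and loc.query == req.query)
        return secure if same else location
    if mode == "nodes":
        # Assumption: the node IP is swapped for the virtual server name
        # and the scheme is forced to https at the same time.
        if _is_ip(loc.hostname or ""):
            return urlunsplit(loc._replace(scheme="https", netloc=virtual_host))
        return location
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample exchange based on the question's URL.
VHOST = "superniftyserver.com"
REQ = "https://superniftyserver.com/lawson/portal"
SLASH_REDIRECT = "http://superniftyserver.com/lawson/portal/"
OTHER_REDIRECT = "http://superniftyserver.com/lawson/login"
NODE_REDIRECT = "http://10.0.0.5:9080/lawson/portal/"
```

With Matching, only the trailing-slash courtesy redirect is upgraded; any other absolute http:// redirect the backend emits still reaches the client in cleartext, which is the case `is_downgrade` flags.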
#3
1
Try this:
# Trailing slash problem
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} -d
RewriteRule ^(.+[^/])$ https://<t:sitename/>$1/ [redirect,last]
#4
0
LoadModule rewrite_module modules/mod_rewrite.so
Make sure that line is somewhere in your httpd.conf file.