I'm pulling my hair out on what should be an insanely simple problem. We are running WebSphere IHS (Apache) through an F5 BigIP. BigIP is doing the https translation for us. Our URL (changed for web, not valid) is https://superniftyserver.com/lawson/portal.

When someone types in just that without the slash after portal, Apache assumes "portal" to be a file and not a directory. When Apache finds out what it is, it sends the 301 Permanent Redirect. But since Apache knows only http, it sends the URL as http://superniftyserver.com/lawson/portal/ which then creates problems.

So I tried a server level httpd.conf change for mod_rewrite, this is one of the dozens of combinations I've tried.

    RewriteEngine on
    RewriteRule ^/lawson/portal(.*) /lawson/portal/$1

I also tried RewriteRule ^/lawson/portal$ /lawson/portal/

Among many other things... What am I missing?

A: 

LoadModule rewrite_module modules/mod_rewrite.so

Make sure that line is somewhere in your httpd.conf file.

Tanj
Thanks, I should have mentioned that... I do have the line uncommented... LoadModule rewrite_module modules/mod_rewrite.so
+2  A: 

If you can't get an answer on the RewriteRule syntax, here are two other options for you: Write a custom iRule on BigIp (see F5 DevCentral) that looks for 301 responses and converts them to SSL; let the URL pass into your WebSphere server and do a programmatic redirect that sends out HTTPS. However, because F5 terminates the SSL connection, you have to set a custom header that you configure (see PQ86347) so the Java request.getScheme() works as you would expect.

Kevin Hakanson
Thank you very much, this looks like my best option so far if I can't get the rewriterule to work....
+4  A: 

Fixed!

SOL6912: Configuring an HTTP profile to rewrite URLs so that redirects from an HTTP server specify the HTTPS protocol


Updated: 8/7/07 12:00 AM

A ClientSSL virtual server is typically configured to accept HTTPS connections from a client, decrypt the SSL session, and send the unencrypted HTTP request to the web server.

When a requested URI does not include a trailing slash (a forward slash, such as /, at the end of the URI), some web servers generate a courtesy redirect. Without a trailing slash, the web server will first treat the resource specified in the URI as a file. If the file cannot be found, the web server may search for a directory with the same name and if found, send an HTTP 302 redirect response back to the client with a trailing slash. The redirect will be returned to the client in HTTP mode rather than HTTPS, causing the SSL session to fail.

Following is an example of how an HTTP 302 redirect response causes the SSL session to fail:

· To request an SSL session, a user types https://www.f5.com/stuff without a trailing slash.

· The client browser sends an SSL request to the ClientSSL virtual server, which resides on the BIG-IP LTM system.

· The BIG-IP LTM system then decrypts the request and sends a GET /stuff command to the web server.

· Since the /stuff file does not exist on the web server, but a /stuff/ virtual directory exists, the web server sends an HTTP 302 redirect response for the directory, but appends a trailing slash to the resource. When the web server sends the HTTP 302 redirect response, it specifies HTTP (not HTTPS).

· When the client receives the HTTP 302 redirect response, it sends a new request to the BIG-IP LTM virtual server that specifies HTTP (not HTTPS). As a result, the SSL connection fails.

Configuring an HTTP profile to rewrite URLs

In BIG-IP LTM version 9.x you can configure an HTTP profile to rewrite URLs so that redirects from an HTTP server specify the HTTPS protocol. To do so, perform the following procedure:

  1. Log in to the Configuration utility.

  2. Click Local Traffic.

  3. Click Profiles.

  4. Click the Create button.

  5. Type a name for the profile.

  6. Choose http from the Parent Profile drop-down menu.

  7. Under Settings, set Redirect Rewrite to All, Matching, or Nodes, depending upon your configuration.

For example:

o Choose All to rewrite any HTTP 301, 302, 303, 305, or 307 redirects to HTTPS

o Choose Matching to rewrite redirects when the path and query URI components of the request and the redirect are identical (except for the trailing slash)

o Choose Node to rewrite redirects when the redirect URI contains a node IP address instead of a host name, and you want the system to change it to the virtual server address

  8. Click Finished.

You must now associate the new HTTP profile with the ClientSSL virtual server.
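
The Redirect Rewrite choices described in the SOL above, modeled in Python as an added example (not F5's code and not part of the original answer). The function name, the `node_ips` and `vip_host` parameters, and the sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Redirect statuses the SOL lists for the "All" setting.
REDIRECT_CODES = {301, 302, 303, 305, 307}


def rewrite_location(mode, request_uri, status, location, node_ips=(), vip_host=""):
    """Return the Location header the client would see after the proxy.

    mode is "All", "Matching" or "Nodes"; any other value leaves the
    header untouched. node_ips and vip_host are hypothetical inputs
    standing in for the pool members and the virtual server name.
    """
    loc = urlsplit(location)
    # Only absolute http:// redirects are candidates for rewriting.
    if status not in REDIRECT_CODES or loc.scheme != "http":
        return location

    if mode == "Matching":
        # Path and query must equal the request's, ignoring a trailing slash.
        req = urlsplit(request_uri)
        same_path = req.path.rstrip("/") == loc.path.rstrip("/")
        if not (same_path and req.query == loc.query):
            return location
    elif mode == "Nodes":
        # Redirect names a back-end node IP: swap in the virtual server host.
        if loc.hostname not in node_ips:
            return location
        loc = loc._replace(netloc=vip_host)
    elif mode != "All":
        return location

    return urlunsplit(loc._replace(scheme="https"))


if __name__ == "__main__":
    # Constructed sample: the courtesy redirect from the question.
    print(rewrite_location("Matching", "/lawson/portal", 301,
                           "http://superniftyserver.com/lawson/portal/"))
```

With Matching, only the trailing-slash courtesy redirect is upgraded; a redirect to a different path keeps its http:// scheme unless All is selected.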