Skip to Main Content
  • Questions

  • Oracle APEX 5 behind an F5 BIGIP virtual server (https)

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, David.

Asked: November 20, 2015 - 5:08 pm UTC

Last updated: November 24, 2015 - 12:41 pm UTC

Version: 3

Viewed 1000+ times

You Asked

Hello,

We have the following setup;

F5 BIGIP 3900 (LTM version 11.6 hotfix 4)

virtual server called vs1
vs1 is listening on port 443
vs1's default pool is pool1
pool1 has a node called node1
node1 is the web server detailed below with a service port of 8080

* There no iRules associated with this Virtual Server.

Web server

Centos 6.3
Apache Tomcat 7.0.64
Oracle ORDS 3.0.2
Oracle 11.2.0.3 client
jdk 1.7.0_79

DB server

Oracle Linux 6.6
Oracle 11.2.0.4 Rac One Node (2 node configuration) with 5 databases
APEX 5.0.2.00.07


We can launch firefox from the web server and go to http://localhost:8080/apex and the page is displayed (albeit APEX naturally changes the URL to something like; http://localhost:8080/apex/f?p=4550:1:11539397511111::::: )

From a web browser (not on the web server)

When we try to launch https://ip_address_of_our_vs/apex we get a timeout message from the browser. It seems like our F5 BIGIP or APEX can't handle the URL being dynamically changed?

If we go to https://ip_address_of_our_vs/apex/f?p=116 - Again APEX changes the URL slightly (to the one below). This fails with a timeout error.

If we go to https://ip_address_of_our_vs/apex/f?p=116:LOGIN_DESKTOP:::::: - i.e the absolute URL. No rewrite of the URL is done here. This works and we get the login screen.

We can get the Apache Tomcat default page by going to https://ip_address_of_our_vs/ and we can get to any of the APEX images by going to for example;

https://ip_address_of_our_vs/i/delete.gif

or

https://ip_address_of_our_vs/i/apex_version.txt

It appears that every time there is a rewrite of the URL, we get a timeout.

HOWEVER, if we change the Virtual Server service port from 443 to port 80 (http) then EVERYTHING works as expect and these rewrite issues are not seen.


Thing is we want to have APEX behind an HTTPS virtual server on our F5 BIGIP.

This site uses APEX 5 and is presented on https, probably with the use of a network load balancer so I was hoping you could provide some advice/guidance?


I've spent 3 days banging my head against the wall with this.

Regards,
David

and Connor said...

Hi David,

I'm no network guy, but I'm publishing your question anyway so that if anyone can assist than can post a review.

Cheers,
Connor

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

This might help

Ramon Caballero, November 23, 2015 - 6:02 pm UTC

Could you check if this link helps you?
https://devcentral.f5.com/questions/redirect-https-to-http
The think that pop ups is "make sure server ssl is set to none in the VIP configuration"

Another option is to actually enable SSL in the Webserver.
Chris Saxon
November 24, 2015 - 1:07 am UTC

Thanks for contributing.

Cheers,
Connor

Here's the fix!!

David, November 24, 2015 - 11:50 am UTC

Ok, we've managed to fix it!

Previously we had 1 virtual server listening on port 443 and passing traffic to a pool which contained a node (the web server on service port 8080)

This virtual server had no iRules.

To fix it we created a second virtual server idenitical to the first except it listens on port 80. This virtual server has one iRule (a default one called "_sys_https_redirect")

This setup works and we don't experience the ERR_CONNECTION_REFUSED when going to a non-absolute URL such as https:// <ip address of our vs>/apex

Regards,
David
Connor McDonald
November 24, 2015 - 12:41 pm UTC

Thanks for getting back to us. Hopefully this information will be useful to others.

more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.