Can F5 LTM replace http with https?
I'm fairly new to F5 LTM, and am having some issues with SSL offload and SSL client profiles. Previously I had multiple server mirrors that were running SSL directly, and Apache was configured to return https URLs to SSL requests and return regular http URLs to clear text requests. Now that LTM is proxying for SSL, Apache is only returning http URLs since it is no longer running SSL. This is fine for the domain that is actually being proxied for, however there are other assets that Apache is calling on pages, for example Amazon S3 links, that get returned as clear text http regardless of whether the F5 receives an http or https request.
I found this KB article http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7027.html that talks about editing the payload of client or server requests. Unless there is an easier solution that I’ve overlooked, what I’d like to do is configure LTM with some sort of rule to replace the string “http:” with “https:” in responses that are received back from servers that are in the SSL offload pool.
The article states that “When applied to a virtual server, the following example Stream profile will search all data streams (the data a virtual server receives on its client and server sides) for the strings 123 and abc. If found, the Stream profile replaces the string 123 with 456 and the string abc with xyz.” I interpret this to mean that client to server HTTP GETs will be replaced with https, which is not what I want, since Apache is only running clear text http now.
It also says that “An iRule can perform the same function of a custom Stream profile. However, in this example the Stream profile is only enabled when an HTTP response is received from the server.” This is basically what I want to accomplish, but I tried the example syntax and couldn’t get it to actually change anything.
I created an iRule that says:
    when HTTP_RESPONSE {
        STREAM::expression "@http:@https:@"
        STREAM::enable
    }
I then applied the default HTTP profile, default Stream profile, and the iRule to the virtual server pool that is for the SSL offload. Looking at the source of pages returned from the server still has the http: URLs in it though.
Is this the correct way to implement this, or is there some easier alternate way? If this is the correct way how can I tell if the iRule is actually matching my string and the traffic?
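An added example, not part of the original post or the F5 KB article: a response-only variant of the iRule above that also logs each substitution, so the log shows whether the expression ever matches. It assumes the virtual server has both an HTTP profile and a Stream profile attached, and that the back-end servers may compress responses when the client offers Accept-Encoding (a stream filter cannot match text inside a compressed body); the Content-Type test for "text" is an illustrative choice.

```tcl
when HTTP_REQUEST {
    # Keep the stream filter off for client-to-server data, so the
    # clear-text requests sent to Apache are never rewritten.
    STREAM::disable

    # Assumption: the servers compress responses when the client offers it.
    # Removing the header makes the servers answer uncompressed, so the
    # response body is plain text the filter can search.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Only rewrite text responses (HTML, CSS, JavaScript served as text/*);
    # images and other binary bodies are left alone.
    if { [HTTP::header value "Content-Type"] contains "text" } {
        # Same expression as in the post: replace "http:" with "https:".
        STREAM::expression {@http:@https:@}
        STREAM::enable
    }
}

when STREAM_MATCHED {
    # Fires once per match; the entries are written via the local0 facility
    # (/var/log/ltm on BIG-IP). No entries means the filter never matched.
    log local0. "[IP::client_addr]:[TCP::client_port] stream matched: [STREAM::match]"
}
```

If the log stays empty while the page source still shows http: links, the response is not reaching the filter in a searchable form, or the iRule and Stream profile are not attached to the virtual server handling the request.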