Forum Discussion
Brian_102810
Nimbostratus
Feb 29, 2012
Can F5 LTM replace http with https?
I'm fairly new to F5 LTM, and am having some issues with SSL offload and SSL client profiles. Previously I had multiple server mirrors that were running SSL directly, and Apache was configured to re...
Feb 29, 2012
We are actually doing the same thing here on DevCentral since we made the flip to full-SSL last Friday. We've used the stream profile for other things like analytics injection previously, but when we switched to SSL, we had to replace all the internal references with https:// links.
Before we had the stream profile, the process would be to do an HTTP::collect and buffer up the whole HTTP::payload and from there do string manipulation on that value and then assign it back. In some cases, that's still the best option if you need to do more than a simple search and replace.
But, with the stream profile, you can specify multiple search/replace strings and have the core code handle the conversion for you. And, for your situation, that seems most appropriate.
What you have coded looks good to me. As long as you have a stream profile assigned to the virtual in question it should work. Keep in mind that you might need to close and restart a new browser session as connections are sometimes reused by browsers and any changes you make to the virtual may not take hold until a new connect occurs.
If you have verified the config settings are correct and still aren't seeing the content modified, here's how I would debug it. You can use the STREAM_MATCHED event to log out any and all match strings for a given request. Something like this:
when HTTP_RESPONSE {
    STREAM::expression "@http:@https:@"
    STREAM::enable
}
when STREAM_MATCHED {
    log local0. "FOUND STREAM MATCH '[STREAM::match]'"
}
And then you can monitor your /var/log/ltm file for the log output. If you aren't seeing any output, then either the VIP isn't configured properly or something else is a problem. You could try changing the search/replace strings with something else like "@a@A@". Odds are that there will be an 'a' character in the response stream.
Once you do get it working, I would warn against doing a blanket "http:" to "https:" conversion. That will change ALL "http:" strings and in most cases that isn't warranted. What we've done for DevCentral is something like this:
when HTTP_REQUEST {
    # Save the requested host for use in the response events
    set host [HTTP::host]
}
when HTTP_RESPONSE {
    # Support local domains
    set stream_expression "@http://$host@@"
    # SSL domain2.com
    append stream_expression "@http://domain2.com@@"
    # SSL domain3.com
    append stream_expression "@http://domain3.com@@"
    # External embeds
    append stream_expression "@embed src=\"http://@@"
    # Enable stream
    STREAM::expression $stream_expression
    STREAM::enable
}
when STREAM_MATCHED {
    # Patterns inside a braced switch body are not variable-substituted,
    # so the $host match is compared separately
    if { [STREAM::match] eq "http://$host" } {
        STREAM::replace "https://$host"
    } else {
        switch [STREAM::match] {
            "http://domain2.com" {
                STREAM::replace "https://domain2.com"
            }
            "http://domain3.com" {
                STREAM::replace "https://domain3.com"
            }
            "embed src=\"http://" {
                STREAM::replace "embed src=\"https://"
            }
        }
    }
}
You'll notice I didn't include a replace string but specified it in the STREAM_MATCHED event with the STREAM::replace command. In this case you could have specified them in the stream_expression variable without the switch case. But, for us, we have an analytics replacement that we only want to happen once. This way we can keep track of multiple replacements of that given token (ie "").
Hope this helps out a bit and please let us know if things are still not working after some debugging.
-Joe
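An offline model of the blanket versus targeted rewrite discussed in the reply above, plus a check for http:// links to your own hosts that survive the rewrite. This is an added example in Python, not part of the original post and not iRule code; the sample body, the host names (www.example.com stands in for the request host) and the function names are constructed for illustration, and the host-boundary lookahead is a choice made in this example.

```python
import re

# Constructed sample response body (not from the original thread).
SAMPLE = (
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '<a href="http://www.example.com/forum">Forum</a>\n'
    '<img src="http://domain2.com/logo.png">\n'
    '<a href="http://domain2.com.partner.example/x">Partner</a>\n'
    '<a href="http://thirdparty.example/page">Elsewhere</a>\n'
    '<embed src="http://media.example/clip.swf">\n'
)

def blanket(body):
    """Model of the "@http:@https:@" expression: every occurrence changes."""
    return body.replace("http:", "https:")

def targeted(body, hosts):
    """Rewrite only links to the listed hosts, plus embed src attributes."""
    alternation = "|".join(re.escape(h) for h in hosts)
    # The lookahead requires the host name to end at this point, so
    # "domain2.com.partner.example" is not treated as "domain2.com".
    pattern = re.compile(
        r"http://(" + alternation + r")(?![A-Za-z0-9.-])", re.IGNORECASE
    )
    body = pattern.sub(r"https://\1", body)
    return body.replace('embed src="http://', 'embed src="https://')

def insecure_refs(body, hosts):
    """Return the listed hosts that are still referenced over http://."""
    wanted = {h.lower() for h in hosts}
    found = re.findall(r"http://([A-Za-z0-9.-]+)", body)
    return sorted({h.lower() for h in found if h.lower() in wanted})

if __name__ == "__main__":
    hosts = ["www.example.com", "domain2.com"]
    rewritten = targeted(SAMPLE, hosts)
    print(rewritten)
    print("still insecure:", insecure_refs(rewritten, hosts))
```

Running `insecure_refs` against a saved copy of a real response body is a quick way to confirm the virtual server is rewriting everything you listed and nothing else.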