Forum Discussion
NimbostratusCan I use an IRULE?
Trying to load balance 3 web servers running Kronos Application. Need to use 443 for some security but application uses 80. Can I use an IRULE to manipulate this? With the setup now, they can go to the URL with HTTP or HTTPS. Only want HTPS.
User goes to https://time.abc.org/scf/login
Java client needs to be installed if not already. They sign in and do what they need to in the Application. Currently I have both ports 80 and 443 opened to make this work.
I did find this on the site for HTTP redirects:
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Will this work? I really have no idea about Irules so I appologize for any stupidity! Thanks in advance!
hoolioCirrostratus
Hi,
The rule you listed will redirect all requests from HTTP to HTTPS. The question is: does the Kronos application answer on HTTPS for every object that it does for HTTP?
I think the simplest way to find that out would be to test the using the rule against the application.
If the redirect rule doesn't work, there are some other options you can try, but why not test what you have first.
Aaron
mike_schweinberHello,
Thanks! I tested it and it failed! I am starting to think that I will have to have Kronos reinstall their APP to get HTTPS to work.- hoolioIf it's an option to have the application reconfigured to use only HTTPS, that would be the most efficient fix.
Else, if you aren't able to do that, I'd suggest contacting support to work through exactly what isn't working when redirecting requests from HTTP to HTTPS. If they recommend specific changes to make using an iRule, post back here again for more help.
Aaron 
David_HomoneyWhy not setup a clientssl profile. This will allow you to keep all commo between your clients and BIGIP secure while allowing your Kronos servers to stay on port 80.- mike_schweinberPosted By homoney on 7/25/2006 8:59 AM
Why not setup a clientssl profile. This will allow you to keep all commo between your clients and BIGIP secure while allowing your Kronos servers to stay on port 80.
Hi,
I tried that and I stay encrypted with the IE lock at the bottom of the webpage. I get that popup asking do you want to display non secure data. If you check no, it works just fine. I am just not sure how to tell if all data is encrypted. - John_45523I'm having the similar problem. I set up the client side for 443 and server 80. with the IRule below it will only display the Kronos app page and not display the data from SQL database.
this IRule is under my Port 80 VS
when HTTP_REQUEST {
if { [HTTP::uri] equals "/" } {
HTTP::redirect https://[HTTP::host]/wfc/logon
}
}
did you get yours fixed? 
Michael_YatesI think that you should be able to do it without manipulating the end application (leave it HTTP on Port 80 and use the F5 to do full SSL Offload).
Apply to your HTTP VIP (Redirect all HTTP to HTTPS):
when HTTP_REQUEST {
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Apply to your HTTPS VIP (Sets the Secure Cookie Flag):
when HTTP_RESPONSE {
set cookies [HTTP::cookie names]
Loop through each cookie by name in request
foreach aCookie $cookies {
Replace cookie name from list and set Secure Flag to Enable
HTTP::cookie secure $aCookie enable
}
NOTE: The SSL Certificate Website Name MUST match in order for this iRule to work Properly
}
Apply to your HTTPS VIP (Corrects all content responses from HTTP to HTTPS):
Create Custom HTTP Profile. Model after Default HTTP Profile but enable the "Redirect Rewrite" option to "Matching".
It will monitor the response traffic back to the requestor and anything that directs the browser to go to http://website.com/content will be modified to https://website.com/content on the fly.
NOTE: This will only work if the content within the same site. (if content for a different website is requested you will get the "Do you wish to display Non-Secure Data")- r_dynamo_79563
There are some java objects that are not being rendered correctly using above setup. I tried using a stream profile with an iRule on the HTTPS VIP which correctly rendered those java objects in HTTPS. However, there is an instance whereby clicking on run report the web-app is suppose to direct you towards the report status which is failing. After clicking on "Run Report" several times, I can get an error saying undefined.
when HTTP_REQUEST { tell server not to compress response HTTP::header remove Accept-Encoding disable STREAM for request flow STREAM::disable } when HTTP_RESPONSE { catch and replace redirect headers if { [HTTP::header exists Location] } { HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]] } only look at text data if { [HTTP::header Content-Type] contains "text" } {
create a STREAM expression to replace any http:// with https:// STREAM::expression {@http://@https://@} enable STREAM STREAM::enable }}
- r_dynamo_79563
I am trying to set http to https rewrites on all Server responses within Kronos. I tried Michael Yates suggestion, however some features within the web-app are not displaying at all on https. I tried using a stream profile with the irule below on the HTTPS VIP, all the features are running. However, there's a run report operation that throws an undefined javascript error upon several clicks, but the reports are generating fine. Is there any work around to ensure everything is rendered correctly on HTTPS?
when HTTP_REQUEST { tell server not to compress response HTTP::header remove Accept-Encoding disable STREAM for request flow STREAM::disable } when HTTP_RESPONSE { catch and replace redirect headers if { [HTTP::header exists Location] } { HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]] } only look at text data if { [HTTP::header Content-Type] contains "text" } { create a STREAM expression to replace any http:// with https:// STREAM::expression {@http://@https://@} enable STREAM STREAM::enable } } - Brett_10751
We run Kronos 443 on the vip and port 80 to the pool and have an irule and stream profile configured like this. We are not having the issues you report, I could have sworn the kronos admin had to enable some sort of ssl offloading settings in Kronos admin page. That may be what you are missing
when HTTP_REQUEST { STREAM::disable HTTP::header remove "Accept-Encoding" } when HTTP_RESPONSE { Check if response type is text and host isn't null if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{ Replace http://$host with https://$host STREAM::expression "@http://$host@https://$host@" Enable the stream filter for this response only STREAM::enable } Rewrite the Location header in redirects to https:// if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host"} { HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]] } }