Forum Discussion
Can I use an IRULE?
Trying to load balance 3 web servers running Kronos Application. Need to use 443 for some security but application uses 80. Can I use an IRULE to manipulate this? With the setup now, they can go to the URL with HTTP or HTTPS. Only want HTTPS.
User goes to https://time.abc.org/scf/login
Java client needs to be installed if not already. They sign in and do what they need to in the Application. Currently I have both ports 80 and 443 opened to make this work.
I did find this on the site for HTTP redirects:
when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Will this work? I really have no idea about iRules so I apologize for any stupidity! Thanks in advance!
15 Replies
- hoolio
Cirrostratus
Hi,
The rule you listed will redirect all requests from HTTP to HTTPS. The question is: does the Kronos application answer on HTTPS for every object that it does for HTTP?
I think the simplest way to find that out would be to test using the rule against the application.
If the redirect rule doesn't work, there are some other options you can try, but why not test what you have first?
Aaron
- mike_schweinber
Nimbostratus
Hello,
Thanks! I tested it and it failed! I am starting to think that I will have to have Kronos reinstall their APP to get HTTPS to work.
- hoolio
Cirrostratus
If it's an option to have the application reconfigured to use only HTTPS, that would be the most efficient fix.
Else, if you aren't able to do that, I'd suggest contacting support to work through exactly what isn't working when redirecting requests from HTTP to HTTPS. If they recommend specific changes to make using an iRule, post back here again for more help.
Aaron
- David_Homoney
Nimbostratus
Why not set up a clientssl profile? This will allow you to keep all commo between your clients and BIGIP secure while allowing your Kronos servers to stay on port 80.
- mike_schweinber
Nimbostratus
Posted By homoney on 7/25/2006 8:59 AM
Why not set up a clientssl profile? This will allow you to keep all commo between your clients and BIGIP secure while allowing your Kronos servers to stay on port 80.
Hi,
I tried that and I stay encrypted with the IE lock at the bottom of the webpage. I get that popup asking do you want to display non secure data. If you check no, it works just fine. I am just not sure how to tell if all data is encrypted.
- John_45523
Nimbostratus
I'm having a similar problem. I set up the client side for 443 and server 80. With the iRule below it will only display the Kronos app page and not display the data from the SQL database.
This iRule is under my port 80 VS:
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/" } {
        HTTP::redirect https://[HTTP::host]/wfc/logon
    }
}
Did you get yours fixed?
- Michael_Yates
Nimbostratus
I think that you should be able to do it without manipulating the end application (leave it HTTP on Port 80 and use the F5 to do full SSL Offload).
Apply to your HTTP VIP (Redirect all HTTP to HTTPS):
when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Apply to your HTTPS VIP (Sets the Secure Cookie Flag):
when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in the response
    foreach aCookie $cookies {
        # Take the cookie name from the list and set its Secure flag to enable
        HTTP::cookie secure $aCookie enable
    }
    # NOTE: The SSL certificate website name MUST match in order for this iRule to work properly
}
Apply to your HTTPS VIP (Corrects all content responses from HTTP to HTTPS):
Create Custom HTTP Profile. Model after Default HTTP Profile but enable the "Redirect Rewrite" option to "Matching".
It will monitor the response traffic back to the requestor and anything that directs the browser to go to http://website.com/content will be modified to https://website.com/content on the fly.
NOTE: This will only work if the content is within the same site. (If content for a different website is requested you will get the "Do you wish to display Non-Secure Data" prompt.)
- r_dynamo_79563
Nimbostratus
There are some java objects that are not being rendered correctly using the above setup. I tried using a stream profile with an iRule on the HTTPS VIP which correctly rendered those java objects in HTTPS. However, there is an instance whereby clicking on run report the web-app is supposed to direct you towards the report status, which is failing. After clicking on "Run Report" several times, I can get an error saying undefined.
when HTTP_REQUEST {
    # Tell server not to compress response
    HTTP::header remove Accept-Encoding
    # Disable STREAM for request flow
    STREAM::disable
}
when HTTP_RESPONSE {
    # Catch and replace redirect headers
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }
    # Only look at text data
    if { [HTTP::header Content-Type] contains "text" } {
        # Create a STREAM expression to replace any http:// with https://
        STREAM::expression {@http://@https://@}
        # Enable STREAM
        STREAM::enable
    }
}
- r_dynamo_79563
Nimbostratus
I am trying to set http to https rewrites on all Server responses within Kronos. I tried Michael Yates' suggestion, however some features within the web-app are not displaying at all on https. I tried using a stream profile with the iRule below on the HTTPS VIP, and all the features are running. However, there's a run report operation that throws an undefined javascript error upon several clicks, but the reports are generating fine. Is there any workaround to ensure everything is rendered correctly on HTTPS?
when HTTP_REQUEST {
    # Tell server not to compress response
    HTTP::header remove Accept-Encoding
    # Disable STREAM for request flow
    STREAM::disable
}
when HTTP_RESPONSE {
    # Catch and replace redirect headers
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }
    # Only look at text data
    if { [HTTP::header Content-Type] contains "text" } {
        # Create a STREAM expression to replace any http:// with https://
        STREAM::expression {@http://@https://@}
        # Enable STREAM
        STREAM::enable
    }
}
- Brett_10751
Nimbostratus
We run Kronos 443 on the vip and port 80 to the pool and have an iRule and stream profile configured like this. We are not having the issues you report. I could have sworn the Kronos admin had to enable some sort of SSL offloading settings in the Kronos admin page. That may be what you are missing.
when HTTP_REQUEST {
    # Save the requested host; the HTTP_RESPONSE event below reads $host
    set host [HTTP::host]
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    # Check if response type is text and host isn't null
    if { [HTTP::header value Content-Type] contains "text" and $host ne "" } {
        # Replace http://$host with https://$host
        STREAM::expression "@http://$host@https://$host@"
        # Enable the stream filter for this response only
        STREAM::enable
    }
    # Rewrite the Location header in redirects to https://
    if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host" } {
        HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
    }
}
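An added example, not code from any poster in this thread: a Python check over one response captured from the HTTPS virtual server, flagging the three things the replies above address (Location headers still pointing at http://, cookies without the Secure flag, and http:// links left in text bodies, split into same-site and off-site). The helper name `audit_response`, the host name, and the sample headers and body are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def audit_response(site_host, headers, body=""):
    """Return (kind, detail) findings for one response from the HTTPS VIP.

    headers is a list of (name, value) pairs so repeated Set-Cookie
    headers are all inspected.
    """
    findings = []
    content_type = ""
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and value.lower().startswith("http://"):
            # Redirect would send the browser back to cleartext
            findings.append(("redirect-to-http", value))
        elif lname == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "secure" not in attrs:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(("cookie-without-secure", cookie_name))
        elif lname == "content-type":
            content_type = value.lower()
    # Only text bodies are scanned, matching the Content-Type test in the iRules
    if "text" in content_type:
        for url in re.findall(r"http://[^\s\"'<>)]+", body, flags=re.I):
            host = (urlsplit(url).hostname or "").lower()
            same = host == site_host.lower()
            findings.append(("same-site-http-link" if same else "off-site-http-link", url))
    return findings

# Constructed sample data, not taken from a real Kronos deployment
SITE_HOST = "time.example.test"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "http://time.example.test/wfc/logon"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "prefs=1; Path=/; Secure"),
]
SAMPLE_BODY = (
    '<script src="http://time.example.test/wfc/applets.js"></script>'
    '<img src="http://cdn.example.test/logo.gif">'
    '<a href="https://time.example.test/wfc/home">home</a>'
)

if __name__ == "__main__":
    for kind, detail in audit_response(SITE_HOST, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind}: {detail}")
```

Same-site findings are the ones a host-scoped stream expression or the "Redirect Rewrite" profile option can correct; off-site http:// links are what still triggers the browser's non-secure content prompt.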
