Forum Discussion
cleartext redirect to SSL
Hi, we have BIGIP (10.2.3) LTM, and we need to redirect to SSL all the incoming cleartext traffic on the URLs (port 80). Do we have any way to do it? Thanks in advance for your reply.
7 Replies
- wesleyjack
Nimbostratus
Hien,
I know in 11 code there is an F5-provided HTTP to HTTPS redirect iRule. I do not know if it exists in 10.2.3, so I would point you to SOL7125, as it covers HTTP redirects in 10.2.3.
https://support.f5.com/kb/en-us/solutions/public/7000/100/sol7125.html
Hopefully that helps!
- truongh_36312
Nimbostratus
Wesleyjack, thanks for your quick reply. I know the iRule to redirect from http to https, but in case we don't want to have a virtual server using https (443) with a certificate, do you have any way to implement it without creating a new virtual server on port 443? Thanks in advance.
- wesleyjack
Nimbostratus
Hien, So, the scenario is you have a virtual server (VS) on your F5 using service port 80. You do not want to create a VS on the same F5 using 443. Does this 443 VS exist on a separate F5? Something has to respond to the IP on port 443. For example, let's say your FQDN is www.hien.com. Let's also say www.hien.com resolves to 1.1.1.1. Lastly, you have a VS on your F5 listening on 1.1.1.1:80. If you establish an HTTP-HTTPS redirect for www.hien.com on the VS, then you would need another VS on your F5 listening to 1.1.1.1:443. If nothing is listening to 1.1.1.1:443, then the redirect will work but the client will get no response to their TCP SYNs.
- wesleyjack
Nimbostratus
Hien, So I tested this on my BigIP Lab VE. I used the redirect iRule. I disabled my 443 VS on the F5, but left my 80 VS up with the redirect iRule in place.
10.128.10.1:54984 --> 10.128.10.35:80 TCP 3-way success
10.128.10.1:54984 GET / HTTP/1.1 --> 10.128.10.35:80
10.128.10.35:80 Redirect --> 10.128.10.1:54984
10.128.10.1:54985 SYN --> 10.128.10.35:443
10.128.10.35:443 RST --> 10.128.10.1:54985
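An added example, not part of the original thread: a Python check for the condition the trace above shows, where the port-80 redirect is answered but nothing accepts the follow-up connection on the HTTPS port. The names `check_redirect`, `start_redirector` and `free_port` and the loopback redirector are constructed for illustration; point `check_redirect` at your own virtual server address.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def check_redirect(host, port=80, timeout=3.0):
    """GET / over cleartext HTTP, then probe the redirect target with a TCP connect."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    result = {"status": status, "location": location, "https": False, "listening": False}
    if status not in (301, 302, 303, 307, 308) or not location:
        return result  # no redirect is configured on the cleartext listener
    target = urlsplit(location)
    result["https"] = target.scheme == "https"
    try:
        with socket.create_connection((target.hostname, target.port or 443), timeout=timeout):
            result["listening"] = True
    except OSError:  # RST (connection refused) or unanswered SYN (timeout)
        pass
    return result

def start_redirector(location):
    """Constructed stand-in for the port-80 virtual server: every GET gets a 302."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def free_port():
    with socket.socket() as s:  # bind, read the port, release it so it is closed again
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    srv = start_redirector(f"https://127.0.0.1:{free_port()}/")
    print(check_redirect("127.0.0.1", srv.server_address[1]))
```

A result with `https` true and `listening` false is the state in the trace: clients are redirected and then fail to connect.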
- truongh_36312
Nimbostratus
Got it, thanks for your instruction.
- nitass
Employee
"but in case if we don't want to have virtual server using https(443) with certificate"
If you mean http on clientside (between client and bigip) and https on serverside (between bigip and server), you can just add a serverssl profile to the http virtual server.
- truongh_36312
Nimbostratus
Nitass, thanks for your email, I will try to apply it. Thanks.