Forum Discussion
conditional ssl rewrite
Hi All
we have F5 LTM on v11.6, and I am trying to write what I'm sure is a very simple iRule...
we have a domain and what I need to do is enforce SSL if someone goes to www.company.com/user
I do not want to force SSL on the whole site, just this one particular area
Many thanks in advance
Mike
2 Replies
- Kevin_Stewart
Employee
Unfortunately not as simple as you'd have hoped, and the issue basically comes down to visibility and persistence.
While you could technically see the Host portion of a URL in the Server Name Indication (SNI) extension in an SSL handshake (client's ClientHello), the URI path is a layer 7 construct. You don't get to see that until you've terminated the SSL, so there's no way to disable SSL based on a URI path. The only real option you have is multiple virtual servers (one port 443 HTTPS and one port 80 HTTP) and a set of iRules that generate redirects back and forth based on URI patterns. For example, if someone lands on the HTTP VIP with a /user path, you could redirect them to the HTTPS VIP. If someone lands on the HTTPS VIP, you terminate the SSL, and then find that they're not asking for a /user path, you could redirect them to the HTTP VIP. In this case you always have to terminate the SSL first before you can make a routing decision.
This will definitely work, but I must also issue caution. If you're encrypting /user data because it's something worth protecting, understand that flipping back and forth between encrypted and not-encrypted data paths is dangerous. Depending on how the application is architected, you could very easily leak information from the encrypted side.
- Kevin_Stewart
Employee
It's more or less something like this (some tweaking may be required):
HTTP VIP:

    when HTTP_REQUEST {
        # Anything under /user must be served over SSL: bounce it to the HTTPS VIP
        if { [string tolower [HTTP::uri]] starts_with "/user" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

HTTPS VIP:

    when HTTP_REQUEST {
        # Anything that is not under /user goes back to the plain HTTP VIP
        if { not ([string tolower [HTTP::uri]] starts_with "/user") } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    }

Of course again, if you establish a session with the user, by virtue of them logging on and you sending a cookie/token, that token will likely be visible to the unencrypted HTTP data flow.
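The two-VIP redirect scheme described in the replies above, as an added example that is not Kevin's code or anything from the original post. It goes slightly beyond the thread in two ways: the path test matches "/user" and "/user/..." but not unrelated paths such as "/userdata", and the HTTPS side marks every cookie the /user application sets as Secure and HttpOnly so the browser never sends it to the port 80 VIP, which is the leak the replies warn about. It assumes the iRule commands HTTP::path, HTTP::cookie names, HTTP::cookie secure and HTTP::cookie httponly behave as documented on LTM v11.6; the hostname and the "/user" prefix are the ones from the question. Both VIPs must use the same path predicate, otherwise a request that one side treats as /user and the other does not will bounce between them forever.

```tcl
# --- iRule on the port 80 (HTTP) virtual server -------------------------
# Assumption: the protected area is exactly "/user" or anything below "/user/".
# A mismatched predicate on the two VIPs produces a redirect loop, so keep
# this test identical to the one on the HTTPS VIP.
when HTTP_REQUEST {
    # HTTP::path is the URI without the query string, so "?x=/user" cannot fool the match
    set path [string tolower [HTTP::path]]
    if { ($path equals "/user") || ($path starts_with "/user/") } {
        # Permanent redirect so browsers cache it and stop asking over plain HTTP
        HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" Connection "close"
        return
    }
    # Everything else is served in the clear, as the question asked
}

# --- iRule on the port 443 (HTTPS) virtual server -----------------------
when HTTP_REQUEST {
    set path [string tolower [HTTP::path]]
    if { !(($path equals "/user") || ($path starts_with "/user/")) } {
        # Not the protected area: send the client back to the HTTP VIP
        HTTP::respond 301 Location "http://[HTTP::host][HTTP::uri]" Connection "close"
        return
    }
}

when HTTP_RESPONSE {
    # Every Set-Cookie coming back from the /user pool is the kind of session
    # token the replies warn about. Secure stops the browser sending it on the
    # port 80 VIP; HttpOnly keeps page script on the HTTP side from reading it.
    # Assumption: the HTTP part of the site does not rely on these cookies.
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
        HTTP::cookie httponly $name enable
    }
}
```

The Secure flag is what actually closes the gap between the two VIPs: without it, the first redirect from /user back to an HTTP page carries the session cookie in the clear, exactly as the replies describe. The trade-off is that any cookie the unencrypted part of the site needs (a pre-login cart, a language preference) will disappear on port 80 once it has been set over HTTPS, so check the application's cookie usage before deploying this, and prefer forcing the whole site to HTTPS if that turns out to be a problem.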