Forum Discussion
conditional ssl rewrite
Unfortunately not as simple as you'd have hoped, and the issue basically comes down to visibility and persistence.
While you could technically see the Host portion of a URL in the Server Name Indication (SNI) extension in an SSL handshake (client's ClientHello), the URI path is a layer 7 construct. You don't get to see that until you've terminated the SSL, so there's no way to disable SSL based on a URI path. The only real option you have is multiple virtual servers (one port 443 HTTPS and one port 80 HTTP) and a set of iRules that generate redirects back and forth based on URI patterns. For example, if someone lands on the HTTP VIP with a /user path, you could redirect them to the HTTPS VIP. If someone lands on the HTTPS VIP, you terminate the SSL, and then find that they're not asking for a /user path, you could redirect them to the HTTP VIP. In this case you always have to terminate the SSL first before you can make a routing decision.
This will definitely work, but I must also issue caution. If you're encrypting /user data because it's something worth protecting, understand that flipping back and forth between encrypted and not-encrypted data paths is dangerous. Depending on how the application is architected, you could very easily leak information from the encrypted side.
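The two-virtual-server redirect arrangement described in the reply above, sketched as a pair of iRules. This is an added example, not code from the original post. It assumes the protected prefix is `/user` as in the post and that both virtual servers answer for the same hostname; the cookie handling in the second rule is an assumption about one way data could leak across the boundary.

```tcl
# --- iRule 1: attach to the port 80 (HTTP) virtual server ---
when HTTP_REQUEST {
    # Anything under /user must travel over TLS, so bounce it to the HTTPS VIP.
    # Prefix match: this also catches paths such as /users, which only
    # over-encrypts and never under-encrypts.
    if { [string tolower [HTTP::path]] starts_with "/user" } {
        # Strip any :port from the Host header before building the new URL.
        HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
    }
}

# --- iRule 2: attach to the port 443 (HTTPS) virtual server ---
# Requires a client SSL profile on this virtual server: the path is only
# visible here because the handshake has already been terminated.
when HTTP_REQUEST {
    if { !([string tolower [HTTP::path]] starts_with "/user") } {
        # Not a protected path: send the client back to the HTTP VIP.
        HTTP::redirect "http://[getfield [HTTP::host] ":" 1][HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # Assumption: cookies set by the /user side are sensitive. Without the
    # Secure attribute the browser would also send them to the port 80 VIP
    # in cleartext after a redirect back to HTTP.
    foreach cookie_name [HTTP::cookie names] {
        HTTP::cookie secure $cookie_name enable
    }
}
```

Marking the cookies Secure means the HTTP side never sees them, so an application that expects the same session on both sides will need separate cookies for each.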