For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 09, 2015

It's more or less something like this (some tweaking may be required):

HTTP VIP:

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/user" } {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}

HTTPS VIP:

when HTTP_REQUEST {
    if { not ( [string tolower [HTTP::uri]] starts_with "/user" } {
        HTTP::redirect "http://[HTTP::host][HTTP::uri]"
    }
}

Of course again, if you establish a session with the user, by virtue of them logging on and you sending a cookie/token, that token will likely be visible to the unencrypted HTTP data flow.