Forum Discussion

carter91_13591's avatar
carter91_13591
Icon for Nimbostratus rankNimbostratus
Oct 26, 2010

Custom iRULE for Specific subsites (Wordpress)

We use our F5 Big IP for SSL offloading for our webserver, and life has been good with that. Works great.

 

 

We are starting to move to WordPress as our content management solution on our webserver and want to be able to offload the Wordpress Admin page for each site.

 

 

For those who don't know, with a wordpress install, each WordPress site has an admin page located at:

 

 

www.server.com/SUBSITE/wp-admin

 

 

However, Wordpress has it's own funky redirects going on in the background, so even if I type manually https://www.server.com/SUBSITE/wp-admin I still end up with http://www.server.com/SUBSITE/wp-admin in my browser, thus causing the username and password to be sent as clear text as sub-site admins login.

 

 

Is there an iRULE that I can create that will force these back to https just for anything that as /wp-admin at the end of the address?

 

 

It's a Windows 2003 server running IIS 6.0. If we turn SSL on inside of IIS for Wordpress, it just does a loop when you try to access the wp-admin sites.

 

 

I can provide HTTP header captures or anything else if you need more info.
  • Have you tried enabling rewriting of redirects on a custom HTTP profile?

     

     

    SOL6912: Configuring an HTTP profile to rewrite URLs so that redirects from an HTTP server specify the HTTPS protocol

     

    http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6912.html

     

     

    Else, if that doesn't work, I'd try looking for options to tell Wordpress that it's being proxied by an SSL offloading device. If such a config option exists on WP, it would then use HTTPS references to itself even though it's communicating with HTTP.

     

     

    Aaron
  • That would change it so that it redirects for all URLs for that particular virtual server it looks like. We only want to do it for the Wordpress admin sites. They don't have their own VIP.

     

     

    Pretty much for anything www.server.com/*/wp-admin

     

     

    I'll look around in Wordpress somemore, or maybe just put in a feature request with them for an updated version down the road.
  • Maybe something like this?

    
    when HTTP_RESPONSE {
    
        Check if server response is a redirect and contains the wp-admin pattern
       if { [HTTP::header is_redirect] and \
          [string match -nocase {*www.server.com/*/wp-admin*} [HTTP::header Location]]} {
    
           Log original and updated values
          log local0. "Original Location header value: [HTTP::header value Location],\
             updated: [string map -nocase "http:// https://" [HTTP::header value Location]]"
    
           Do the update, replacing http:// with https://
          HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
       }
    }
    

    Aaron
  • I haven't checked all of the sample request/responses, but it looks like the app is URL encoding the redirect location. You could add URI decoding to the iRule to handle this:

    
    when HTTP_RESPONSE {
    
        Check if server response is a redirect and contains the wp-admin pattern (with URI decoding of the Location header)
       if { [HTTP::header is_redirect] and \
          [string match -nocase {*www.server.com/*/wp-admin*} [URI::decode [HTTP::header Location]]]} {
    
           Log original and updated values
          log local0. "Original Location header value: [HTTP::header value Location],\
             updated: [string map -nocase "http:// https://" [HTTP::header value Location]]"
    
           Do the update, replacing http:// with https://
          HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]
       }
    }
    

    Aaron