Forum Discussion
Katherine_G_106
Nimbostratus
Nimbostratusexamining the "http://" portion of a url
Hi!
I need help to learn how to examine the "http://" or "https://" part of a url in an http_request. I know it's not [HTTP::host] or [HTTP::uri]. Surely there must be a method for doing this?
thanks!
Katherine
hoolioCirrostratus
Hi Katherine,
If you check the actual HTTP headers the browser sends on normal HTTP or HTTPS requests, the protocol of http:// or https:// is not included anywhere. The protocol of HTTP or HTTPS in links tells the browser how to open the connection and whether to use SSL or not. The main exception to this that I've seen is when clients connect to a web proxy and include use an absolute URL in the request line:
GET http://www.google.com/search HTTP/1.1
Can you elaborate on what you're trying to do?
You might be able to use the destination TCP port (retrieved using TCP::local_port in a clientside event like CLIENT_ACCEPTED or HTTP_REQUEST. Or you could check if there is a client SSL profile enabled on the virtual server using [PROFILE::exists clientssl]==1. I've read on the forums that using PROFILE:: commands has a higher overhead than checking the TCP port.
Aaron
Katherine_G_106Sure. I have a number of virtual servers that run on non-standard ports.
For example, http://myserver.com:81. I have configured an SSL profile that allows non-encrypted connections so a user can connect using either http://myserver.com:81 OR https://myserver.com:81.
Now I need to enforce a redirect from HTTP to HTTPS. The only thing that is different about the url is the presence or absense of the "S".
Maybe there is another way to do this... is there another way to test for encrypted vs non-encrypted?
thanks!
Katherine- JRahm
Admin
Yes, check this thread out:
http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1258 Click here
You may just want to set a yea/nay variable instead of disabling ssl, but this should get you pointed in the right direction
HTH....Jason - You can use the "SSL::cipher version" command, which will return "None" if there is no SSL encryption.
- JRahmah, very nice indeed.
Thomas_SchaeferOn v9, you cannot use the SSL::cipher command unless the profile is sent to clientssl or serverssl (At least I could not when I tried just that). How would this work to tell you the value if it always had to have that. Are you suggesting that all the virts (SSL and nonSSL) should have clientssl set?
I find the port method works except that nothing stops someone from doing http://www.yoursite.com:443 to get around that.
Tom- hoolioHi Tom,
Katherine had said that she was using a client SSL profile which was configured to allow non-SSL requests (which I'd question, but...). The client SSL profile would be enabled (though not always used for decryption) and SSL::cipher could be used.
I don't think it would be a good idea to add a client SSL profile unless the VIP is going to be used for SSL decryption. And in general, I don't like the idea of allowing non-SSL traffic to an SSL enabled VIP.
Aaron - hoolioActually, there is a runtime TCL error when no cipher is used when trying to get the value for SSL::cipher version:
Force SSL on one port
http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1170929&view=topic
I added a codeshare example based on this which seemed to work:
http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html
Aaron
