Forum Discussion

Gerardo_Garcia_'s avatar
Gerardo_Garcia_
Icon for Nimbostratus rankNimbostratus
Jul 09, 2008

Excluding some urls for the STREAM conversion

I have the following iRule that converts http to https for external users only as defined on the internal_net     However, when the page contains calls to google.com, amazon.com, ebay.com i...
application delivery
dev
devops
iRules
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Jul 28, 2008
Thinking about this again, I'm guessing the reason you were seeing strings being matched which were much longer than a single domain was the regex you were testing with was wrong.

Here is an example that should work to allow you to check all http://*.example.com strings but rewrote only those you want to. 

    
    when RULE_INIT {    
        
        List of *.example.com subdomains that should not be rewritten (in lowercase)    
       set ::subddomains_to_preserve [    
          "keep1.example.com" \    
          "keep2.example.com" \    
          "keep3.example.com" \    
       ]    
    }    
    when HTTP_RESPONSE {      
        
        Disable the stream filter by default      
       STREAM::disable      
        
        Check if response type is text     
       if {[HTTP::header value Content-Type] contains "text"}{      
        
          log local0. "[IP::client_addr]:[TCP::client_port]: Setting stream expression, enabling filter"       
           Replace any http:// instance with https:// only if the original string is http://*example.com:      
          STREAM::expression {@http://.*?example\.com@}     
        
           Enable the stream filter for this response only      
          STREAM::enable     
       }     
    }       
    when STREAM_MATCHED {    
        
        Check if the current string matched by the stream filter is part of the list of subdomains to preserve.    
       if {[matchclass [string tolower [STREAM::match]] equals $::subddomains_to_preserve]}{    
          log local0. "[IP::client_addr]:[TCP::local_port]: found [STREAM::match], but did not modify it."      
       } else [    
          log local0. "[IP::client_addr]:[TCP::local_port]: found [STREAM::match], replaced with: [string map {http:// HTTPS://} [STREAM::match]]"      
          STREAM::replace "[string map {http:// https://} [STREAM::match]]"      
       }    
    }

You could also change the list in RULE_INIT from subdomains to preserve to those you want to rewrite to https. The list could also be replaced with a separate class.

Edit: you'll also want to use an HTTP profile with response chunking set to rechunk.

SOL6422: Using the Stream profile with HTTP traffic can prevent the client from displaying all of the data

https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6422.html

Aaron