F5 LTM HTTP-HTTPS Re-Direct Using iRules - Virtual Server Config Question
Hello
For the following scenario, please can you provide best recommendations?
A Virtual-Server is UP, all working with a front-end listener on TCP443 (HTTPS) and serving to back-end Pool-Members (HTTP web application) on a different TCP port from 443/80 running over SSL (SSL offload is being performed by the pool-members and not LTM) - No Server-Side or Client-Side SSL profile.
We want to introduce access on HTTP (TCP80), but ensure that the re-direction is taking place to force any client HTTP web requests to HTTPS... Therefore I would presume an iRule??? (Something like the below)
when HTTP_REQUEST {
    # Redirect to HTTPS on the same host (any :port suffix stripped) and the same URI
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Now my main question:
1) Do you apply this iRule to the existing Virtual-Server listening on TCP443?
2) Do you clone the Virtual-Server and its config, but set the front-end destination service-port (listener) on TCP80 (HTTP)? Then apply the iRule (performing HTTP->HTTPS re-direct) to this VIP?
2a) If option 2, do you still clone the back-end pool members etc? Or can the F5 intelligently see the listener and therefore perform as a re-direct only?
3) Any other better/alternate suggestions?
From the 201 TMOS studies I did, the study-guide says the processing order for a front-end Virtual-Server when inbound traffic is coming into the LTM is the following:
ip:port
ip:any
network:port
any:port
network:any
vlan:port
vlan:any
any:any
Before, I thought that you would need an extra VIP and would not be able to apply the iRule on the 443-VIP as it would drop traffic. However, from the above, would it process in top-down order and hit the ip:any anyway?
Many thanks!
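
An added example, not part of the original post: the redirect iRule above builds its Location header from the client-supplied Host header, so this variant only redirects for hostnames on an allow-list. It assumes a virtual server that receives cleartext HTTP and has an HTTP profile attached (HTTP_REQUEST does not fire without one); the hostnames are constructed placeholders.

```tcl
# Added example (not the poster's code): HTTP->HTTPS redirect with Host validation.
# Assumption: attached to a virtual server with an HTTP profile that receives
# cleartext HTTP requests.
when HTTP_REQUEST {
    # Host is client-supplied: normalise case and drop any :port suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Constructed allow-list; replace with the hostnames this site really serves.
    switch -- $host {
        "www.example.com" -
        "app.example.com" {
            # Known hostname: send the client to the same host and URI over HTTPS.
            HTTP::redirect "https://${host}[HTTP::uri]"
        }
        default {
            # Unknown or empty Host: do not reflect it into a Location header.
            # The raw Host value is deliberately left out of the log line.
            log local0. "HTTP->HTTPS redirect refused for client [IP::client_addr]"
            HTTP::respond 400 content "Bad Request" Connection close
        }
    }
}
```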