Forum Discussion
F5 ltm Tomcat port 8080 don't display non secure content
I configured my nodes with service port 8080, for Liferay (Tomcat). I created my virtual servers for ports 80 and 443. If I go to my Tomcat server on port 8080, the page is displayed correctly. If I go to the F5 on the virtual server, I get a message from the browser: the page has non-secure content, do you want to display the non-secure content ...
I don't understand why.
17 Replies
- Kevin_Stewart
Employee
If you access tomcat through the port 80 VIP only, do you get this message? If you're only getting this message when accessing through the port 443 VIP, it's very likely that some http:// references are getting through to the client. Ultimately you'll probably need ALL of the traffic to pass through the port 443 VIP (https://).
- Sim_111521
Nimbostratus
Yes, if I go to port 80 on the virtual server, no problems. If I go to port 8080 on Tomcat directly, no problems. Just when I go to the Virtual Server, port 8080.
- nitass
Employee
An HTTP analyzer tool may be useful to show the http:// references.
HttpFox
https://addons.mozilla.org/en-us/firefox/addon/httpfox/
- Kevin_Stewart
Employee
To add, what you want to look for is http:// references in the response payload (headers, images, javascript, css object references, etc.). The best way to do that is to run a client side capture program like Fiddler, HTTPWatch, and HTTPFox.
- Sim_111521
Nimbostratus
Nice tool. Just a question: when the F5 BIG-IP connects to the server, Apache or Tomcat, the service used is (Service Port). Service Monitor is just for monitoring. Because I configured my node with service port 8080 and my Virtual Servers with 80 and 443. When I go to port 8080, no SSL warning. When I go to the Virtual Server IP, F5 connects to port 8080. I have an SSL warning. It's strange, but I will test with other servers.
- Kevin_Stewart
Employee
Is it the warning that's telling you that you're trying to access non-secure content while in an HTTPS:// URL? Or are you talking about the warning you get when the browser doesn't trust the server's certificate?
If it's the former, you have to figure out what's in the headers and/or payload of the response data that still contains references to http:// URLs (vs. https://).
If it's the latter, you're always going to get an untrusted certificate warning if you try to access with an IP address. Aside from integrity checking, the browser also compares the requested URL to the subject name in the server's certificate. If they don't match, and they won't if you're using an IP address, you'll get the warning.
- Sim_111521
Nimbostratus
No, it's a warning because the browser detects non-secure content. It's the reason why I want to connect from F5 to port 8080. And I would like to connect to the Virtual Servers from my browser with port 80/443.
- Kevin_Stewart
Employee
Assuming you JUST have port 80 and 443 VIPs, and the port 8080 server is not externally accessible, if the page loads at all despite the warning, it means that all traffic is getting directed to port 80 (http://) or 443 (https://). You're most likely getting the warning because the browser is communicating over 443, but is being asked to fetch content over port 80. With a client side capture you should see this interaction. Look first for how the client accesses the page with an https:// URL, and then look at the content within the responses. You'll probably see references to the same URL, but http://. That's what you have to fix. Ultimately, you'll want ALL traffic for this application to go over port 443 to eliminate the warning message.
- Sim_111521
Nimbostratus
Yes, when I test the VIP on port 443 and look at the traffic in HTTPFox, I see a couple of images or .js files on http. If I modify the URL of the http image to https, it works. I'm testing an iRule to force all http content to use https. Now, I'm testing this iRule.
```tcl
when HTTP_REQUEST {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
}
```
- Kevin_Stewart
Employee
Redirecting the traffic is certainly one way to do this, but understand that for every one http:// request, the client will be forced to make two requests: one to the http:// URL, and then a second to the redirected https:// URL. For this reason I'm generally partial to simply rewriting the content references as they leave the F5. For that you'd apply a simple, empty STREAM profile to the VIP and an iRule like this:
```tcl
when HTTP_REQUEST {
    # disable STREAM processing for incoming data
    STREAM::disable

    # remove the Accept-Encoding header so that the server won't compress the response
    HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
    # check to see if this is a redirect
    if { [HTTP::header exists Location] } {
        # remap http:// to https:// in the Location header
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }

    # build a STREAM expression to replace http:// references in the response payload
    STREAM::expression {@http://@https://@}

    # enable the STREAM processor
    STREAM::enable
}
```

This should cover any http:// references in the response payload and redirect Location headers. Looking for just "http://" is a pretty coarse-grained filter, and could potentially affect other URLs unintentionally. I'd try this first to see if it works, and then get more specific in your expression as required.
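Added example, not part of the thread and not F5 code: a Python check run over a constructed response that lists the http:// subresources behind the browser warning and compares the coarse `http://` replacement with one scoped to the site's own host. The hostname `portal.example.com`, the sample markup and all function names are assumptions made for illustration.

```python
import re

SITE = "portal.example.com"  # assumed VIP hostname (constructed)
# Constructed response as seen through the port 443 VIP; not taken from the thread.
LOCATION = f"http://{SITE}/web/guest/home"
BODY = f'''<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script src="http://{SITE}/html/js/barebone.js"></script>
<link rel="stylesheet" href="/html/css/main.css">
</head>
<body>
<img src="http://{SITE}/image/logo.png">
<img src="https://{SITE}/image/banner.png">
<a href="http://partner.example.net/info">Partner</a>
</body></html>'''

# Tags whose src/href the browser fetches while rendering (mixed-content candidates).
FETCHED = re.compile(
    r'<(?:script|img|link|iframe)\b[^>]*?\b(?:src|href)="(http://[^"]+)"', re.I)
ANY_HTTP = re.compile(r'http://[^"\s<>]+')

def insecure_subresources(body):
    """http:// URLs the browser would load inside an https:// page."""
    return FETCHED.findall(body)

def coarse_rewrite(text):
    """Same effect as the stream expression @http://@https://@."""
    return text.replace("http://", "https://")

def scoped_rewrite(text, host):
    """Narrower variant: only rewrite references to the site's own host."""
    return text.replace(f"http://{host}/", f"https://{host}/")

def collateral(text, host):
    """Strings the coarse rewrite changes although they do not point at the site."""
    return [u for u in ANY_HTTP.findall(text) if not u.startswith(f"http://{host}/")]

if __name__ == "__main__":
    print("triggering the warning:", insecure_subresources(BODY))
    print("also hit by coarse rewrite:", collateral(BODY, SITE))
    print("left after scoped rewrite:", insecure_subresources(scoped_rewrite(BODY, SITE)))
    print("Location:", scoped_rewrite(LOCATION, SITE))
```

In this sample the coarse replacement also alters the XHTML namespace identifier and the outbound partner link, neither of which the browser fetches as a subresource; the host-scoped replacement clears the warning without touching them.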
