For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sim_111521's avatar
Sim_111521
Icon for Nimbostratus rankNimbostratus
Feb 05, 2014

F5 ltm Tomcat port 8080 don't display non secure content

I configured my nodes with service port 8080. For Liferay (Tomcat). I created my virtualservers for port 80 and 443. If i go to my tomcat server on port 8080, the page is displayed correct. If i go ...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 07, 2014

Redirecting the traffic is certainly one way to do this, but understand that for every one http:// request, the client will be forced to make two requests: one to the http:// URL, and then a second to the redirected https:// URL. For this reason I'm generally partial to simply rewriting the content references as they leave the F5. For that you'd apply a simple, empty STREAM profile to the VIP and an iRule like this:

when HTTP_REQUEST {
     disable STREAM processing for incoming data
    STREAM::disable

     remove the Accept-Encoding header so that the server won't compress the response
    HTTP::header remove Accept-Encoding
}
when HTTP_RESPONSE {
     check to see if this is a redirect
    if { [HTTP::header exists Location] } {
         remap http:// to https:// in the Location header
        HTTP::header replace Location [string map {"http://" "https://"} [HTTP::header Location]]
    }

     build a STREAM expression to replace http:// references in the response payload
    STREAM::expression {@http://@https://@}

     enable the STREAM processor
    STREAM::enable
}

This should cover any http:// references in the response payload and redirect Location headers. Looking for just "http://" is a pretty coarse-grained filter, and could potentially affect other URLs unintentionally. I'd try this first to see if it works, and then get more specific in your expression as required.