Forum Discussion
Glenn_Ruffus_10
Nimbostratus
NimbostratusForce "www." redirect if missing from HTTPS requests
I am looking for help in writing an iRule that will be used on an HTTPS virtual server. I would like the LTM to examine the HTTP request and if the URL does not include "www." then redirect the browser to come back to the same URL/URI as found in the original request, only with www. put on the front of the URL. I am doing this so that the requested URL will always match the URL on the digital certificate. I'd like the iRule to be generic so that it can be applied to any virtual server regarding any URL/URI.
Example:
If an HTTP(S) request comes in for fred.flintstone.com/pebbles/dino...
then redirect the browser to come back as: https://www.fred.flintstone.com/pebbles/dino...
If the HTTP(S) request comes in for www.fred.flintstone.com/pebbles/dino... then don't take any further action because the requested URL matches the URL on the digital certificate.
Thanks.
Glenn
- For this kind of a rule all you'd need is something like:
when HTTP_REQUEST { if { ! ( [HTTP::host] starts_with "www." ) } { HTTP::redirect "https://www.[HTTP::host][HTTP::uri]" } }
Keep in mind, though, that you'll have to have a Client SSL profile assigned to this Virtual, which will decrypt the data to allow TMoS to inspect it.
HTH,
Colin 
Glenn_Ruffus_10Thanks, Colin. I have not had the time (obviously) to learn about the iRules so I have no skill. Sorry if this question is a stupid one.
It looks to me like the iRule that you are suggesting reads along the lines of: when there is an HTTP request, look at it and if you *do* find www. then redirect back to www.[URL][URI]. I'm sorry if I'm wrong about this. Our certs use the www. and I am looking for an iRule that will leave things alone if the use comes in with the www. in the request but will redirect them to come back with the cert-matching www. if they don't have it in their request.
Would you please clarify?
Thanks much!
Glenn
hoolioCirrostratus
Hi Glenn,
The exclamation point in the condition check negates the test. So it's looking for host values not starting with "www.". If you want to make it more clear you could replace the ! with 'not':
if { not ( [HTTP::host] starts_with "www." ) } {
Aaron- Glenn_Ruffus_10Thanks, Aaron.
I now have this iRule in place on the HTTPS virtual server:
when HTTP_REQUEST {
if { not ( [HTTP::host] starts_with "www." ) } {
HTTP::redirect "https://www.[HTTP::host][HTTP::uri]"
}
}
The iRule works *once it is invoked* but it is invoked *after* the SSL handshake occurs. It is an HTTP_REQUEST iRule so the SSL session negotiation happens before the HTTP request is processed. Part of the SSL negotiation involves comparing the requested URL with the URL defined on the cert. So, the security alert comes up based on a mismatch between the requested URL (with no www.) and the URL on the cert (with the www.)
Is there a way to make the above iRule get invoked *before* the SSL negotiation? Doesn't seem like it but I thought that I would ask.
Thanks.
Glenn - Ahh, I was a little concerned this is the turn this thread would take. :-/
The short answer is: Unfortunately, no, there is no way that we can get the iRule to do host inspection before the SSL negotiation.
A slightly longer version: If you think about the data that you're trying to inspect when reading the HTTP host name, you're trying to access information that is inside the HTTP headers. Those headers are encrypted via SSL for security. So until you decrypt the transaction with the proper SSL negotiation, that data is unreadable.
This is a question we've been asked a lot, and is very much a chicken and egg scenario.
I wish I could be of more help.
Colin - Glenn_Ruffus_10-Very good, Colin. Thanks for the explanation and all of the help.
Glenn
