
Forum Discussion

vvskaladhar_488
Nimbostratus
Aug 26, 2015

Forcing https on http web pages.

Hello All,

 

Can someone let me know if we can force HTTPS through F5 for a VIP? Please find the requirement below.

 

We have one of the URL configured for both internal and external users.

 

For internal users it is working as expected, but for external users it is redirecting to after sign in. I tried modifying the HTTP profile by changing Redirect Rewrite to All. It worked for sign in, but after that, when I access anything inside it, it is redirecting to http://xxxx, and due to this we have an issue. Can someone suggest a solution for this? Maybe an iRule, so that I can go ahead and configure and test it.

 

thanks in advance.

 

3 Replies

  • So do you have separate HTTP and HTTPS VIPs? Or do internal users use the HTTPS VIP but can also access the HTTP URLs locally? Do these HTTP URLs match the external URL (just the HTTP:// is different) or are they pointing to internal resources?

     

  • We have HTTPS on the F5 VIP and have also configured HTTP redirection to HTTPS to the VIP.

     

    For internal users as well as external users it's all HTTPS. Somehow the page is redirecting to HTTP after sign-in.

     

  • Right, but that could actually be multiple things. The Redirect Rewrite option in the HTTP profile will catch 30x redirect responses from the server and replace http:// with But then you may also have to deal with:

     

    1. Internal URLs - the server may be responding with absolute URLs (ex. the VIP FQDN is https://www.example.com but the server is sending back references to

       

    2. Payload content - The Location header is usually the only HTTP response header that will have a URL, but the payload - the actual HTML content of the response - can have URLs anywhere. Every document object that an HTML page references will have a URL. That URL may be relative (ex. /images/my-cat.png) or absolute (ex. If the server is sending these URLs back through to the client, your internal clients may just be able to access these directly (around the BIG-IP), but external clients will not.

       

    The important thing here is to understand what's happening. There are a number of things you can do to rewrite response URLs, but you need to know what the problem is first. The best way to do that is with a client side HTTP capture utility like Fiddler or HTTPWatch. These tools will show you, from the browser's perspective, what the client is sending and how the server is responding. If you're actually getting internal URLs in the response payload, you'll see the browser attempting (and failing) to access these URLs.
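
The triage described in the last reply can be scripted over a saved capture. The following is an added example, not part of the original thread: it sorts the URLs in one raw HTTP response into the three cases the reply lists (an http:// Location header, payload links to the VIP over http://, and payload links to another host). The function name, the sample captures and the host app01.internal.example are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute URLs in href/src/action attributes of the HTML payload.
ATTR_URL = re.compile(r"""(?:href|src|action)\s*=\s*["'](https?://[^"']+)["']""", re.I)

def audit_response(raw, vip_host):
    """Classify the URLs in one captured HTTP response, as the browser sees it."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = {"status": int(status_line.split()[1]), "http_location": None,
                "http_to_vip": [], "other_host": []}
    # A 30x redirect that still points at http:// (what Redirect Rewrite targets).
    location = headers.get("location", "")
    if urlsplit(location).scheme == "http":
        findings["http_location"] = location
    for url in ATTR_URL.findall(body):
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != vip_host.lower():
            findings["other_host"].append(url)    # not the VIP FQDN
        elif parts.scheme == "http":
            findings["http_to_vip"].append(url)   # VIP FQDN, wrong scheme
    return findings

# Constructed sample captures (hypothetical responses, not taken from the thread).
SAMPLE_REDIRECT = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://www.example.com/home\r\n"
                   "Content-Length: 0\r\n\r\n")
SAMPLE_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               '<a href="/account">relative link</a>'
               '<img src="http://www.example.com/images/my-cat.png">'
               '<form action="http://app01.internal.example/login">'
               '<script src="https://www.example.com/app.js"></script>')

if __name__ == "__main__":
    for sample in (SAMPLE_REDIRECT, SAMPLE_PAGE):
        print(audit_response(sample, "www.example.com"))
```

An entry under `http_location` is the redirect case, while entries under `http_to_vip` or `other_host` mean the URLs are in the payload and need the payload-level handling the reply mentions.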