Forum Discussion
Bob_10976
Nimbostratus
Jul 11, 2011
Help with HTTP redirect in ALL directions
Hello all,
We have been using the standard HTTP redirect iRule (posted below) that comes with our LTM, ver 10.2.0, for some time now. However I'm being told now that this not only needs to be applied to incoming traffic, but internal traffic coming from the server as well. Basically I need the HTTP redirect iRule to work for all directions no matter where the request is coming from.
Currently we set up two VIPs, one http and the other https. The LTM acts as the SSL offload for a few Apps, the traffic on the backend to the server is done over http. We simply use the http redirect to https.
Should I simply apply this iRule to my https VIP as well or is there a better way to redirect internal traffic to use HTTPS?
when HTTP_REQUEST {
    if { [HTTP::host] equals "" } {
        reject
    }
}
Thanks,
Bob
12 Replies
- hoolio
Cirrostratus
Hi Bob,
If you want to redirect HTTP traffic to HTTPS you can use an iRule which redirects all requests to HTTPS:
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}
If you want to avoid cert mismatch errors based on hostname you could create an HTTP to HTTPS redirect rule which is specific to the virtual server and then hardcode the hostname:
when HTTP_REQUEST {
    HTTP::redirect "https://www.example.com[HTTP::uri]"
}
Aaron
- Colin_Walker_12
Historic F5 Account
So two things:
1.) The rule that you posted does not do any redirecting, it is blocking requests that have no hostname (which would be impressive, because a request with no hostname should never make it to your VIP to start with)
2.) What would you want to redirect things to from & to when dealing with requests from the internal network?
Colin
- Bob_10976
Nimbostratus
Sorry..posted the wrong iRule, here is the correct one..
when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
- Colin_Walker_12
Historic F5 Account
Okay, that makes more sense. :)
Now, what is it you want to do for requests bound from the internal network to the outside world? Do you really want to force all of those to HTTPS?
Colin
- Bob_10976
Nimbostratus
Ok..we found our issue, it actually turned out to be a jQuery file that was only affecting older browsers (IE7). Basically what was happening was that the end users were being prompted to display non secure content and my dev thought because the Content Location in the header referred back to the http address and not the https address that was the issue. However I pretty much ruled that out by applying the rule below. The Content Location in the header is optional so it doesn't adversely affect anything by removing it, but what I'd like to do is set up a rule that if the content header says http to be redirected to use https. Any thoughts on that?
when HTTP_RESPONSE {
    if { [HTTP::header exists "Content-Location"] } {
        HTTP::header remove "Content-Location"
    }
}
Thanks,
Bob
- Michael_Yates
Nimbostratus
You could use something like this (you might just be able to remove the "[HTTP::is_redirect] and " portion and test it to see if it fixes that issue):
when HTTP_RESPONSE {
    if { [HTTP::is_redirect] and [URI::protocol [HTTP::header "Location"]] eq "http" } {
        set path [findstr [HTTP::header "Location"] "//" 2]
        HTTP::header replace "Location" "https://$path"
    }
}
- Colin_Walker_12
Historic F5 Account
Ahh, so you don't actually want an outbound redirect, what you want is a header rewrite on the response. That makes more sense.
So all you'd need is something like:
when HTTP_RESPONSE {
    if { [HTTP::header exists "Content-Location"] } {
        HTTP::header replace "Content-Location" [string map {http://yourdomain https://yourdomain} [HTTP::header "Content-Location"]]
    }
}
This would change every occurrence of http://yourdomain in the Content-Location header to https://yourdomain.
Is that what you're looking for?
Colin
- Bob_10976
Nimbostratus
Thanks!!
Yes, both of your examples show basically what I'm looking to do. However I'm looking for it to be more generic, something that simply redirects any content-location header from http to https. The actual path will vary, for example domain.com/app1/images/1.jpg, domain2.com/app20/images/99.jpg, or domain2.com/app5/images/90.jpg, etc...
Bob
- Michael_Yates
Nimbostratus
Try the example I posted but edit the first line to this:
    if { [URI::protocol [HTTP::header "Location"]] eq "http" } {
That should only look for the protocol in the Header Location and change it to HTTPS for everything.
It should not care about the Host or URI values.
- Kevin_Davies_40
Nacreous
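when HTTP_RESPONSE {
    # Map "http://" rather than bare "http" so an existing "https://" value
    # is not turned into "httpss://" and "http" inside a path is left alone.
    catch {HTTP::header replace "Content-Location" [string map {http:// https://} [HTTP::header "Content-Location"]]}
}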
More generic version of Colin's solution above.
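The generic scheme rewrite asked for in this thread, as an added example that is not code from any of the posters: it touches only a leading "http://" in the Location and Content-Location response headers, so relative values, values already on https://, and any "http" later in the path or query string are left unchanged. It assumes the virtual server has an HTTP profile and that every absolute URL in these headers should be served over HTTPS.

```tcl
# Added example, not from the thread.
# Rewrites only the scheme prefix of Location and Content-Location.
when HTTP_RESPONSE {
    foreach name {Location Content-Location} {
        # Skip headers the server did not send.
        if { not [HTTP::header exists $name] } { continue }
        set value [HTTP::header value $name]
        # Glob match anchored at the start of the value, case-insensitive,
        # so "HTTP://host/..." is caught and "https://..." is not.
        if { [string match -nocase "http://*" $value] } {
            # "http://" is 7 characters; keep everything after it.
            HTTP::header replace $name "https://[string range $value 7 end]"
        }
    }
}
```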
