Forum Discussion

mslater905
Nov 19, 2019

Help with HTTPS_Rewrite iRule

Hi all,

I'm currently in a bit of a pickle developing an iRule solution to avoid HTTPS_Rewrite for certain URLs.

I currently have an LTM VS configured which has a profile that rewrites all redirects to HTTPS.

ltm profile http HTTPS_Rewrite {
  app-service none
  defaults-from http
  enforcement {
    unknown-method allow
  }
  redirect-rewrite all
}

For most of the redirects, I want the redirect response to be HTTPS, which is why this is applied. There are two instances, however, where I want the URL redirect to be HTTP.

For instance, for redirects to "www.one.com" & "www.two.com", we don't want the profile to rewrite it to HTTPS.

create ltm rule http-response-specific {
  when HTTP_RESPONSE {
    if { HTTP::header value Location contains onetwo-list }
    { ....... }

I think replacing the Location variable will be too much of a headache. Is it possible to identify the Location variable and then bypass the profile entirely for connections with these URLs?

Any help would be greatly appreciated!

3 Replies

  • You can remove the profile and use an iRule with an HTTP redirect for specific sites and HTTPS for others.

  • I'm not certain I've understood the question correctly.

    When I need to redirect all sites to HTTPS except a select few domains, I do like Vijay: create an iRule

    when HTTP_REQUEST {
        set vhost [string tolower [HTTP::host]]

        switch $vhost {
            "http-domain1.local" -
            "http-domain2.local" {
                # Now it uses the default settings of the VS, including any default pool you might have selected
            }
            default {
                # Send a redirect to https - 307 to tell the client that it needs to use the same method as when it sent the request to this port
                HTTP::respond 307 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            }
        }
    }

    If you have a lot of sites that need the exception, you might be better served with a data group. It will make the iRule shorter; however, every time you troubleshoot you'll have to look in an additional place.

  • I appreciate the feedback!

    I actually managed to write an iRule while keeping the profile attached. I was looking for some order of operations as to whether the profile or iRule was triggered first and it wound up being the profile.

    On the 'HTTP_Response', I just modified the 'Location' header to replace 'https' with 'http'.

    Cheers!
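
The approach described in the last reply, written out as an added example (not the poster's actual iRule). It assumes, as that reply reports, that the profile's redirect-rewrite has already been applied by the time HTTP_RESPONSE fires, and it uses the two host names from the question. The Location host is compared exactly rather than with `contains`, so any redirect that does not match keeps the HTTPS target set by the profile.

```tcl
# Added example: undo the profile's HTTPS rewrite for two specific redirect hosts.
# Assumption: the HTTPS_Rewrite profile stays attached to the virtual server.
when HTTP_RESPONSE {
    # Only 3xx responses that carry a Location header are of interest.
    if { !([HTTP::is_redirect] && [HTTP::header exists Location]) } {
        return
    }
    set loc [HTTP::header value Location]

    # Act only on absolute https:// targets; a relative redirect has no
    # scheme to change and is left alone.
    if { ![string match -nocase "https://*" $loc] } {
        return
    }

    # "https://" is 8 characters, so the remainder starts at index 8.
    set rest [string range $loc 8 end]

    # Extract the host: everything before the first "/", with any :port removed.
    set host [string tolower [getfield [getfield $rest "/" 1] ":" 1]]

    # Exact match on the host. A substring test would also match unrelated
    # names that merely contain one of these strings.
    switch -- $host {
        "www.one.com" -
        "www.two.com" {
            # Swap only the scheme; path, port and query string are untouched.
            HTTP::header replace Location "http://$rest"
        }
    }
}
```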