Forum Discussion

theizer_91634
Nov 26, 2008

http - https redirect but terminate ssl on node instead of f5

I have a requirement to load balance several sites and redirect from http to https. Only catch is, I need to have the ssl terminate on the web server node, not on the f5.

I assume this can be done with an irule but I am a newb to irules so I'm looking for a little help.

setup:

www.website.com --> F5 --> pool ( node1, node2, node3 - each has a wildcard ssl cert installed for website.com)

When clients hit http://www.website.com, I need the f5 to redirect (or rewrite?) to https://www.website.com and pass along to one of the nodes which will then do the ssl handshake.

Is this possible?

Thanks in advance.

3 Replies

  • hoolio
    You can configure one HTTP virtual server (VS) and one HTTPS VS. On the HTTP VS, add an iRule which redirects to HTTPS (Click here). On the HTTPS VS, don't add a client SSL profile and set it to use a pool of the web servers configured on port 443. You can use a FastL4 profile on the HTTPS VS (type: Performance (L4) - Click here) as you aren't doing any SSL decryption or parsing/modifying of the HTTP on this VS.

    Aaron
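The two-virtual-server layout described in the reply above, written out as a BIG-IP configuration sketch. This is an added example, not part of the original thread; the object names, the 203.0.113.10 and 192.0.2.x addresses, and the v11+ bigip.conf stanza syntax are assumptions.

```tcl
# Added example: names, addresses and v11+ bigip.conf syntax are assumptions.
# iRule for the port-80 virtual server only: every request gets a redirect.
ltm rule redirect_http_to_https {
    when HTTP_REQUEST {
        # Drop any ":80" from the Host header and keep the requested URI.
        # A fixed hostname can replace [HTTP::host] so the redirect never
        # echoes a client-supplied Host header.
        HTTP::respond 301 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
    }
}
# Pool members listen on 443 and hold the certificate and private key.
ltm pool pool_web_443 {
    members {
        node1:443 {
            address 192.0.2.11
        }
        node2:443 {
            address 192.0.2.12
        }
        node3:443 {
            address 192.0.2.13
        }
    }
    monitor https
}
# HTTP virtual server: HTTP profile plus the redirect iRule, no pool needed.
ltm virtual vs_web_http {
    destination 203.0.113.10:80
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
    }
    rules {
        redirect_http_to_https
    }
}
# HTTPS virtual server: Performance (L4) passthrough. No client SSL, server SSL
# or HTTP profile, so the TLS handshake completes on the node and HTTP_REQUEST
# / HTTP_RESPONSE events never fire here (the BIG-IP only sees ciphertext).
ltm virtual vs_web_https {
    destination 203.0.113.10:443
    ip-protocol tcp
    pool pool_web_443
    profiles {
        fastL4 { }
    }
}
```

Because the BIG-IP never decrypts traffic on the passthrough virtual server, anything that depends on reading HTTP (cookie persistence, header insertion, HTTP iRules) is unavailable there.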
  • Hi,

    I am new to F5. I have had a problem for several days putting in place an https virtual server terminating ssl at the end servers (https end to end).

    I have configured:

    - 1 virtual server listening: https://10.0.0.1:10095
    - 1 server pool with 2 nodes
    - 1 ssl client profile with certificate and key imported from end server
    - no ssl server profile

    When I run tests with the url: https://10.0.0.1:10095, I get the error below.

    It seems that the F5 is seeing an http request instead of https.

    ////////////////////////
    Bad Request

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    Hint: https://10.0.0.1:10095/
    //////////////////////

    I also created an irule redirecting http to https, but it is still not working.

    when HTTP_REQUEST {
        # If it's not an HTTPS connection, send a redirect
        if {not ($https)} {
            HTTP::redirect https://[HTTP::host]:10095
        }
    }

    when HTTP_RESPONSE {
        if {[HTTP::is_redirect]} {
            # Rewrite the Location header from http to https
            HTTP::header replace Location [string map -nocase {http:// https://} [HTTP::header value Location]]
        }
    }

    Thank you for your help.

    Maybe I missed something in my configuration or made a mistake.

  • hoolio
    Hi Menzo,

    See your other post for a response:

    http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/1174208/afv/topic/Default.aspx

    Aaron