Forum Discussion
HTTP after redirect, should be HTTPS
Hello all, here an iRule newbie.

The problem: Incoming is an HTTPS request. I have a certificate installed, and so transfer HTTP to the server(s) behind the LB. They ask again other servers to do some processing. As long as THOSE servers do an HTTP response, everything is fine and the customer doing HTTPS keeps seeing HTTPS on his screen. But when those servers reply via a REDIRECT, the customer loses the HTTPS and sees plain HTTP on his screen. The connection isn't safe anymore.

The question: How can I avoid/repair this? TIA!
9 Replies
- Kevin_Stewart
Employee
If it's as simple as http:// URLs bleeding through to the client from HTTP redirects, you can do something like this:

    # Location is a response header, so the rewrite runs in HTTP_RESPONSE
    when HTTP_RESPONSE {
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
        }
    }

That will replace any http:// in a redirect with https://.
- Huub_Dewachter1
Nimbostratus
Yes, perhaps that could work! But I'd like to check the response-header to see what I have to change to what. Local 0. doesn't seem to work in a HTTP_RESPONSE ... Any ideas? TIA,
Huub.
- nitass
Employee
Local 0. doesn't seem to work in a HTTP_RESPONSE.
what is not working?
- nitass
Employee
this is mine.
config

    root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
            log local0. "before \[HTTP::header Location\]=[HTTP::header Location]"
            if { [HTTP::header exists Location] } {
                HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
            }
            log local0. "after \[HTTP::header Location\]=[HTTP::header Location]"
        }
    }

/var/log/ltm

    [root@ve11a:Active:In Sync] config tail -f /var/log/ltm
    Feb 6 05:39:51 ve11a info tmm[13662]: Rule /Common/myrule : before [HTTP::header Location]=http://www.domain.com/somethingelse
    Feb 6 05:39:51 ve11a info tmm[13662]: Rule /Common/myrule : after [HTTP::header Location]=https://www.domain.com/somethingelse

- Huub_Dewachter1
Nimbostratus
I get strange results. This is my (test) iRule:

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "inkoopveerle.neck.nl" } {
            pool pl-dmz-cl20inkp
        } elseif { [string tolower [HTTP::host]] equals "proef.neck.nl" } {
            log local0. "before1 [HTTP::header Location]=[HTTP::header Location]"
            if { [HTTP::header exists Location] } {
                HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
                log local0. "after2 [HTTP::header Location]=[HTTP::header Location]"
            }
            pool pl-dmz-cl20inkp-proef
        } else {
            HTTP::respond 200 content {No such Application}
        }
    }
    when HTTP_RESPONSE {
        log local0. "before3 [HTTP::header Location]=[HTTP::header Location]"
        if { [HTTP::header exists Location] } {
            HTTP::header replace Location [string map -nocase {"http://" "https://"} [HTTP::header Location]]
            log local0. "after4 [HTTP::header Location]=[HTTP::header Location]"
        }
    }

And this is the logging:

    Rule–ir-dmz-cl20inkp_80 : before1 [HTTP:header Location]=
    Rule–ir-dmz-cl20inkp_80 : before3 [HTTP:header Location]=

So: no info ... :-(
- Ian_124377
Nimbostratus
Set up a port 80 vip, and add an http to https redirect irule:

    when HTTP_REQUEST {
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
- Huub_Dewachter1
Nimbostratus
Thanks! Going to try that.
- Arie
Altostratus
You could also do port translation (from 443 to 80); that way the client can continue to use SSL but you're using 80 behind the BIG-IP.
- Huub_Dewachter1
Nimbostratus
Thanks to everybody for all the suggestions. In our case, the HTTP::redirect worked best. Thanks again! Huub.
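
An added example, not code from any poster in this thread: the Location rewrite discussed above, narrowed so that only redirects pointing back at the host the client requested are changed to https://, while redirects to other hosts are logged and left alone. It assumes a virtual server that terminates TLS and sends plain HTTP to the pool; the variable names req_host, loc and loc_host are illustrative.

```tcl
# Added example (not from the thread). Assumption: this rule is attached
# to the HTTPS virtual server that offloads TLS in front of an HTTP pool.
when HTTP_REQUEST {
    # Save the requested host for the response event. Drop any ":port"
    # suffix and normalise case so it compares cleanly with URI::host.
    # (IPv6 literal hosts are not handled by this simple split.)
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}

when HTTP_RESPONSE {
    # Only 3xx responses carry a redirect target worth inspecting.
    if { ![HTTP::is_redirect] } { return }

    set loc [HTTP::header value Location]

    # Relative redirects and targets that are already https:// need no change.
    if { ![string match -nocase "http://*" $loc] } { return }

    set loc_host [string tolower [URI::host $loc]]

    if { $loc_host eq $req_host } {
        # Replace only the leading scheme ("http://" is 7 characters), so an
        # http:// that appears later in the path or query string is untouched.
        # A Location with an explicit :80 port is not corrected here.
        HTTP::header replace Location "https://[string range $loc 7 end]"
        log local0. "Location for $req_host rewritten to https"
    } else {
        # A redirect to another host may not serve HTTPS at all; leave it
        # as is and record it so it can be reviewed.
        log local0. "Location host $loc_host differs from $req_host, not rewritten"
    }
}
```

Unlike the blanket `string map`, this leaves the rest of the URL byte-for-byte intact, and the log lines in /var/log/ltm show which redirects still reach clients as plain HTTP.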