For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 05, 2014

I'm certain you're obfuscating the iRule for forum consumption, but your 301 redirect is going to an HTTP URL (not HTTPS). So assuming you mean "https://efd.phx.xyz..." then consider this:

when HTTP_REQUEST {
    if { [HTTP::host] equals "abc.xyz.dev" } {
        HTTP::respond 302 Location "https://efd.phx.xyz.dev/plm/emxLogin.jsp"
    }
}

So on first request to http://abc.xyz.dev, the user is redirected to https://efd.phx.xyz.dev/plm/emxLogin.jsp, and an HTML page is rendered. Inside that page are reference URLs to various other objects, perhaps JavaScript files, CSS, and images. Because you're not rewriting any of the content inside the HTML document, the URLs are probably something like this:

http://http://abc.xyz.dev/images/my_cat.png

So when the browser makes a request for http://http://abc.xyz.dev/images/my_cat.png, the first condition is triggered (Host header equals "abc.xyz.dev") and redirects the user to the emxLogin.jsp page behind the HTTPS VIP. Not what you want.

So let's try this:

when HTTP_REQUEST {
    if { [HTTP::host] equals "abc.xyz.dev" } {
        if { [HTTP::uri] equals "/" } {
            HTTP::respond 302 Location "https://efd.phx.xyz.dev/plm/emxLogin.jsp"
        } else {
            HTTP::respond 302 Location "https://efd.phx.xyz.dev[HTTP::uri]"
        }
    }
}

In this case, if the original URI is blank (or "/") redirect to the emxLogin.jsp page under the HTTPS URL. Otherwise, redirect to the HTTPS URL and maintain the request path. Example:

https://efd.phx.xyz.dev/images/my_cat.png

I would also make one more observation. If you're doing a simple HTTP-to-HTTPS redirect for an application that 1) is listening on HTTP behind the proxy, 2) doesn't know or understand that SSL is being offloaded somewhere else, and 3) is presenting "http://" resource links in the HTML content, then you could be losing some performance as the client must make at least TWO requests for each object: an HTTP request, receives a redirect, and then an HTTPS request. To solve this you could use a STREAM profile and iRule to rewrite all of the http:// references to https:// on the way to the client.