Forum Discussion

DaveC_53879's avatar
Icon for Nimbostratus rankNimbostratus
Feb 07, 2012

http redirect changes a post to a get




I'm using a standard http to https redirect but it is changing a post transcation to a get.



Here's my rule. How do I do I leave the Post intact and still enforce SSL?



when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] }



Thanks in advance.





9 Replies

  • spark_86682's avatar
    Historic F5 Account
    That's just the way that browsers typically react to redirect responses to their POST requests. I don't think there's any way around it. This question has come up several times before; try searching the forum.
  • HTTP POST redirect preserving POST data by Nat

  • Nitass,



    I got pulled into a couple of different projects. Thanks for the link. I don't see how to make this redirect. Am I missing something simple?



    Thanks, Dave
  • I don't see how to make this redirect. Am I missing something simple? it is done by javascript in response content.
  • did you see javascript in the first response from bigip?



    by the way, have you used http analyzer tool?




  • So the only way to fix this is to remove my redirect iRule "when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] }" and add that big scary iRule that Nitass posted a link to? There is no tcp or http profile setting I can turn on or off?
  • There is no TCP or HTTP profile setting. This isn't an issue with the F5 it's an issue with how browsers respond to redirects. Can you not modify the webpage or application logic that's causing the POST using HTTP to use HTTPS, ultimately that is the root cause of the issue.


  • Arie's avatar
    Icon for Altostratus rankAltostratus

    I don't know the details of your situation, but it would seem that redirecting a POST to from HTTP to HTTPS would defeat the purpose of using SSL in the first place. If the user has already submitted the data (POST) it's already travelled out in the open (over port 80) and the data should be considered compromised.


    If it is not possible to fix the page you could change the HTML as it travels through the LTM and swap out the URL on the page so the POST uses the secure protocol.