Forum Discussion
NimbostratusHTTP Redirection from Web Server breaks SSL Termination
I have VS on port 443 , it has SSL profile to do SSL termination & forward to pool ( on port 80 ) .
so communication between user & F5 is HTTPS , between F5 & Web Server is HTTP .
most URLs is working fine , but for some url i can see that when i click on it i get " page cannot be displayed " & that the browser used HTTP not HTTPS .
i checked web server code & found statements redirecting to HTTP for these URLs , like the below :
getURLHome: function() {
return "http://erod.siucex.com/web/signin";
So , form above it redirects users to HTTP , which breaks HTTPS Termination .
shall i ask webserver admin to cahnge that to "https" , but he should only understand HTTP not HTTPS ???
i was expecting that BIGPIP will change it automatically to HTTPS before forwarding to nuser
5 Replies
What_Lies_Bene1Cirrostratus
Can you confirm that the user gets a redirect (a HTTP 301 or 302)? If so you can modify the HTTP Profile assigned to the VS and enable Redirect Rewrite and the F5 will indeed rewrite the response to HTTPS, but only for HTTP redirects.
If not you have four options;
1) Change the application code to https://
2) Make the links relative not absolute (change the app code again)
3) Use a stream profile to have the F5 rewrite all http:// links in server responses (including in payload)
4) Configure a port 80 VS that will redirect any http:// requests to https://Sorry Nathan ;-)
natheCirrocumulus
Doh! Just about to press Submit and get emailed saying I've been pipped by What Lies Beneath....
Was gonna suggest a Stream Profile too.
Couple of good articles on this here:
http://www.thef5guy.com/blog/2011/09/having-fun-with-stream-profiles/
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/101/LTM-stream-profile-Multiple-replacements-regular-expressions.aspx
N
hoolioAs WLB said, the first two options are the simplest from an LTM perspective.
Here's an example for rewriting the response headers and payload as listed in 3):
https://devcentral.f5.com/wiki/iRules.HTTPS-offload-rewriting.ashx
Option 4) won't work well if the app requests the client make a POST request via HTTP on port 80. Any of the first three options should work well though.
Aaron- SSHSSH_97332Thanks Alot alll . we did 2 & 4 . both worked
- What_Lies_Bene1Wonderful. You're welcome.
