For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

HS_34947's avatar
HS_34947
Icon for Nimbostratus rankNimbostratus
Feb 20, 2011

HTTP to HTTPS and back HTTPS to HTTP

Hello Guys,

 

 

I am new in iRules so sorry for bothering you with questions.

 

 

My example :- HTTP server (1)<-- -->F5 <-- --> HTTPS server (2)

 

 

The F5 when it gets the HTTP RESPONSE from server (1) it should convert it to HTTPS so server (2) can analyze by the iRule

 

 

when HTTP_REQUEST {

 

HTTP::redirect https://[HTTP::host][HTTP::uri]

 

}

 

 

My PROBLEM When the F5 gets the RESPONSE from server (2) as HTTPS, it should convert it back to HTTP so server (1) can analyze

 

How can we do this step? And should we separate these 2 steps in different iRule or in one iRule?

 

 

Thanks ,

 

H.S
application delivery
dev
devops
iRules

7 Replies

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Feb 20, 2011
    So I understand your flow, HTTP Server 1 is basically the client making the request and does so over HTTP. The F5 should encrypt that traffic and send it over HTTPS to server 2? Then, when server 2 responds, the F5 should decrypt the traffic and send it over HTTP to Server 1?
  • HS_34947's avatar
    HS_34947
    Icon for Nimbostratus rankNimbostratus
    Feb 20, 2011
    Yes, exactly ..

     

     

    Server 1 sends the http request like this for ex --> http://10.10.10.10:9080/index.jsp, the ip 10.10.10.10 is a virtual IP of a Pool which has more than 2 nodes

     

     

    F5 should send this http request to any of these 2 nodes, and when it gets any response from them it decrypt the traffic and send it over HTTP to Server 1.

     

     

    Could you help please ?
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Feb 20, 2011
    Are you currently using any sort of SSL profile on your Virtual Server? A ServerSSL profile? If not, try using the default one.
  • HS_34947's avatar
    HS_34947
    Icon for Nimbostratus rankNimbostratus
    Feb 21, 2011
    I am using a HTTP profile for other tools, and if i used the default one, how this can help?
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Feb 21, 2011
    Posted By HS on 02/21/2011 12:53 AM

     

    I am using a HTTP profile for other tools, and if i used the default one, how this can help?

     

    The HTTP Profile is separate from the SSL Profiles.

     

     

    If using a Standard Virtual Server, you have the following profiles:

     

     

     

    Protocol Profile (Client)

     

    Protocol Profile (Server)

     

    OneConnect

     

    HTTP

     

    FTP

     

    Stream

     

    XML

     

    SSL (Client)

     

    SSL (Server)

     

     

     

    Not all are required. In this case, I'd like you to change your "SSL Profile (Server) from "None" to "serverssl." That should hopefully encrypt/decrypt the traffic.

     

  • HS_34947's avatar
    HS_34947
    Icon for Nimbostratus rankNimbostratus
    Feb 21, 2011
    but this should encrypt http to https and decrypt https back to http?

     

     

    I will Try it ... :)
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Feb 21, 2011
    Posted By HS on 02/21/2011 06:23 AM

     

    but this should encrypt http to https and decrypt https back to http?

     

     

    I will Try it ... :)

     

    ClientSSL profiles are used to encrypt/decrypt between Clients and LTM. ServerSSL profiles are used to encrypt/decrypt between LTM and Pool members. In this case, as we're only interested in encrypting the traffic between LTM and the pool members, a ServerSSL profile will hopefully do the job so long as the pool members are listening on the proper ports and have certs installed.