For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RobS's avatar
RobS
Icon for Altostratus rankAltostratus
Jan 22, 2014

HTTP to HTTPS policy injecting "/Location: https:///" into URL and breaking application

We have an application I'm load balancing with my LTMs that I was initially told would just need basic load balancing and http to https redirection. Now I find out they are running it out of Citrix s...
application delivery
citrix
design
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jan 22, 2014

Well, let's back up and talk about how this should work.

  1. With the HTTP-HTTPS iRule applied to the HTTP VIP, a user might navigate to:

    http://myapp.domain.com/ibex1h.ibx?acctnum=9248789&medrec=T01275160&cibex=&pid=&ssn=Server

    which hits the HTTP VIP, which issues an immediate redirect to:

    https://myapp.domain.com/ibex1h.ibx?acctnum=9248789&medrec=T01275160&cibex=&pid=&ssn=Server

  2. That redirect sends the user to the HTTPS VIP, where the application request is served.

The really weird thing is the "Location:%20https://" string in the URI, which is what you would normally find in the header of a redirect. Example:

HTTP/1.0 302 Found
Location: https://something...
...

So I'd suspect something is either intercepting/mangling the HTTP-HTTPS redirect, or this is coming from the application. So let me ask this. From a sequence perspective, when does the client try to make this goofy request, given the following flow: