For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

RobS's avatar
RobS
Icon for Altostratus rankAltostratus
Jan 22, 2014

HTTP to HTTPS policy injecting "/Location: https:///" into URL and breaking application

We have an application I'm load balancing with my LTMs that I was initially told would just need basic load balancing and http to https redirection. Now I find out they are running it out of Citrix s...
application delivery
citrix
design
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jan 24, 2014

That might just work. Going back to the original HTTP-HTTPS redirect code, when the URI looked like this:

 

/Location:%20https:///ibex1h.ibx?acctnum=9248789&medrec=T01275160&cibex=&pid=&ssn=Server:%20BigIPConnection:%20closeContent-Length:%200

You could do something like this in your HTTPS VIP:

 

when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/Location:" } {
        HTTP::uri [findstr [HTTP::uri] "///" 2]
    }
}

This will extract all of the URI string after the "///", but leave one "/" behind.