Forum Discussion
Ashley_Penney_5
Nimbostratus
NimbostratusHTTP to HTTPS redirect when 401 received.
Hi,
We have a very... awkward.. web environment here at work, and I'm hoping that I can get some help here to achieve something. We currently do all the SSL handling on the BigIP, and we're having a problem ensuring that pages with passwords always redirect to https before the client has the chance to pass in their password.
For reasons that are very very complicated, I can't easily do a rewriterule in apache to handle this, and my latest brainwave is that maybe we could write an iRule to do this. I don't even have an account on the BigIP, so I was hoping I could turn to you guys to see if my idea is fundamentally sound. Based on examples I saw scattered around the forums, I pieced together something like this:
when HTTP_RESPONSE {
Check if the server response is a 401
if {[HTTP::status] == 401}{
HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
}
Would I be able to put something like that in place to ensure we never pass passwords unencrypted?
Ashley_Penney_5I spoke to someone else who suggested this:
when HTTP_REQUEST {
set host [HTTP::host]
set uri [HTTP::uri]
}
when HTTP_RESPONSE {
if [ [ HTTP::status ] == "401" ] {
HTTP::redirect "https://$host/$uri"
}
}
Sadly this broke the entire site when I tried putting it in place, but may be a step in the right direction.
hoolioCirrostratus
It's a good suggestion to explicitly save the values of HTTP::host and HTTP::uri from the request as they aren't saved by default through to the HTTP_RESPONSE event.
The syntax is slightly off though:when HTTP_REQUEST { set host [HTTP::host] set uri [HTTP::uri] } when HTTP_RESPONSE { if {[HTTP::status] == 401]}{ HTTP::redirect "https://$host/$uri" } }
I assume you have an HTTP VIP and an HTTPS VIP and that you're applying this rule to only the HTTP VIP? If you don't have a test BIG-IP, you can create test VIPs on the production BIG-IP to check the iRule.
Aaron