For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kanghis_23583's avatar
Kanghis_23583
Icon for Nimbostratus rankNimbostratus
Feb 10, 2009

http to https redirect

This is a fairly common task: a shopping cart application requires us to secure the transaction. Without the big-ip in place, the flow redirects any request to http:/this.domain.com/this/directory t...
application delivery
dev
devops
iRules
AndrewO_4840's avatar
AndrewO_4840
Icon for Nimbostratus rankNimbostratus
Feb 12, 2009

Posted By dmkang on 02/10/2009 2:19 PM 

{  HTTP::redirect https://"this.domain/"[getfield [HTTP::uri] ? 2]}   
 }

If you're trying to protect the page submission (which is implied by mentioning the form parameters) then you're wasting your time here.

By the time this connection hits your Big/IP the user has already submitted the form via (insecure) HTTP. All you're doing is saying 'oh, you should have submitted that form via (secure) HTTPS, so try again'.

From the user's security standpoint they're already blown.

You really need to catch the page before the form is submitted and make sure that the form is submitted securely in the first place (potentially by having the write rewrite the leading page to make sure the form action points to the secure URL.