Forum Discussion
HTTP to HTTPS redirect
Hi, all
HTTPS works well, however when I applied HTTP to HTTPS iRule (see below) on 80_VIP the application began failing. The users could make a connection to HTTPS, but when they tried to log in, they received a generic error message “An error occurred in the secure channel operation.” Looking at the event log on the server, from the time that HTTPS was required, we began receiving crypt32 errors about being able to reach the authentication server to update the certificate.
Here is the redirect from HTTP to HTTPS iRule I used:
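when HTTP_REQUEST {
    # Send every request that reaches the port 80 virtual server to the same host and URI over HTTPS
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}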
thx
14 Replies
- Kevin_Stewart
Employee
Can you test by just accessing the HTTPS VIP, that is turn off the 80 VIP and access the site directly with https://. The iRule above should only be on the 80 VIP and redirect the user to the HTTPS VIP if they've accessed with http://. It could be that components of the application are still trying to talk on port 80 (embedded objects statically linked, internal redirects, etc.). Turning off the 80 VIP and accessing https:// directly should uncover the problem.
- KJ_50941
Nimbostratus
backend host are listening on port 80, so only from Client to F5 is 443 and from F5 to webserver are clear text.
- Kevin_Stewart
Employee
I understand that, but there may be elements of the application that are telling the client to communicate on port 80. It's not unusual for applications to send resource links and redirects with http:// in the URL, simply because it thinks it's an HTTP (vs. HTTPS) application. Turning off the port 80 VIP and accessing the https:// URL directly may uncover any potential application issues.
- KJ_50941
Nimbostratus
here is what app owner sent to me. "I can go to https: and it works. As long as http is still enabled, I can log in through https because my login script can connect to http. Once I am logged in, everything is fine with https. The problem is, once we enforce https, the users cannot log in because my login script fails to connect to https."
please let me know.
thx
- Arie
Altostratus
Posted By KJ on 01/30/2013 08:01 AM
backend host are listening on port 80, so only from Client to F5 is 443 and from F5 to webserver are clear text.
Depending on the nature of the application, this may run afoul of security requirements (e.g. PCI-DSS, NIST).
- Arie
Altostratus
Posted By KJ on 01/30/2013 08:27 AM
here is what app owner sent to me. "I can go to https: and it works. As long as http is still enabled, I can log in through https because my login script can connect to http. Once I am logged in, everything is fine with https. The problem is, once we enforce https, the users cannot log in because my login script fails to connect to https."
please let me know.
thx
Is the app owner referring to a server-side or client-side script? What does Fiddler show? If you have access to a Packet Trace Analyzer I'd look at the back-end as well.
- Kevin_Stewart
Employee
So if I'm understanding the app owner's statement, there's a login script that requires port 80, assuming through the BIG-IP. So your redirect iRule would probably break that. Ultimately, the client should only need to talk to the application via HTTPS, which includes the application, objects, redirects, and this login script.
- KJ_50941
Nimbostratus
beside security, I know this is on server/app site, what could be the issue?
- Kevin_Stewart
Employee
I would defer to Arie's recommendation. If you have the capability to do so, capture the traffic on the client side and see what the server is sending. You're looking for any object reference, redirect, or otherwise that has http:// in the URL (and that the client subsequently tries to contact). While not obvious, enabling the HTTP-to-HTTPS redirect iRule on the 80 VIP breaks the application in some way, which indicates that something is relying on that 80 VIP.
- KJ_50941
Nimbostratus
beside security, I know this is on server/app site, what could be the issue?
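
The client-side check suggested in the thread (look for redirects and object references that still carry http:// in the URL), as an added example that is not part of the original posts. The capture structure, host name and paths are constructed for illustration; in practice the same fields would come from a Fiddler or browser capture export.

```python
import re
from urllib.parse import urlsplit

# Attributes whose http:// value the browser will fetch or submit to.
ATTR_RE = re.compile(r'\b(src|href|action)\s*=\s*["\'](http://[^"\']+)["\']', re.I)

def find_cleartext_refs(exchanges, site_host):
    """Return (request_url, kind, target) for each http:// reference back to site_host."""
    findings = []
    for ex in exchanges:
        headers = {k.lower(): v for k, v in ex["headers"].items()}
        candidates = []
        # Server-issued redirect that sends the client back to port 80.
        loc = headers.get("location", "")
        if loc.lower().startswith("http://"):
            candidates.append(("redirect", loc))
        # Absolute http:// links, embedded objects and form targets in HTML bodies.
        if "html" in headers.get("content-type", "").lower():
            for attr, target in ATTR_RE.findall(ex["body"]):
                candidates.append((attr.lower(), target))
        # Only references to the application's own host depend on the 80 VIP.
        for kind, target in candidates:
            if urlsplit(target).hostname == site_host:
                findings.append((ex["url"], kind, target))
    return findings

# Constructed sample capture (hypothetical host and paths), not traffic from the thread.
SAMPLE = [
    {"url": "https://app.example.com/", "headers": {"Content-Type": "text/html"},
     "body": '<link href="/site.css">'
             '<form action="http://app.example.com/login.asp" method="post">'},
    {"url": "https://app.example.com/login.asp",
     "headers": {"Location": "http://app.example.com/home.asp"}, "body": ""},
    {"url": "https://app.example.com/home.asp", "headers": {"Content-Type": "text/html"},
     "body": '<img src="https://app.example.com/logo.png">'
             '<a href="http://other.example.net/">partner</a>'},
]

if __name__ == "__main__":
    for src, kind, target in find_cleartext_refs(SAMPLE, "app.example.com"):
        print(f"{src}: {kind} -> {target}")
```

Each finding is a place where the application itself sends the client to the port 80 virtual server, so it is what has to be changed on the application side before the redirect can be enforced.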