hi all, so we have an application that requires connecting to a specific URL, but this application only supports "http". we happen to have an "https" URL that this application needs to connect to, so I though of creating a VIP that listens on port 80, and then plugged the URL as a pool member on port 443. this seems to get the initial connection to work, but then the URL sends a redirection to the client, and Yes it is "https" so when the client attempts to connect to the VIP on 443, of course it fails. so I was wondering if there's a way to resolve this problem using an iRule. anyone can help with this :) Thanks

For your 443 virtual server, you can apply a client SSL profile and terminate the SSL at the BIG-IP. Not applying a server SSL profile will allow the BIG-IP to talk native HTTP to the server, so this should satisfy your requirement if I understand it correctly. Use the same pool for both of your virtual servers (80 and 443). Though why would the server be sending a redirect to HTTPS if it doesn't support SSL enabled connections?

I figured a picture is worth $5 so here it is. so the failure happens when the client receives an https URL and then it attempts step 4 and then it dies right there.

Okay, so the web server needs to talk SSL. So you need this: Virtual server on port 80, apply the irule _sys_https_redirect (this is a stock iRule included in all recent LTM code versions). This will redirect all HTTP to HTTPS. Virtual server on port 443. Apply an appropriate client SSL profile to handle the client side SSL. Pool with the server as a 443 member. Apply this to your 443 virtual server. That should be all you need.

I think you already have this, but ensure you also have a server SSL profile applied to your 443 virtual server.

there's only one VIP, which is the one that listens on 80 . I guess the main problem here is that the redirect comes back from the web server as https, so we'll need to somehow change this URL to http before sending it to the client.

http to https VIP | DevCentral

44 Replies

mj_almassud_136
Nimbostratus
May 13, 2014
could you please post the exact syntax for the command?
- Cory_50405
  Noctilucent
  May 14, 2014
  From tmsh, list ltm virtual virtualservername
Arie
Altostratus
May 13, 2014
Cory's iRule includes a check to see if the host value contains a string. However, the screen capture of the TCP stream shows no value for the host. Did you remove it from the image or is it indeed blank?
mj_almassud_136
Nimbostratus
May 13, 2014
I removed it to avoid violating company policies.

sorry, I should have mentioned that or replaced it with a text that says "Removed"
Arie
Altostratus
May 13, 2014
OK - makes sense. However, there doesn't seem to be a header "Content-Type" in the server response. The iRule requires it, though. Have you tried removing that check from the iRule?
mj_almassud_136
Nimbostratus
May 13, 2014
I speak through images to be precise:
Arie
Altostratus
May 13, 2014
Thanks - that is helpful.

However, it does appear that there is no HTTP Response Header "Content-Type" in the server response. This would keep the code in the if-statement from being triggered.

Cory_50405

Noctilucent

May 14, 2014

So let's modify the if statement to this and see if that makes a difference:

when HTTP_REQUEST {

    Save the requested host value
   set host [string tolower [HTTP::host]]


    Disable the stream filter by default
   STREAM::disable
}
when HTTP_RESPONSE {

    Check if response type is text and host isn't null
   if {$host ne ""}{

       Replace https://$host with http://$host
      STREAM::expression "@https://$host@http://$host@"

       Enable the stream filter for this response only
      STREAM::enable

}
}

mj_almassud_136
Nimbostratus
May 14, 2014
This seems promising and I think it'll work. I did some testing on it, but I can't do a full test right now, because I am out the rest of the week and I don't have access to all the information that I need to complete this test.

as of now, I am getting the login failed back from the server, which means that I am making all the way to the server and getting the response back as expected and it's all showing http on the browser address bar.
- Cory_50405
  Noctilucent
  May 14, 2014
  Good to hear.
mj_almassud_136
Nimbostratus
May 14, 2014
it worked beautifully.

Thank you so much for your help.

MJ
Vishu_Rao_12264
Nimbostratus
Oct 07, 2015
Hi MJ

I have the same requirement and followed suggestions made by Cory but it seems for me it did not work. Can you help me more on this?

Still my server redirecting to HTTPs not http.

-Vishu

Forum Discussion

http to https VIP

44 Replies

Recent Discussions

Mix NTLMv2 & Kerberos SSO in the same policy for different sub-URL

Nature's Leaf CBD Gummies Is Right For You See Here

Custom https health monitor

LTM - Pool members active standby failover

F5OS share APM VPN licence across tenant clusters

Related Content

HTTPS to HTTP

HTTP To HTTPS Redirect 301

Handling HTTP Requests on an HTTPS Virtual Server

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

Re: F5 XC Distributed Cloud HTTP Header manipulations and matching of the client ip/user HTTP header