Forum Discussion
http to https VIP
Hi all,
So we have an application that requires connecting to a specific URL, but this application only supports "http". We happen to have an "https" URL that this application needs to connect to, so I thought of creating a VIP that listens on port 80, and then plugged the URL in as a pool member on port 443.
This seems to get the initial connection to work, but then the URL sends a redirection to the client, and yes, it is "https", so when the client attempts to connect to the VIP on 443, of course it fails.
So I was wondering if there's a way to resolve this problem using an iRule.
Can anyone help with this? :)
Thanks
44 Replies
- Cory_50405
Noctilucent
For your 443 virtual server, you can apply a client SSL profile and terminate the SSL at the BIG-IP. Not applying a server SSL profile will allow the BIG-IP to talk native HTTP to the server, so this should satisfy your requirement if I understand it correctly.
Use the same pool for both of your virtual servers (80 and 443).
Though why would the server be sending a redirect to HTTPS if it doesn't support SSL enabled connections?
- mj_almassud_136
Nimbostratus
I figured a picture is worth $5 so here it is.
So the failure happens when the client receives an https URL; it then attempts step 4 and dies right there.
- Cory_50405
Noctilucent
Okay, so the web server needs to talk SSL. So you need this:
Virtual server on port 80, apply the irule _sys_https_redirect (this is a stock iRule included in all recent LTM code versions). This will redirect all HTTP to HTTPS.
Virtual server on port 443. Apply an appropriate client SSL profile to handle the client side SSL.
Pool with the server as a 443 member. Apply this to your 443 virtual server.
That should be all you need.
- Cory_50405
Noctilucent
I think you already have this, but ensure you also have a server SSL profile applied to your 443 virtual server.
- mj_almassud_136
Nimbostratus
There's only one VIP, which is the one that listens on 80.
I guess the main problem here is that the redirect comes back from the web server as https, so we'll need to somehow change this URL to http before sending it to the client.
- Cory_50405
Noctilucent
Your diagram shows the redirect from the server to the client coming back as HTTPS. It seems like your server wants to use SSL, so it's best to just redirect the client to HTTPS at the BIG-IP and maintain SSL between the BIG-IP and server. This way no redirection is needed from the server.
Just create a 443 virtual server as I mentioned above and apply the iRule to your 80 virtual server.
- mj_almassud_136
Nimbostratus
The client is not capable of connecting over SSL, which is the reason for creating the VIP over 80; that way it always stays connected to 80 while the F5 VIP is connected to 443 in the back-end.
I hope I am making sense :)
- Cory_50405
Noctilucent
Yes, I think I understand your situation now. So it sounds like you need something to rewrite the response from the server back to the client to change HTTPS to HTTP. Something like this:
https://devcentral.f5.com/questions/rewrite-http-to-https-for-httphost-only
This will require the assignment of a stream profile to your virtual server.
- mj_almassud_136
Nimbostratus
This is the iRule I got from the link:
    # Check if response type is text
    if {[HTTP::header value Content-Type] contains "text"}{
        # Replace http:// with https://
        STREAM::expression {@http://@https://@}
        # Enable the stream filter for this response only
        STREAM::enable
        if { [HTTP::is_redirect] } {
            HTTP::respond 302 Location [string map { http:// https:// } [HTTP::header Location]]
        }
    }
It seems as if it's doing the opposite of what I am trying to accomplish.
Is it?
- Cory_50405
Noctilucent
Yes, you'll want to swap http:// and https://
    # Check if response type is text
    if {[HTTP::header value Content-Type] contains "text"} {
        # Replace https:// with http://
        STREAM::expression {@https://@http://@}
        # Enable the stream filter for this response only
        STREAM::enable
        if { [HTTP::is_redirect] } {
            HTTP::respond 302 Location [string map { https:// http:// } [HTTP::header Location]]
        }
    }
- Cory_50405
Noctilucent
Entire iRule:
    when HTTP_REQUEST {
        # Save the requested host value
        set host [string tolower [HTTP::host]]
        # Disable the stream filter by default
        STREAM::disable
    }
    when HTTP_RESPONSE {
        # Check if response type is text and host isn't null
        if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{
            # Replace https://$host with http://$host
            STREAM::expression "@https://$host@http://$host@"
            # Enable the stream filter for this response only
            STREAM::enable
            if { [HTTP::is_redirect] } {
                HTTP::respond 302 Location [string map "https://$host http://$host" [HTTP::header Location]]
            }
        }
    }
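Added example, not part of the thread or of F5's own code: a variant of the iRule above that rewrites the Location header in place, so the server's original status code is kept and redirects are rewritten whatever the Content-Type. It also asks the server for uncompressed bodies so the stream filter can match. It assumes the virtual server has HTTP and stream profiles assigned and that the server's redirects use the same hostname the client requested.

```tcl
when HTTP_REQUEST {
    # Save the host the client asked for (assumed to match the host in
    # the server's redirects and links).
    set host [string tolower [HTTP::host]]
    # Request an uncompressed body: the stream filter cannot match
    # "https://" inside a gzip-encoded payload.
    HTTP::header remove "Accept-Encoding"
    # Stream filter stays off unless a response needs it.
    STREAM::disable
}

when HTTP_RESPONSE {
    # Reset per response so keep-alive connections do not inherit state.
    STREAM::disable
    if { $host eq "" } { return }

    # Rewrite the redirect target in place. The status code (301, 302,
    # 307, ...) and all other headers from the server are left untouched.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" \
            [string map -nocase [list "https://$host" "http://$host"] \
                [HTTP::header value "Location"]]
    }

    # Rewrite absolute links in text bodies only.
    if { [HTTP::header value "Content-Type"] contains "text" } {
        STREAM::expression "@https://$host@http://$host@"
        STREAM::enable
    }
}
```

The client-to-VIP leg of this setup is cleartext HTTP, so anything the back-end sends over TLS is exposed on that segment; scoping the port 80 virtual server to the legacy client's source addresses keeps that exposure limited to the one application that needs it.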