Forum Discussion
Franko_Ng_30513
Nimbostratus
Feb 28, 2009
http to https with POST Parameters impossible?
I have been searching for some time for whether it is possible to redirect http to https with POST parameters. It seems that we are out of luck, especially since we are still on 9.1.2. I notice that there are new commands like HTTP::retry and HTTP::request which are only available in 9.2. Some references say that the POST can be passed along, such as http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=27548. But I am not sure whether it is still valid for http to https redirection, especially as they are using HTTP::retry. Has anyone tried? BTW, has anyone worked out a way to do it before version 9.2?
Some also mentioned that it can be achieved with the STREAM command. Since I am very new to iRules, I would appreciate it if any expert here could illustrate with an example how this can be done. Thanks!
11 Replies
- AndyR_13000
Nimbostratus
Would this not work:
rule http_redirect_rule {
    when HTTP_REQUEST {
        HTTP::redirect https://[HTTP::host][HTTP::uri]
    }
}
I seem to believe this should work on your version.
- Franko_Ng_30513
Nimbostratus
No, it didn't. I tried it and checked: the POST data is lost. Here's what I tried:
1. Use the method you suggested and redirect to another Virtual server (B)
2. At B, write an iRule to check the HTTP method and get the parameter. But it shows a GET method.
Any other suggestions? Thanks anyway!
- hoolio
Cirrostratus
As you've found, redirecting a POST request triggers the client to make a GET request to the new Location. Any POST data is lost in the process. In terms of LTM configuration, it would probably be easiest to rewrite the response which generates the POST via HTTP so that the POST is made via HTTPS.
What are you trying to accomplish by redirecting the requests to HTTPS? Are you trying to prevent sensitive data from being sent in the clear? If so, the data is potentially already being sent by the time you're trying to redirect the client requests. In this case you would want to ideally try to prevent the HTTP request before it's made. If the response which generates the HTTP request is sent to the client through LTM, you could potentially rewrite it to reference the HTTPS VIP.
Or are you redirecting because the application is now answering only for HTTPS? If so, you could try to send the request to the server(s) without redirecting them. You might be able to do this by adding a server SSL profile to the VIP and selectively enabling it for requests which need to be sent to the server encrypted, or by using HTTP::retry in 9.2+, or by using the virtual command in 9.4+.
Aaron
- Franko_Ng_30513
Nimbostratus
it would probably be easiest to rewrite the response which generates the POST via HTTP
Yes, it is exactly what I am after. Would you please give me some hints and, if possible, an example of how to achieve this? Thanks a lot!
For http to https, there is no security concern. I just want to redirect to another server which runs on https.
- Franko_Ng_30513
Nimbostratus
Thanks for your reply! The redirect request is still in GET, right? Is it possible to make a redirect request a POST request instead of GET? I need this because I am redirecting this to a black-box application which only accepts POST requests.
- Nat_Thirasuttakorn
Employee
yes, redirect is still GET
but you can use an iRule to reply to that new GET request (use the HTTP::respond command) with a small web page that does an auto POST (by javascript)
this concept won't work if the new GET request does not go through BIG-IP
- Franko_Ng_30513
Nimbostratus
So can we come to a conclusion that there is no way to generate a POST request from BIG-IP?
- Nat_Thirasuttakorn
Employee
I am not sure how to answer this question.
check this
http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_mothod_conversion.html
- Franko_Ng_30513
Nimbostratus
Hi natty76, we are using 9.1.2 so we don't have the "retry" command. Which version are you on? Have you tested, with the method you mentioned, whether the request is "POST" or still a "GET"? Please also test the "retry" with another host which will simulate the case "HTTP::redirect". I am not sure whether it allows you to change the host or not when using "retry". Thx for the research!
- Nat_Thirasuttakorn
Employee
ummm....
you won't have virtual command either.
the url that I sent uses technique called virtual targeting virtual.
http://devcentral.f5.com/wiki/default.aspx/iRules/virtual.html
so forget about it
btw, back to your original question. there is no way to create redirect with POST (somebody correct me if I am wrong)
but as I mentioned, you can use redirect...then when the client sends a new GET to BIG-IP, this GET request does not need to be forwarded to the server. BIG-IP replies with a page that contains auto-POST javascript...(use HTTP::respond)
this technique is simple and has been used by another product - FirePass also.
if you are familiar with javascript, here is something like what I meant
something like..
onload=document.form.submit();
sorry if you are not familiar with javascript, I don't know of it much either.
you may do the same as me (google it)
PS: this won't work if new http request (after redirect) does not come to BIG-IP
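The auto-POST page described in the reply above, written out as an iRule; this is an added example, not code from the thread or from F5. It goes beyond the post by carrying the GET's query-string parameters into hidden form fields (HTML-escaped, because they are reflected into the page) and by posting to a fixed target. Assumptions: `app.example.com` is a placeholder for the HTTPS application, and HTTP::respond, HTTP::path, HTTP::query and URI::decode are available on the running version.

```tcl
# Added example, not from the thread. Attach to the virtual server that
# receives the browser's GET after the redirect.
when HTTP_REQUEST {
    # Leave non-GET requests alone; only the post-redirect GET is answered here.
    if { [HTTP::method] ne "GET" } { return }

    # Fixed target (placeholder host, an assumption). Do not build it from
    # [HTTP::host]: the Host header is client-controlled.
    set action "https://app.example.com[HTTP::path]"

    # HTML-escape everything that is reflected into the generated page.
    set esc [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;" "'" "&#39;"]

    # Carry each query-string parameter as a hidden form field.
    set fields ""
    foreach pair [split [HTTP::query] "&"] {
        if { $pair eq "" } { continue }
        set kv [split $pair "="]
        set name  [URI::decode [lindex $kv 0]]
        set value [URI::decode [join [lrange $kv 1 end] "="]]
        append fields "<input type=\"hidden\" name=\"[string map $esc $name]\""
        append fields " value=\"[string map $esc $value]\">"
    }

    # Page that submits itself on load, with a button if scripting is off.
    set page "<html><body onload=\"document.forms\[0\].submit();\">"
    append page "<form method=\"post\" action=\"[string map $esc $action]\">"
    append page $fields
    append page "<noscript><input type=\"submit\" value=\"Continue\"></noscript>"
    append page "</form></body></html>"

    # Answer from BIG-IP; this GET is never forwarded to a pool member.
    HTTP::respond 200 content $page "Content-Type" "text/html" "Cache-Control" "no-store"
}
```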
