VDaya_180260
Aug 05, 2015

http urls in content rewrite to https

Hi, I have multiple web servers that I'm load balancing using an iRule for pool selection based on the URL entered in the browser, and I'm offloading SSL to the F5. The first part (HTTP_REQUEST) looks fine to me, but the second part (HTTP_RESPONSE) only works for the URL entered. How can I do the same with HTTP_RESPONSE as I've done with HTTP_REQUEST - i.e. using the switch command --- or is there a better way to do this?

 

    when HTTP_REQUEST {
        switch [HTTP::host] {
            myurl.domain.com {
                pool POOLSELECTION1
                STREAM::disable
                HTTP::header remove "Accept-Encoding"
            }
            default {
                reject
            }
        }
    }

    when HTTP_RESPONSE {
        if {[HTTP::header value Content-Type] contains "text"} {
            STREAM::expression {@}
            STREAM::enable
        }
    }

 

6 Replies

  • Here's a slight variation of your code:

     

    when HTTP_REQUEST { 
        switch [HTTP::host] { 
            "myurl.domain.com" { 
                pool POOLSELECTION1 
                STREAM::disable 
                HTTP::header remove "Accept-Encoding" 
            } 
            default { 
                reject 
            } 
        } 
    }
    when HTTP_RESPONSE { 
        if { [HTTP::header Content-Type] contains "text" } { 
            STREAM::expression {@http://@https://@} 
            STREAM::enable 
        } 
    }
  • Hi Kevin

     

    I tried that as well but it didn't work... hence why I'm trying to use a switch statement.

     

  • My next question would then be where and how does it break?

     

    The HTTP request event simply allows requests to myurl.domain.com ONLY, and sends to a pool and disables the stream profile. Coincidentally, since you're not using any other pool commands, you're better off just assigning the pool to the VIP and not doing it in the iRule.

     

    The HTTP response is rewriting any instance of "http://" in the response payload with "https://". You may also experience http:// URLs in an HTTP redirect Location header. So really the best next step is to understand where and how the application/iRule is failing.
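
Added example, not part of the original thread or any poster's code: an iRule that combines the body rewrite discussed above with the redirect `Location` header case this reply mentions, and limits both to the site's own hostname so third-party `http://` strings in the payload are left alone. The host and pool names are the thread's; the variable `req_host` is an assumption, and the rule presumes a stream profile is assigned to the virtual server.

```tcl
# Added example (not from the thread). Host and pool names are the thread's;
# req_host is a hypothetical variable name used only in this sketch.
when HTTP_REQUEST {
    # Remember the requested host so the response event can scope its rewrites.
    set req_host [string tolower [HTTP::host]]
    # Stream filtering is only wanted on selected responses; keep it off by default.
    STREAM::disable
    switch -- $req_host {
        "myurl.domain.com" {
            pool POOLSELECTION1
            # Ask the server for an uncompressed body so the stream filter can match text.
            HTTP::header remove "Accept-Encoding"
        }
        default {
            reject
        }
    }
}

when HTTP_RESPONSE {
    # Redirects carry the URL in a header, which the stream filter never sees.
    if { [HTTP::is_redirect] && [HTTP::header exists "Location"] } {
        set loc [HTTP::header value "Location"]
        if { [string tolower $loc] starts_with "http://$req_host" } {
            # "http://" is 7 characters; keep everything after it.
            HTTP::header replace "Location" "https://[string range $loc 7 end]"
        }
    }
    # Rewrite only this site's own absolute links, and only in text bodies.
    if { [HTTP::header value "Content-Type"] contains "text" } {
        STREAM::expression "@http://$req_host@https://$req_host@"
        STREAM::enable
    }
}
```

Additional hostnames would each get their own `switch` arm and pool; the response logic stays the same because it keys off the host saved in the request.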

     

    Actually... the code you posted does actually work... turns out my browser was throwing cached data to me.

     

    Also, the reason I'm using the iRule is 'cos I'll be adding more pools to the iRule. That way I can use a single VIP for all (or most) SSL offloaded web applications/sites. Now just one more question if you please?... how can I add SSL Client profile selection into that equation?

     

  • You want to select a different client SSL profile for each request (as in multiple URLs pointing to the same VIP)?

     

    There are at least two rather easy ways to do this:

     

    1. A single client SSL profile with a wildcard or SAN (subjectAltName) server certificate.

       

    2. Server Name Indication (SNI) configured with multiple client SSL profiles.

       

      https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html?sr=47417750

       

    Ultimately you cannot change the client SSL profile in an HTTP event because by the time you get to HTTP (OSI layer 7), SSL decryption (OSI layer 5/6) has already happened. SNI comes with one caveat in that it isn't supported on older clients that don't support the TLS ServerName extension. This generally includes Windows XP and IE6 (and below).