HTTPS -- HTTP Insert Original Protocol

Question

Guys,&nbsp;
&nbsp;We have an HTTPS virtual server which decrypts (client SSL) and forwards to an internal app server pool and a corresponding HTTP virtual server which is used for unencrypted requests. I am looking to let the back-end app servers know if the client originally connected using SSL or not. I created a bit of a kludge iRule and applied it to the HTTPS VS as follows:&nbsp;
&nbsp;when HTTP_REQUEST { 
&nbsp;    HTTP::header insert Original-Protocol HTTPS
&nbsp;}&nbsp;
&nbsp;I am wondering if there is a more elegant way to do this or best practice? I searched the forums but did not find this issue (probably did not know what to search for).&nbsp;
&nbsp;Thanks,
&nbsp;Chris

colin_walker_12 · Answer

Your approach looks like a sound one to me. There isn't a bit to flip or anything that will tell the server that the original request was HTTPS. You'll need to insert it in the header or somewhere else that the server will know how to look for it.  A header is probably the most logical in this case.&nbsp;
&nbsp;Colin

chad_roberts_21 · Answer

I want to make sure I'm understanding correctly. You're wanting to insert that header only when the client connects to the HTTPS virtual from the very beginning, right? Not when the client starts with HTTP and either clicks a link or receives a redirect to HTTPS? If you use the iRule above, that header will be inserted with every HTTPS request. Please clarify...

chris_day_10331 · Answer

Yes, we just wanted the back end server to know that the client was connected securely and ultimately raise an error if Original-Protocol does not = HTTPS for certain transaction types.&nbsp;
&nbsp;Thanks for your help guys.&nbsp;
&nbsp;Chris

chad_roberts_21 · Answer

Cool... for the record, though, if all you want to do is insert a header, you don't technically need an iRule for it. You can create an HTTP profile that you'd apply only to your HTTPS virtuals, enable the "Header Insert" option, and use the text "Original-Protocol:HTTPS" (without the quotes) to accomplish the same thing. There's nothing wrong with using an iRule for it, but I figured I'd throw that in there.

chris_day_10331 · Answer

Thanks, actually that ends up being a good/simple solution! I've implemented it on a test site and it seems to be working great.&nbsp;
&nbsp;Thanks,
&nbsp;Chris

Forum Discussion

HTTPS --> HTTP Insert Original Protocol

Recent Discussions

How to Renew F5 Device Certificate

How to export a list of paired external service providers from APM?

BIG-IP Edge Endpoint Inspection Failure pre-VPN

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

Proxy Protocol v2 Initiator

F5 Distributed Cloud Origin Server Subset Rules

Proxy Protocol Initiator

BIG-IP BGP Routing Protocol Configuration And Use Cases

Proxy Protocol Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS