Forum Discussion

Misty_Spillers's avatar
Misty_Spillers
Icon for Nimbostratus rankNimbostratus
Sep 29, 2011

Https on a http site with stylesheets

Sorry I have searched and there seems like many similar questions but I can't find the one that fixes my issue. I'm far from an expert so sorry if this is newbie but I'm out of time to fix the issue ğŸ˜ž

The basics

I have a vender application that was originally setup in our DMZ on port 80. Through regulations we needed to bring it up to ssl on the front end. Easy enough. (i don't know if you really want me to describe this part but many of our sites run 80 on the back end and are just fine)

Well the site uses stylesheets that I guess generates http links (so people get the message "do you wish to display non secure content etc") and since http not not allowed it doesn't work

This is where I was not sure how to fix so if there is a better solution please let me know.

Anyway I found http://devcentral.f5.com/wiki/iRules.STREAM__disable.ashx which seemed to be what I wanted to do.

I cut and pasted (most of it, I had to add quotes or else this iRule broke the LB on version 9.4.4)


when HTTP_REQUEST {
   STREAM::disable
   HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
   if {[HTTP::header value Content-Type] contains "text"}{
      STREAM::expression "@http://@https://@"
      STREAM::enable
   }
}

I put in the default stream profile as it prompted me.

and poof it worked. Only worked too well that external links on the site are now https as well. I really only need requests directed at the site itself forced to https and I guess I don't really understand the wiki about how to do only some of the links.

Can you direct me in the correct direction?

Thanks so much

6 Replies

  • Hi Misty,

     

    There was a forumn thread that talk about you can exclude/include URLs that you want re-written.

     

     

    Here is the path to thread article.

     

     

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/1178923/showtab/groupforums/Default.aspx

     

     

    I hope this helps

     

     

    Bhattman
  • Thanks for the quick reply. I am so sorry but I may need it more spelled out than that. The first thing you link (http://devcentral.f5.com/Wiki/default.aspx/iRules/STREAM__expression) seems to bring me to a generic page. maybe if I have the examples there I could put something together.

     

     

    The example that hoolio quoted again sounds like what I need but does some really strange things to the website. (moves form input boxes around etc) and the site doesn't function right. I don't really understand this part

     

     

    Check if the matched string meets some condition that can't easily be checked for using a single regex in STREAM::expression

     

    if {[STREAM::match] starts_with "host1"}{

     

     

    and this part

     

     

    Match an http://*example.com string and replace it with nothing yet

     

    STREAM::expression {&http://.*?example\.com&&}

     

     

    I tried to add the vender site we host as best as possible but I really don't understand the significance of all the special characters, I'm assuming wildcards?

     

     

    The domain I need to match is longer than the example. like venderapp.co.county.state.us so maybe I did it wrong but I don't even know if this is what I should try to match.

     

     

    Just to restate, the 10 line code I quoted works perfectly for the vender app. It just has a few external links that I somehow need to not rewrite (in fact so few links I could match them if its easier, perfer not too incase they add more)

     

     

    I hope this all makes sense. Thanks in advance for any help sorry I have no programming skills :(
  • Hi Misty,

    One of the examples posted on the STREAM::expression Wiki page is probably what you are going to want to look into using:

     
    when HTTP_REQUEST {
     Disable the stream filter for all requests
    STREAM::disable
    }
    when HTTP_RESPONSE {
     Check if response type is text
    if {[HTTP::header value Content-Type] contains "text" } {
     Replace any http:// instance with https://, unless the original string is http://example.com
    STREAM::expression {@http:(?!//example\.com)@https://@}
    
     Enable the stream filter for this response only
    STREAM::enable
    }
    }
    

    The previous iRule will replace any http:// instance with https://, unless the original string is http://example.com.

    The special characters are Regular Expressions.

    () encapsulates the expression.

    ?! is a negative look ahead or don't replace this.

    // is part of the lookup.

    the \. is an escape character noting that the period is part of the literal compare.

    So if you add in your exception you should be good to go.

    There is a nice Regular Expression Cheat sheet here: http://www.addedbytes.com/download/regular-expressions-cheat-sheet-v2/pdf/

  • Hmmm that one just give me the whole "page can not be displayed"

     

     

    Any fundamental config I might need to change on the VIP or anything? The site still works when I pull this iRule out and put in the other one. I actually just copied it just like it is (with {@http:(?!//example\.com)@https://@}) Just to see if it would work at all.

     

     

    I didn't know this would be so tricky to do!lol

     

     

    Thanks for the info and thanks in advance for you help
  • @@ ok this seems to work.

    Could you please review and make sure I'm not getting into anything that might bite me. Remember I have to use quotes on my version 9.4.4 or I run into this problem http://support.f5.com/kb/en-us/solutions/public/7000/900/sol7988.html?sr=16791182 (I'm not sure if I'm doing it right but it seems to work but this is the line I changed "&http://*?venderapp\.co\.county\.state\.us&&")

    
    when HTTP_REQUEST {
       STREAM::disable
    }
    when HTTP_RESPONSE {  
       if {[HTTP::header value Content-Type] contains "text"}{  
          STREAM::expression "&http://*?venderapp\.co\.county\.state\.us&&"
          STREAM::enable  
       }  
    }   
    when STREAM_MATCHED {  
       if {[STREAM::match] starts_with "venderapp"}{
          STREAM::replace "[string map {http:// https://} [STREAM::match]]"
          log local0. "[IP::client_addr]:[TCP::local_port]: matched: [STREAM::match], replaced with: [string map {http:// https://} [STREAM::match]]"  
       }
    }
    
  • I apologize for the delay. After you reported back that it did not work properly I tried it myself and could not get it to work either (I'm not giving up on it, but there is always more than one way to solve a problem).

    I found the same example you posted and started to work with it. This is what i came up with that works.:

     
    when HTTP_REQUEST {
     Disable the stream filter for all requests
    STREAM::disable
    }
    when HTTP_RESPONSE {
     Check if response type is text
    if {[HTTP::header value Content-Type] contains "text" } {
     List the FQDN's that you do NOT want modified and the http:// that will cover everything else that you do.
    STREAM::expression {@http://example.com@@ @http://example2.com@@ @http://@@}
    
     Enable the stream filter for this response only
    STREAM::enable
    }
    }
    when STREAM_MATCHED {
     Take the matches from the STREAM::expression and handle them.
    if {[STREAM::match] contains "example.com" || [STREAM::match] contains "example2.com"} {
    log local0. "Stream Matched:  [STREAM::match]"
     Return and do not alter them.
    return
    }
    else {
    STREAM::replace "[string map {http:// https://} [STREAM::match]]"
     Everything not handled with get http:// replaced with https://
    log local0. "Stream Matched ELSE: [STREAM::match]"
    }
    }
    

    Hope this helps. If I find out why the original would not work then I'll post it here for everyone.