Forum Discussion

DaveC_21078's avatar
Icon for Altostratus rankAltostratus
Oct 13, 2010

https redirect without creating an http virtual server

I've always done an https redirect using an irule applied to an http virtual server that redirects to an https virtual server, which means 2 virtual servers for each site, of which I have many. Is there a good way to do this w/o creating 2 virtuals?

6 Replies

  • You need something listening on port 80 at a specific IP address that also can run an iRule. That pretty much limits you to either having a Virtual Server listening on all ports, or multiple Virtual Servers.



    Here's an iRule for the first option. This rule will reject traffic not destined for the ports you specify so it's still pretty secure.





    I'd consider the gains/benefits of using this rather than 2 separate Virtual Servers. You're trading performance for convenience. I'd also probably consider this the more complex option, primarily because you need to customize the iRule.
  • Thanks Chris. I'll look the rule over. I couldn't think of any other way to do it, and I didn't want to just open all ports and let everything through w/o some kind of control. This gives me an option.
  • FWIW, to Chris's last point, I'd absolutely go for two specific VIPs here - setup your port 80 vip with an HTTP class that redirects everything over to HTTPs (something like 'https://[HTTP::host][HTTP::uri]'). Here's why I say this:



    1) The iRule is doing a lot just to satisfy one simple requirement.


    2) It could potentially open you up more than you'd like to be. For example, a port scan against that VIP will force an iRule evaluation of every request, even if the ports don't match. This isn't ideal.


    3) With two explicitly defined virtual servers you'll have *much* more control over what specific types of behaviors you want to define.


    4) Ultimately, it's cleaner this way.



    There's a saying in the Python world that often lays nicely onto the BigIP when faced with design choices like this: "explicit is better than implicit".



    While it can be a bit of overhead to set up, once you do that port 80 VIP you'll be done and you won't have to deal with it again. Plus, it's very explicit, particularly if you name it explicitly - e.g., redirect_to_443 or similar.



  • I agree with Chris and Matt. It's simpler and more efficient to use two virtual servers rather than use an unnecessarily complex iRule on one virtual server. I should put a note on that Codeshare example that it's more for novelty than a best practice recommendation.



  • This will probably show significant ignorance but can't you just select the checkbox "Non-SSL Connections " (see advanced view) on the clientSSL profile you have configured and attached to the VIP listening for the HTTPS traffic. Of course if this cert is a starcert used by a bunch of VIPs it will add this ability to all VIPs so you may not want this.



    I haven't actually done because i only learned about it after I setup the very few instances we bother with this.



  • Hi David,



    Non-SSL connections on the virtual server would allow clients to send HTTP to the virtual server. Clients are sending HTTP encrypted in SSL. With an HTTP profile and no client SSL profile, LTM won't be able to parse the traffic. If you add a client SSL profile to the virtual server, LTM will then be able to decrypt the HTTPS and parse it as HTTP with the HTTP profile.