Forum Discussion
Mike_Rausch_628
Nimbostratus
NimbostratusHTTPS redirect
I currently use an Irule to resolve a URL when a user only type part of it. For example....they type http://www.gv.com/ and the bigip will direct them to http://www.gv.com/whatever/index.html.
I am trying to do the same thing for a HTTPS request but It will not work with the same type of rule because it want an HTTP profile associated with the virtual server. I cannot put an HTTP profile on a HTTPS virtual so how would I make this work?
Any suggestions??
THanks
Mike
hoolioCirrostratus
Hi Mike,
If you want to inspect or modify the HTTP content of an HTTPS request, you must decrypt it on the BIG-IP using a client SSL profile and add an HTTP profile.
The LTM config guide for your version on AskF5.com should have the steps for this detailed nicely.
After you decrypt the traffic and instruct BIG-IP to parse it as HTTP with an HTTP profile, you can use iRules or an HTTP class to issue redirects.
Aaron
Mike_Rausch_628I have not checked this in a bit but I have looked for something in the Config guide but could not find what I need. Could you elaborate more on what I need to do with the HTTP request. If I add an SSL profile to the VS I cannot connect to our application and if I add an HTTP profile to the VS I cannot connect to our application. The Irule needs an HTTP profile in order to work but I cannot do that. I would really appreciate any help.
Thanks
Mike- Mike_Rausch_628I have not checked this in a bit but I have looked for something in the Config guide but could not find what I need. Could you elaborate more on what I need to do with the HTTP request. If I add an SSL profile to the VS I cannot connect to our application and if I add an HTTP profile to the VS I cannot connect to our application. The Irule needs an HTTP profile in order to work but I cannot do that. I would really appreciate any help.
Thanks
Mike 
Nicolas_MenantEmployee
What you need to have is HTTP within the BIGIP so that you can update the data.
Or right now you only have HTTPS between the client and the server which makes it impossible for the bigip to modify the uri.
But if you add a clientSSL profile and a server SSL profile to the VS then you have the following
client <---SSL ---> BIGIP <--SSL--->server
But it will be two differents SSL transactions so in this case except if you import the SSL certificates from your web servers into the BIGIP, the client won't see the server's certificate.
But since you use those SSL profiles, it will be HTTP inside the BIGIP and you'll be able to assign a HTTP profile to your VS too
you should have a look at this configuration guide: Click here- Mike_Rausch_628We us an HTTPS VS but there are no profiles associated with it so all traffic passes through to the server where the certificate is located. I am not very familiar with the SSL side of things but I know that every time I place an SSL profile onto the VS I cannot connect to the application.
- Nicolas_MenantIf your servers work on port 443 you need to assign a client ssl profile AND a server ssl profile to your VS
If you just assign a client SSL profile then it will try to talk in HTTP with the servers. - Mike_Rausch_628I am sorry if I am leaving info out but like I said I am new to this.
We have the client authenticate at the server after they pass through the Bigip. No SSL profiles are present at this time. The actual server has the certificate on it and the decryption/encryption happens on the server side.
I understand that the Bigip cannot us an HTTP Irule because the information that passes through is encrypted. I tried to put an SSL Client and Server profile on the VS but could not connect to the application at all.
should the client ssl profile decrypt allowing the HTTP Irule to work and then encrypt again and send the request to the server along with the client cert??
If this is the case, how should the profiles be set up...should I have it ignore the client cert, do I need to have a cert on the bigip, or can I use the default cert on the bigip???
Thanks
Mike