Forum Discussion

AMa_3342
May 24, 2012

HTTPS to HTTP redirect before SSL Termination

Hello together,

Because I am not too experienced with F5 LTM and/or SSL communication, I have to ask a question.

Is it possible somehow to redirect an incoming SSL request right before SSL termination by using iRules on the F5 LTM?

I am asking this question because I do not have a cert for one domain on my side, so I only deliver HTTP content for it right now. But I would certainly like to answer incoming requests which might be SSL related, and not only by using a reject.

I looked around the examples but could not find a complete solution. Examples are "How To Avoid SSL Handshake When No Pool Member Available" or "HTTPS passthrough fallback URL" inside the iRules section.

In detail, I tried these rules.

>>>

rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if { [active_members [LB::server pool]] < 1 } {
            SSL::disable
            reject
        }
    }
}

reject certainly ends the communication directly.

Or

rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if { [active_members [LB::server pool]] < 1 } {
            SSL::enable
        }
    }
    when HTTP_REQUEST {
        HTTP::redirect "http://[getfield [HTTP::host] ":" 1 ][HTTP::uri]"
        TCP::close
    }
}

The client receives the default SSL cert, which does not cover the domain where I tried to use the rule.

Or

rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if { [active_members [LB::server pool]] < 1 } {
            HTTP::redirect "http://[getfield [HTTP::host] ":" 1 ][HTTP::uri]"
            TCP::close
        }
    }
}

I receive an error because HTTP::redirect cannot be used at CLIENT_ACCEPTED.

<<<

Hope there is a way and somebody could give me a hint.

Thanks so far.

AMa

  • The problem here is the client is expecting to talk SSL (https) but you cannot provide it. Nothing further will happen beyond that point. You won't get the chance to send a redirect because the communication will stop right there. You need an SSL certificate of some sort on the virtual server or the F5 will never see the request because it is encrypted. When you have installed one you can send the traffic to your non-SSL server on the backend directly (no server side certificate) or use a redirect to tell them to go there. There is no need to use an iRule for the redirect. Create an httpclass and redirect everything to http://[HTTP::host][HTTP::uri] then assign it to the SSL virtual.

    Regards

    Kevin

  • Hello Kevin,

    thank you for your quick response. I was not quite sure if it is possible to redirect an SSL communication before terminating it, but as you explained, it is not!

    Because I do not want to use an SSL cert which is not specified for the one domain, I will disable HTTPS completely for that virtual server.

    Thank you anyway. :-)

    Best regards

    AMa
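
Added example, not part of the original thread and not F5 code: a Python illustration of the point made in the answer above, that the first bytes arriving on an HTTPS listener are a TLS ClientHello rather than an HTTP request, so a plaintext redirect sent back is not readable by the client. The sample ClientHello, the host name example.test and all function names are constructed for this illustration.

```python
# Added illustration; sample bytes and host name are constructed.
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # ccs, alert, handshake, application_data
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}

# What a listener without a certificate might try to send back (constructed).
PLAINTEXT_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                      b"Location: http://example.test/\r\n\r\n")


def build_sample_client_hello() -> bytes:
    """Build a minimal, constructed TLS ClientHello record."""
    body = (b"\x03\x03" + bytes(32)      # client version + 32-byte random
            + b"\x00"                    # empty session id
            + b"\x00\x02\x00\x2f"        # cipher suite list with one entry
            + b"\x01\x00")               # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def looks_like_tls_record(data: bytes) -> bool:
    """True if data starts with a plausible TLS record header."""
    return len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP handshake."""
    if looks_like_tls_record(data) and data[0] == 22 \
            and len(data) > 5 and data[5] == 1:   # handshake type 1 = ClientHello
        return "tls-client-hello"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


def redirect_outcome(first_bytes: bytes) -> str:
    """What happens if the listener answers with PLAINTEXT_REDIRECT."""
    kind = classify_first_bytes(first_bytes)
    if kind == "plaintext-http":
        return "client follows redirect"
    if kind == "tls-client-hello" and not looks_like_tls_record(PLAINTEXT_REDIRECT):
        # The client parses the reply as a TLS record; 'H' (0x48) is not a
        # valid content type, so the handshake fails and no HTTP is read.
        return "client aborts handshake"
    return "undefined"


if __name__ == "__main__":
    print(redirect_outcome(build_sample_client_hello()))
    print(redirect_outcome(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
```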