HTTPS to HTTP redirect before SSL Termination
Because I am not too experienced with F5 LTM and/or SSL communication, I have to ask a question.
Is it possible somehow to redirect incoming SSL requests right before SSL termination by using iRules on the F5 LTM?
I am asking because I do not have a cert for one domain on my side, so right now I only deliver HTTP content for it. But I would certainly like to answer incoming requests, which might be SSL related, with something other than just a reject.
I looked around the examples but could not find a complete solution. Examples are "How To Avoid SSL Handshake When No Pool Member Available" or "HTTPS passthrough fallback URL" in the iRules section.
In detail, I tried these rules.
>>>
rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if {[active_members [LB::server pool]] < 1} {
            SSL::disable
            reject
        }
    }
}
reject certainly ends the communication directly.
Or
rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if {[active_members [LB::server pool]] < 1} {
            SSL::enable
        }
    }
    when HTTP_REQUEST {
        HTTP::redirect "http://[getfield [HTTP::host] ":" 1][HTTP::uri]"
        TCP::close
    }
}
The client receives the default SSL cert, which does not cover the domain where I tried to use the rule.
Or
rule GLOBAL_REDIRECT_HTTPS_TO_HTTP_IRULE {
    when CLIENT_ACCEPTED {
        if {[active_members [LB::server pool]] < 1} {
            HTTP::redirect "http://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            TCP::close
        }
    }
}
I receive an error because HTTP::redirect cannot be used at CLIENT_ACCEPTED.
<<<
Hope there is a way and somebody could give me a hint.
Thanks so far.
AMa
- Kevin_Davies_40 (Nacreous): The problem here is the client is expecting to talk SSL (https) but you cannot provide it. Nothing further will happen beyond that point. You won't get the chance to send a redirect because the communication will stop right there. You need an SSL certificate of some sort on the virtual server or the F5 will never see the request because it is encrypted. When you have installed one you can send the traffic to your non-SSL server on the backend directly (no server side certificate) or use a redirect to tell them to go there. There is no need to use an iRule for the redirect. Create an httpclass and redirect everything to http://[HTTP::host][HTTP::uri] then assign it to the SSL virtual.
- AMa_3342 (Nimbostratus): Hello Kevin,
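Why the redirect cannot happen before SSL termination, as an added example that is not part of the original thread (written in Python rather than as an iRule so it runs without a BIG-IP; the function names and the sample hostname are assumptions). It parses the first bytes a client sends: on an HTTPS connection that is a TLS ClientHello exposing at most the SNI host name and never the URI, so the Host and URI a redirect needs only exist once a certificate has completed the handshake.

```python
import struct

def build_client_hello(hostname):
    """Constructed minimal TLS ClientHello carrying one SNI name (sample input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(data):
    """Return the cleartext SNI name from a ClientHello record, or None."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    end = min(len(data), 5 + struct.unpack("!H", data[3:5])[0])
    try:
        pos = 9 + 2 + 32                                         # headers, version, random
        pos += 1 + data[pos]                                     # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]     # cipher suites
        pos += 1 + data[pos]                                     # compression methods
        pos += 2                                                 # extensions length field
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            if ext_type == 0:                                    # server_name extension
                name_len = struct.unpack("!H", data[pos + 7:pos + 9])[0]
                return data[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                     # truncated or malformed hello
    return None

def visible_before_termination(first_bytes):
    """What a proxy can read from the first client bytes without decrypting."""
    if first_bytes[:1] == b"\x16":                               # TLS handshake record
        return {"protocol": "tls", "host": sni_from_client_hello(first_bytes), "uri": None}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    request = head[0].split(" ")
    if len(request) != 3 or not request[2].startswith("HTTP/"):
        return {"protocol": "unknown", "host": None, "uri": None}
    hosts = [h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")]
    return {"protocol": "http", "host": hosts[0] if hosts else None, "uri": request[1]}

if __name__ == "__main__":
    # Constructed samples: the same site requested over port 443 and over port 80.
    print(visible_before_termination(build_client_hello("www.example.com")))
    print(visible_before_termination(b"GET /shop?id=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```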