HTTPS to HTTP redirect for maintenance page.
We have an HTTPS virtual server that is set as a basic configuration with no iRules. For multiple reasons (security and simplicity being the biggest) the SSL certs are terminated on the back-end servers directly; the LTM just passes the traffic directly through.
We have a new requirement to implement a maintenance page for one of our sites. One of the options is to write an iRule that sends the client a 302 redirect to an HTTP website while the pool is unavailable. I believe that this should be doable, but based on my understanding of the relationship between SSL/TLS and HTTP it would require that the SSL session be established before the HTTP redirect can occur, which would require that the SSL certs be moved to the LTM. Our architect disagrees and believes that we shouldn't have to house the certs on the LTM in order to implement an HTTPS to HTTP redirect.
I have been searching for documentation to support either position, and I'm not having a lot of luck. Can anyone advise?
- Ryan_80361Cirrostratus
Heya, you are correct in thinking that the certificate will need to be placed on the LTM. If the LTM can't "see inside" the encrypted traffic then it can't modify it, e.g. send the redirect that you want. You'll need to perform SSL offloading or SSL bridging (which seems more appropriate as you obviously already have pool members listening on 443 etc).
- Zac_QuinnNimbostratus
Reading the OP, it looks like David just needs to redirect to a sorry page, so he shouldn't need to inspect the contents as his rule is a simple passthrough rule with no L7 URI inspection. Take a look at " as this should give you a couple of ideas for the iRule. You can direct to a page on another server or have the LB respond directly with an HTTP page coded in the iRule.
- David_Broaddus_Nimbostratus
Thanks. The more I thought about it the more I was certain I was correct. The independent opinion is appreciated.
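The question debated in this thread, as an added example that is not part of the original posts: a loopback listener stands in for a passthrough device that holds no certificate and answers port-443 traffic with a cleartext 302, and a TLS client connects to it. The host names and the `maintenance.example.invalid` URL are placeholders assumed for the demonstration.

```python
import socket
import ssl
import threading

# Constructed sample: the cleartext redirect a device without the cert could send.
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://maintenance.example.invalid/\r\n"
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")

def start_plaintext_redirector():
    """Listen on a free loopback port; answer every connection with REDIRECT."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.recv(4096)  # the ClientHello; opaque without TLS termination
                    conn.sendall(REDIRECT)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def https_client_result(port):
    """Connect as an HTTPS client; report whether an HTTP response was ever seen."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # validation is irrelevant here: the
    ctx.verify_mode = ssl.CERT_NONE  # handshake fails before any cert is sent
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as raw:
            with ctx.wrap_socket(raw, server_hostname="site.example.invalid") as tls:
                tls.sendall(b"GET / HTTP/1.1\r\nHost: site.example.invalid\r\n\r\n")
                return ("response", tls.recv(4096))
    except ssl.SSLError as exc:
        return ("tls_error", exc.reason or str(exc))

if __name__ == "__main__":
    listener, port = start_plaintext_redirector()
    print(https_client_result(port))  # the client never reaches the HTTP layer
    listener.close()
```

The client reports a TLS error instead of following the `Location` header, because the redirect arrives where a ServerHello record is expected.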