Forum Discussion

Kevin_Davies_40
Aug 19, 2011

HTTPS VIP for HTTP Website

Given there are many ways to skin a cat, if you were setting up an HTTPS VIP for an HTTP web server, how would you do it? Currently it seems you have to add a stream profile with an iRule to rewrite http to https in the web page responses to make this work. Seems a bit cumbersome to me, so am I missing something? Suggestions appreciated.

Kevin (Jarvil)

  • Hi Kevin,

    If you are talking about re-writing http to https within web pages, then a streaming profile is the simplest to use. But if you are looking to re-write many different links, then you might want to take a look at the following iRule:

    http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx

    I hope this helps.

    Bhattman
  • hoolio
    If you have the option of modifying the application, you could make the absolute URLs relative. This avoids the need to do any payload rewriting and will work for HTTP or HTTPS. If not, I'd probably skip proxypass and just use a stream profile and iRule for this.

    Here's one recent example:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/afv/topic/aft/1179185/afc/1250734/Default.aspx

    
    when HTTP_REQUEST {

       # Save the requested host value
       set host [string tolower [HTTP::host]]

       # Disable the stream filter by default
       STREAM::disable
    }
    when HTTP_RESPONSE {

       # Check if response type is text and host isn't null
       if {[HTTP::header value Content-Type] contains "text" and $host ne ""} {

          # Replace http://$host with https://$host
          STREAM::expression "@http://$host@https://$host@"

          # Enable the stream filter for this response only
          STREAM::enable

          # Rewrite the Location header on redirects back to this host
          if { [HTTP::is_redirect] } {
             HTTP::respond 302 Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
          }
       }
    }
    

    Aaron
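A check that could be run over responses captured through the HTTPS VIP once a stream profile and an iRule like the one above are in place. This is an added Python example, not part of the original post or of F5's code, and the host names and sample responses are constructed. It separates absolute http:// references to the VIP's own host that survived the rewrite, those in bodies the Content-Type test skips, and links to other hosts that a host-scoped expression leaves untouched.

```python
import re

# Absolute http:// URL; group 1 is the hostname (port and path excluded).
HTTP_URL = re.compile(r"http://([a-z0-9.-]+)", re.IGNORECASE)

def audit_response(vip_host, headers, body):
    """Classify absolute http:// references in one response seen by a client.

    missed      - VIP host in Location or a text body: the rewrite should have
                  changed these, so the profile/iRule is not taking effect.
    not_covered - VIP host in a body whose Content-Type lacks "text": the
                  posted iRule never enables the stream filter for it.
    other_host  - a different host: a host-scoped rewrite leaves these alone.
    Assumes header names are spelled exactly "Location" and "Content-Type".
    """
    vip_host = vip_host.lower()
    out = {"missed": [], "not_covered": [], "other_host": []}

    def classify(where, url_host, same_host_bucket):
        same = url_host.lower() == vip_host
        out[same_host_bucket if same else "other_host"].append((where, url_host.lower()))

    m = HTTP_URL.match(headers.get("Location", ""))
    if m:
        classify("Location", m.group(1), "missed")

    is_text = "text" in headers.get("Content-Type", "")
    for lineno, line in enumerate(body.splitlines(), 1):
        for m in HTTP_URL.finditer(line):
            classify(f"body:{lineno}", m.group(1), "missed" if is_text else "not_covered")
    return out

# Constructed sample responses (hypothetical hosts), as a client would see them.
VIP = "shop.example.test"
PAGE = ({"Content-Type": "text/html"},
        '<a href="/cart">cart</a>\n'                        # relative: nothing to rewrite
        '<a href="http://shop.example.test/login">login</a>\n'
        '<a href="http://static.example.test/a.css">css</a>\n')
SCRIPT = ({"Content-Type": "application/javascript"},
          'var api = "http://shop.example.test/api";\n')
REDIRECT = ({"Location": "http://shop.example.test/home"}, "")

if __name__ == "__main__":
    for name, (hdrs, body) in (("page", PAGE), ("script", SCRIPT), ("redirect", REDIRECT)):
        print(name, audit_response(VIP, hdrs, body))
```

The relative link on the first line of the sample page produces no finding, which is the effect of the relative-URL suggestion above.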
  • I suppose the underlying question here is,

    Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true, then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to an HTTP website? You would think given the commonality of this requirement it would be a built-in feature.

    Kevin
  • hoolio
    Hi Kevin,

    There's talk of doing just that. I think it's being worked on.

    Aaron
  • Hamish
    Posted By Kevin on 08/23/2011 04:44 PM

    I suppose the underlying question here is,

    Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true, then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to an HTTP website? You would think given the commonality of this requirement it would be a built-in feature.

    Kevin

    Because often there is a requirement for BOTH http and https instances... And the https site MAY need to refer to the HTTP site (in fact many do).

    If it was automatic, that wouldn't work any more... Although admittedly if it were just an automated way of adding in an optional stream processing config that would work too...