Forum Discussion
Kevin_Davies_40
Nacreous
NacreousHTTPS VIP for HTTP Website
Given there are many ways to skin a cat. If you were setting up a https VIP for a http webserver how would you do it? Currently it seems you have to add a stream profile with an iRule to rewrite http to https on the web pages responses to make this work. Seems a bit cumbersome to me so am I missing something? Suggestions appreciated.
Kevin (Jarvil)
5 Replies
- The_Bhattman
Nimbostratus
Hi Kevin,
If you are talking about re-writing http to https within web pages, then streaming profile is the simplest to use. But if you are looking re-write many different links then you might want to take a look at the following iRule
http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx
I hope this helps.
Bhattman 
hoolioCirrostratus
If you have the option of modifying the application, you could make the absolute URLs relative. This avoids the need to do any payload rewriting and will work for HTTP or HTTPS. If not, I'd probably skip proxypass and just use a stream profile and iRule for this.
Here's one recent example:
http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/afv/topic/aft/1179185/afc/1250734/Default.aspxwhen HTTP_REQUEST { Save the requested host value set host [string tolower [HTTP::host]] Disable the stream filter by default STREAM::disable } when HTTP_RESPONSE { Check if response type is text and host isn't null if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{ Replace http://$host with https://$host STREAM::expression "@http://$host@https://$host@" Enable the stream filter for this response only STREAM::enable if { [HTTP::is_redirect] } { HTTP::respond 302 Location [string map -nocase "http://$host https://$host" [HTTP::header Location]] } }
Aaron- Kevin_Davies_40I suppose the underlying question here is,
Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to a HTTP website. You would think given the commonality of this requirement it would be a built-in feature.
Kevin - hoolioHi Kevin,
There's talk of doing just that. I think it's being worked on.
Aaron 
HamishCirrocumulus
Posted By Kevin on 08/23/2011 04:44 PM
I suppose the underlying question here is,
Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to a HTTP website. You would think given the commonality of this requirement it would be a built-in feature.
Kevin
Because often there is a requirement for BOTH http and https instances... And the https site MAY need to refer to the HTTP site (In fact many do).If it was automatic, that wouldn't work any more... Although admittedly if it were just an automated way of adding in an optional stream processing config that would work too...
