For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Davies_40's avatar
Kevin_Davies_40
Icon for Nacreous rankNacreous
Aug 19, 2011

HTTPS VIP for HTTP Website

Given there are many ways to skin a cat. If you were setting up a https VIP for a http webserver how would you do it? Currently it seems you have to add a stream profile with an iRule to rewrite http to https on the web pages responses to make this work. Seems a bit cumbersome to me so am I missing something? Suggestions appreciated.

 

 

Kevin (Jarvil)

 

 

 

 

 

config
design

5 Replies

  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Aug 19, 2011
    Hi Kevin,

     

    If you are talking about re-writing http to https within web pages, then streaming profile is the simplest to use. But if you are looking re-write many different links then you might want to take a look at the following iRule

     

     

    http://devcentral.f5.com/wiki/iRules.ProxyPassV10.ashx

     

     

    I hope this helps.

     

     

    Bhattman
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 19, 2011
    If you have the option of modifying the application, you could make the absolute URLs relative. This avoids the need to do any payload rewriting and will work for HTTP or HTTPS. If not, I'd probably skip proxypass and just use a stream profile and iRule for this.

    Here's one recent example:

    http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aff/5/afv/topic/aft/1179185/afc/1250734/Default.aspx 

    
when HTTP_REQUEST {

    Save the requested host value
   set host [string tolower [HTTP::host]]

    Disable the stream filter by default
   STREAM::disable
}
when HTTP_RESPONSE {

    Check if response type is text and host isn't null
   if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{

       Replace http://$host with https://$host
      STREAM::expression "@http://$host@https://$host@"

       Enable the stream filter for this response only
      STREAM::enable

      if { [HTTP::is_redirect] } {
         HTTP::respond 302 Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
   }
}

    Aaron
  • Kevin_Davies_40's avatar
    Kevin_Davies_40
    Icon for Nacreous rankNacreous
    Aug 23, 2011
    I suppose the underlying question here is,

     

     

    Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to a HTTP website. You would think given the commonality of this requirement it would be a built-in feature.

     

     

    Kevin
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 24, 2011
    Hi Kevin,

     

     

    There's talk of doing just that. I think it's being worked on.

     

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Aug 24, 2011
    Posted By Kevin on 08/23/2011 04:44 PM

     

    I suppose the underlying question here is,

     

     

    Don't people often offload SSL to their F5 because it has dedicated hardware processing? If that assumption is true then why am I writing an iRule to perform what seems to be an obvious requirement of mapping HTTPS to a HTTP website. You would think given the commonality of this requirement it would be a built-in feature.

     

     

    Kevin

     

    Because often there is a requirement for BOTH http and https instances... And the https site MAY need to refer to the HTTP site (In fact many do).

     

     

    If it was automatic, that wouldn't work any more... Although admittedly if it were just an automated way of adding in an optional stream processing config that would work too...