Forum Discussion
Robert_Pagano_7
Nimbostratus
Nimbostratusimmediate redirect when client attempts to access an HTTPS URL that will be going away
This is probably a silly question but I am going to ask it anyway ...
We have a HTTPS site that we will be retiring in the near future.
We want to redirect clients who attempt to browse to that site to be redirected to the new HTTPS site.
I have done something similar to this in the past; but it has been with HTTP requests using the "when HTTP_REQUEST ..." and "HTTP::redirect ..." syntax.
The wrinkle, this time, is that we do not want to maintain (i.e. pay for) the SSL certificate for the old site.
So, is it possible to send a redirect to a client as soon as it attempts to access an HTTPS URL? Something along the lines of a "when HTTPS_REQUEST ..."?
If not, is there any other way to implement such a redirect?
Any guidance at all will be very much appreciated!
naladar_65658Altostratus
That is a good question. You would use the when HTTP_REQUEST syntax and use the http::redirect command. Something like this:when HTTP_REQUEST { if { ([string tolower [HTTP::host]] contains "your.websitename.com")} { HTTP::redirect "https://www.yournewwebsitename.com[HTTP::uri]" } }- Chris_MillerAre you basically saying that a user will hit an SSL Virtual Server which has an expired Cert? I'm not sure what you meant by "stop paying for."
Robert_Pagano_7Chris:
Yes, that is the issue. I should have been more clear. The current SSL certificate is a Verisign cert and the company does not want to pay to renew it (since the site will no longer exist). So, to give the clients some time to adjust to the fact that the site moved from https://www.originalsite.example.com/ to https://www.newsite.example.com/ , I would like the LTM to redirect the clients to the new site as soon as it sees an HTTPS connection to the "originalsite" VIP (i.e. no SSL handshaking, etc.). I just don't know if that is possible. (Whether or not it should be possible is another question, of course. Even if it is do-able, a little voice keeps whispering, "Major security no-no!").
Thank you.- Chris_MillerRobert - since "HTTP::redirect" is limited to events that would have occurred after the SSL handshake has been completed at your expired-cert VIP, I don't really see any options here. If others have ideas, please chime in...
- Hi Robert,
There is no way around a certificate error when it has expired. You also can't redirect from one HTTPS virtual to another without getting a certificate error. When I have ran into this in the past, I usually respond with a small page that explains the circumstances and provides a link to the new site.rule new_site_redirect { when HTTP_REQUEST { HTTP::respond 200 content "example.com has moved \ Example.com has moved to its new home at "
}
}
I don't know if this is what you were looking for, but it has been a nice work around for me in the past.
-George - Apparently the forum clobbered my HTML code, but you get the idea. Just respond with a page that has a link to the new site.
-George - Robert_Pagano_7Thank you all for your replies. The business has decided to renew the SSL certificate for another year. So, I can do the redirect on the LTM after it handles the client SSL session setup. If, after a year, folks don't realize they have been redirected to a new site ... (Well, I'll just leave it at that!)
Thanks again, all! 
hoolioCirrostratus
As Chris suggested, you need LTM to decrypt the SSL in order to send an HTTP response back to the client. If you want to avoid a browser warning for an expired or mismatched cert, you'd need to use a valid cert which matches the host name that clients make requests to.
Aaron
