Forum Discussion

davis16_81740's avatar
davis16_81740
Icon for Nimbostratus rankNimbostratus
Jan 22, 2015

Irule for redirecting https to http

I have an old web site that I still ocasionally get querys on which I want to redirect to a page that gives people an idea of what happened to the old site. Unfortunately the irule below only works for http queries NOT https: ---- irule -----

 

when HTTP_REQUEST { if { ([HTTP::host] eq "oldwebsite.com") and ([HTTP::uri] eq "") } { HTTP::redirect "https://newwebsite.com/sadsotory.html" } }

 

When someone requests http://oldsite.com they are successfully redirected to the correct page but when they request https://oldwebsite.com nothing happens and the transaction doesn't even get logged! The important points are that the https://oldsite.com virtual server/address still exists but, there is no certificate. ( I tried just selecting clientssl and that didn't work)

 

So to reiterate.... is there any way to redirect https://oldsite.com to https://newwebsite.com/sadsotory.html without installing a new certificate ?????

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
devops
iRules
LTM
security

5 Replies

  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Jan 22, 2015

    Is the iRule assigned to the VIP for the HTTPS-site (port 443)?

     

    Either way, you'll need an external certificate for this VIP and terminate SSL on the BIG-IP to run the iRule. In addition, if it's not a valid cert (matching the hostname) the users will receive certificate errors before they're redirected.

     

  • davis16_81740's avatar
    davis16_81740
    Icon for Nimbostratus rankNimbostratus
    Jan 22, 2015

    Thanks for the quick response.

     

    When I test this I do not see any certificate errors is there a log I should see them in ? I was sure this situation comes up all the time ... I guess Im wrong.

     

    • shaggy's avatar
      shaggy
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2015
      @arie means browser certificate errors since it's likely the certificate on VIP newsite_https has a different common name/SANs than oldsite_https. is oldsite.com hosted on your f5 as well?
    • davis16_81740's avatar
      davis16_81740
      Icon for Nimbostratus rankNimbostratus
      Jan 22, 2015
      Yes, I stopped paying for the cert, got rid of the pools and then someone argued that we should reroute all potential requests.
  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Jan 22, 2015

    If you want to redirect HTTPS traffic to HTTP you'll have to get another (matching) cert to avoid browser errors. You don't need a pool if all you want to do is redirects, but you will need a VIP for port 443 (along with said cert).

     

    The SSL handshake takes place before you can send an HTTP-redirect.