irule http to https redirect with a little nuance

Question

Hi Everyone, 
I was hoping for a hand, I'm working on a irule that says:
if you reach http://sysdev redirect to https://sysdev.x.com/login.aspx
otherwise, if someone has a bookmark to http://sysdev/form1.aspx redirect to https://sysdev.x.com/form1.aspx
So this is what I have:
when HTTP_REQUEST {
   if { [HTTP::uri] == "/" } {
      HTTP::redirect https://sysdev.x.com/login.aspx 
   }
    else {
        HTTP::redirect https://sysdev.x.com[HTTP::uri]
    }
}

Would this work? I cant find much documentation on 'else' only on 'elseif' - any help would be appreciated.

afedden_1985 · Answer

if you want to redirect all HTTP to HTTPs for the VIP you could do this,  it preserves the host and URI and tells them to come back using HTTPS.&nbsp;
when HTTP_REQUEST {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}&nbsp;
OR&nbsp;
if you only needed to enforce specific URIs for a VIP to enforce HTTPS this works.  This rule is applied to the HTTP VIP only and inspects the URI and looks into the external data group called SSLREQUIRED
if a match is found a redirect is sent to the client,  non matching URIs get passed as HTTP.&nbsp;
when HTTP_REQUEST {
  set uri_status [class match [string toupper [HTTP::uri]] starts_with SSLREQUIRED]
  if { $uri_status ne "0" } {
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
  } 
}&nbsp;

jon_singh · Answer

I believe that the top solution would work for one part of the solution, the only issue I have is this:

we have users that have bookmarked something like this: http://sysdev, this currently automatically redirects to http://sysdev.x.com/login.aspx we want it now to redirect to httpS://sysdev.x.com/login.aspx

so I figured merging the two directives into one 1 irule would make sense hence why i thought of the original idea, would there be an easy way to merge the login redirect with your first solution?

arie · Answer

Jon,&nbsp;
You mentioned the host "sysdev" in the phrase about the bookmark. Did you mean "sysdev" or "sysdev.x.com"?Keep in mind that "/" can usually also be accessed as "/default.aspx". You'll want to plan for both.The Big-IP can be a great tool for forcing people to certain destinations, but in this case I'm wondering if the best solution wouldn't be to configure the log-in in the web.config file.

Forum Discussion

irule http to https redirect with a little nuance

3 Replies

Recent Discussions

Recommendation for Adv. Lab

Cloud Apps Protection

Illigal Parameter addition as custom signature set wanted to Unblock

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

Connection Rate Limit with log output

Related Content

F5 HTTPS Redirect 2025

The Tale of Little Bobby Tables

iHealth Upgrade Advisor: Making upgrades a little easier

BIGdiff - A Little Help For Software Upgrades

A Little Introduction