
Nathan_Andrews_
Dec 06, 2013

iRule required to rewrite the form HTTP POST to use port 443

Hi,

 

I have an issue at present whereby I cannot login to a web app that is currently load balanced. I currently have an HTTP class profile that redirects HTTP clients to use HTTPS.

 

I logged a case with F5 and they advise me that the redirect functionality is applied to HTTP 301, 302, 303, 305, or 307 redirects and not to application data found within HTML streams. They diagnosed that my server is hard coded to request that clients connect using HTTP. This causes a continuous HTTP to HTTPS redirect loop hence I cannot login to my web app.

 

F5 advise that I need to create an iRule to perform the following:

 

(1) Redirect client HTTP connections to use HTTPS
(2) Re-write the HTTP form POST from the server to use port 443

 

Has anyone ever implemented this? If so could you share your iRule?

 

Many thanks,

 

Nathan

 

6 Replies

  • There is a fairly common problem where a server that doesn't understand it's behind an SSL offloading proxy will continue to send HTTP absolute URLs. There are at least two places where a server can tell the client to talk to it over HTTP vs. HTTPS.

     

    1. In the response headers - a redirect is caused by a 30x type response message and a Location header. The easiest way to overcome this is with the Redirect Rewrite setting in the HTTP profile. Enabling this tells the LTM to replace any HTTP Location header references with HTTPS for 30x responses.

       

    2. In the response payload - when the returned page contains absolute URL references to document elements (ie. images, JavaScript, CSS, etc.), your best bet is a fairly straight forward STREAM iRule applied to the VIP. Assign an empty STREAM profile (the parent profile will do) and your iRule. Take a look at the example on the STREAM::expression wiki page.

       

      https://devcentral.f5.com/wiki/iRules.STREAM__expression.ashx
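    As an added example, not code from this thread or from F5's own iRule library, the two iRules below implement the two points in this reply plus the HTTP-to-HTTPS redirect the original poster needs. They are two separate iRules shown in one listing: the first goes on a port 80 virtual server, the second on the port 443 virtual server. The STREAM part follows the pattern on the STREAM::expression wiki page linked above; the Content-Type guard, the Location-header rewrite and the Accept-Encoding removal are my additions, not anything the reply specifies.

```tcl
# Added example (not from the thread). Paste each section as its OWN iRule.

# ---------------------------------------------------------------------------
# iRule A: attach to the port 80 virtual server (needs an HTTP profile).
# Every cleartext request is sent back to the same host and URI over HTTPS,
# which is essentially what the built-in _sys_https_redirect iRule does.
# ---------------------------------------------------------------------------
when HTTP_REQUEST {
    # getfield drops any ":port" suffix the browser put in the Host header
    HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
}

# ---------------------------------------------------------------------------
# iRule B: attach to the port 443 virtual server together with an HTTP
# profile and the default "stream" profile (STREAM::expression below
# supplies the actual search/replace, so the profile itself can stay empty).
# ---------------------------------------------------------------------------
when HTTP_REQUEST {
    # Start with the stream filter off; it is switched on per response below.
    STREAM::disable
    # LTM does not decompress the server's body before the stream filter runs,
    # so stop the server from compressing by not advertising compression.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # Place 1 (headers): a 30x redirect whose Location points back to http://.
    # The HTTP profile's Redirect Rewrite setting covers this as well; doing it
    # here keeps the rule self-contained if that setting is left at "None".
    if { [HTTP::is_redirect] && [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" \
            [string map {"http://" "https://"} [HTTP::header "Location"]]
    }

    # Place 2 (payload): absolute http:// URLs inside HTML, such as the form
    # action the original poster's server hard-codes. Only text bodies are
    # rewritten; running the filter over images or binaries wastes CPU and
    # risks corrupting them.
    if { [HTTP::header "Content-Type"] starts_with "text/" } {
        # STREAM::expression syntax is @find@replace@
        STREAM::expression {@http://@https://@}
        STREAM::enable
    }
}
```

    Two caveats worth checking before you rely on this. First, `@http://@https://@` rewrites every absolute URL in the page, including links to third-party sites that may not serve HTTPS; if that matters, narrow the expression to your own hostname (for example `@http://app.example.com@https://app.example.com@`, where the hostname is a placeholder). Second, the redirect in iRule A reflects whatever Host header the client sent, which is fine for a plain scheme upgrade but is something to keep in mind if you ever build more elaborate redirect logic on top of it.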

       

  • Can I merely add this statement into the one iRule?

     

    Why would you need to do this?

     

    Also which VIP would I associate the Stream iRule with? The one listening on port 443 or port 80?

     

    You shouldn't need a port 80 VIP. You're forcing all traffic through 443, so the goal is to not have any traffic traversing port 80.

     

  • Oh I see. Yes, you can still do that. Just create a port 80 VIP. Assign an HTTP profile and the built-in _sys_https_redirect iRule.

     

  • You need to apply a STREAM profile to the VIP. Depending on version, the option should be right above the client SSL profile selection in the GUI. When using an iRule to do STREAM processing you can just use the default parent STREAM profile.

     

  • If you can, load up a client side HTTP analysis tool like Fiddler or HTTPWatch and examine the HTTP conversation between the browser and the LTM port 443 VIP. What you're looking for is any HTTP header or HTML content that references the HTTP:// URL versus the HTTPS:// URL, and then where it breaks (what request comes immediately before the failure).