Forum Discussion
Isaac_105703
Nimbostratus
NimbostratusiRule to maintain POST data for redirect
Hi there,
I have a web page that has username/password fields. A "login" button performs a POST of that data to a file on the site (/cgi-bin/login.cgi) for authentication.
I want to force all requests made for my cgi file to be sent over SSL.
Here's what I have so far:
when HTTP_REQUEST {
if {
[HTTP::uri] contains ".cgi"
} then {
HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}
This doesn't work correctly. The client gets redirected fine, but the POST data is empty. Is there a way to capture that POST data and include it for the redirect?
Thanks,
-Isaac
hoolioCirrostratus
Hi Isaac,
As you've found, redirecting a POST request triggers the client to make a GET request to the new Location. Any POST data is lost in the process. In terms of LTM configuration, it would probably be easiest to rewrite the response which generates the POST via HTTP so that the POST is made via HTTPS.
If you are trying to prevent sensitive data from being sent in the clear it's too late by the time the POST request is sent with the login credentials. The data is already being sent in cleartext. Ideally you would try to prevent the HTTP request before it's made. If the response which generates the HTTP request is sent to the client through LTM, you could potentially rewrite it to reference the HTTPS VIP using a stream profile and STREAM::expression iRule (Click here). Or more ideally, you could change the application to reference https instead of http.
Aaron
Isaac_105703Hey Aaron,
Thanks for the good info. I'll have to find another way to solve this.
Thanks,
-Isaac