Irule to prevent mixed content

Question

Hi - We have what looks like a fairly simple issue, but it I can't crack it. We are trying to send all HTTP traffic to HTTPS with this irule:  
&nbsp;  
&nbsp; On VIP-80 
&nbsp; when HTTP_REQUEST {  
&nbsp;    if { [HTTP::uri] starts_with "/paymentoptionshome/payments" } {  
&nbsp;      HTTP::redirect "https://[HTTP::host][HTTP::uri]"  
&nbsp;    }  
&nbsp;  } 
&nbsp;  
&nbsp; Then send all HTTPS traffic to HTTP using this irule:  
&nbsp; On VIP-443 
&nbsp; when HTTP_REQUEST {  
&nbsp;    if  { (!( [HTTP::uri] starts_with "/paymentoptionshome/payments")) and ([TCP::local_port] == 443) } {  
&nbsp;      HTTP::redirect "http://[HTTP::host][HTTP::uri]"  
&nbsp;    }  
&nbsp;  }   
&nbsp;  
&nbsp; Having this second irule in place forcing mixed content when accessing the uri /paymentoptionshome/payments. We can't have mixed content as the padlock doesn't show and the business is not keen to not show the padlock. Ideally we want the irule to look something like this:  
&nbsp;  
&nbsp; class file_extensions  { 
&nbsp;    ".gif" 
&nbsp;    ".htm" 
&nbsp;    ".html" 
&nbsp;    ".jpg" 
&nbsp;    ".js" 
&nbsp;    ".css" 
&nbsp;    ".swf" 
&nbsp;    ".jpeg" 
&nbsp;    ".pdf" 
&nbsp; } 
&nbsp; when HTTP_REQUEST {  
&nbsp;    if  { (!( [HTTP::uri] starts_with "/paymentoptionshome/payments") and [matchclass $uri ends_with $::file_extensions] &gt; 0 ) and ([TCP::local_port] == 443) } {  
&nbsp;      HTTP::redirect "http://[HTTP::host][HTTP::uri]"  
&nbsp;    }  
&nbsp; } 
&nbsp;  
&nbsp; But this doesn't work. Can anyone help?  
&nbsp;  
&nbsp; Thanks 
&nbsp; Kate 
&nbsp;

hoolio · Answer

Hi Kate, 
&nbsp;  
&nbsp; Why do you want to not serve that specific URI via HTTPS?  As you've found, most browsers will generate an insecure content warning and none will show the padlock if the client is redirected to HTTP.  The simple solution is to not redirect requests to that URI to HTTP. 
&nbsp;  
&nbsp; Aaron

katekattar_4936 · Answer

Perhaps I have the entire logic incorrect. What we are trying to do is force SSL when using part of our website (to enter card details), and ensure users cant get to SSL at any other time. So we want all requests for /paymentoptionshome/payments to be HTTPS, and everything else HTTP.  
&nbsp;  &nbsp;

dennypayne · Answer

You would have to not redirect any element on the page to avoid the mixed content problem.  Right now your logic prevents redirecting /paymentoptionshome/payments but that probably only covers the html on the page.  I suspect that the images, css, etc. on that page have a different URI and are thus getting redirected to HTTP, causing the mixed content warning (understand that every element on the page is a separate GET and thus a separate connection that passes through the iRule). 
&nbsp;  
&nbsp; Denny

Forum Discussion

Irule to prevent mixed content

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

iRule to modify a content-security-policy header

Operationlizing Online Fraud Detection, Prevention, and Response

Guarding Large Language Models: Advanced Approaches to Preventing Model Theft

Layer 7 Content Routing in F5 XC

DevCentral Content Highlights

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS