Irule to redirect https to http

Question

Situation: 
&nbsp;  
&nbsp; There is a hardcoded URL that goes to https://junk.domain.com/ in an application.  I want the f5 to redirect any traffic destined to that domain to a different site located else where on the internet via http://realjunk.domain.com/  But I don't want the expense of adding a certificate to my f5 and I cannot change the software application with the hard coded https url. 
&nbsp;  
&nbsp; Can this be done? 
&nbsp;  
&nbsp; I have done a simple vitual host with a redirect rule and it works if I use one of my existing ssl profiles but I get the error that the cert does not match.  Which is true but ultimately I am really redirecting to a non ssl site. 
&nbsp;  
&nbsp; Thoughts?

hoolio · Answer

Hi there, 
  
 Is this the same scenario as the last post (Click here)?  If so, you can use a stream profile and STREAM::expression based iRule to rewrite the response content to the correct domain.  This would avoid the issue of the client making a request to the old domain. 
  
 You can check the STREAM::expression wiki page for examples (Click here).

when HTTP_RESPONSE {

Check if response type is text 
    if {[HTTP::header value Content-Type] contains "text"}{ 
  
        Replace https://junk.domain.com with https://realjunk.domain.com 
       STREAM::expression {@https://junk.domain.com@https://realjunk.domain.com@} 
  
        Enable the stream filter for this response only 
       STREAM::enable 
  
    } else { 
        Disable the stream filter by default 
       STREAM::disable 
    } 
 }

This will work if the response is going to the client through the BIG-IP.  If that's not the case, there aren't any simple fixes you can make on the BIG-IP to prevent the browser alert.  By design of HTTPS, if a request comes in via HTTPS to a VIP and you don't have an SSL cert valid for that domain or subdomain, the browser will generate an invalid or mismatched cert warning.  You could either get a valid cert for junk.domain.com or for *.domain.com. 
  
 Aaron

dennypayne · Answer

The problem is that you can't invoke HTTP events such as redirects in an iRule without using an http profile on the virtual, and to do that, you've got to decrypt, which means handling the SSL cert first.   
  
 The only other option would be to process something in the CLIENT_ACCEPTED event, and there's no redirection there 
  
 Maybe something like this would work (haven't tried this):

when CLIENT_ACCEPTED { 
     SSL::disable 
     pool myPool 
 }

Where myPool would have the new domain's server as a pool member, but that's still not going to change the domain that the browser asked for.  So, you'd likely get an SSL cert error when it did connect to the new server anyway. 
  
 So unfortunately, I don't think there's a way to do this. 
  
 Denny

Forum Discussion

Irule to redirect https to http

2 Replies

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

F5 Academies Are Back – And We’re Coming to a City Near You

Recent Discussions

Failed to set RDP launch token timeout

AWAF - Do not log Geolocation violations from the Event Log

Load Balancing IIS Servers

remove www from domain

Front azure traffic from F5 LTM onpremises

Related Content

Hey DeepSeek, can you write iRules?

Anchor Link Redirect

issue with irule redirecting with # string

iRule for Logging a HTTP::header

iRule assistance for subfolder redirect

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS