Forum Discussion
FSC-IT_27241
Nimbostratus
Oct 20, 2008
Irule to redirect https to http
Situation:
There is a hardcoded URL that goes to https://junk.domain.com/ in an application. I want the f5 to redirect any traffic destined to that domain to a different site located elsewhere on the internet via http://realjunk.domain.com/. But I don't want the expense of adding a certificate to my f5 and I cannot change the software application with the hardcoded https URL.
Can this be done?
I have done a simple virtual host with a redirect rule and it works if I use one of my existing SSL profiles, but I get the error that the cert does not match. Which is true, but ultimately I am really redirecting to a non-SSL site.
Thoughts?
2 Replies
- hoolio
Cirrostratus
Hi there,
Is this the same scenario as the last post (Click here)? If so, you can use a stream profile and STREAM::expression based iRule to rewrite the response content to the correct domain. This would avoid the issue of the client making a request to the old domain.
You can check the STREAM::expression wiki page for examples (Click here).

when HTTP_RESPONSE {
   # Check if response type is text
   if {[HTTP::header value Content-Type] contains "text"}{
      # Replace https://junk.domain.com with https://realjunk.domain.com
      STREAM::expression {@https://junk.domain.com@https://realjunk.domain.com@}
      # Enable the stream filter for this response only
      STREAM::enable
   } else {
      # Disable the stream filter by default
      STREAM::disable
   }
}
This will work if the response is going to the client through the BIG-IP. If that's not the case, there aren't any simple fixes you can make on the BIG-IP to prevent the browser alert. By design of HTTPS, if a request comes in via HTTPS to a VIP and you don't have an SSL cert valid for that domain or subdomain, the browser will generate an invalid or mismatched cert warning. You could either get a valid cert for junk.domain.com or for *.domain.com.
Aaron
- dennypayne
Employee
The problem is that you can't invoke HTTP events such as redirects in an iRule without using an http profile on the virtual, and to do that, you've got to decrypt, which means handling the SSL cert first.
The only other option would be to process something in the CLIENT_ACCEPTED event, and there's no redirection there.
Maybe something like this would work (haven't tried this):

when CLIENT_ACCEPTED {
   SSL::disable
   pool myPool
}
Where myPool would have the new domain's server as a pool member, but that's still not going to change the domain that the browser asked for. So, you'd likely get an SSL cert error when it did connect to the new server anyway.
So unfortunately, I don't think there's a way to do this.
Denny
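
The certificate name check that both replies run into, as an added Python example that is not part of the original thread and not F5 code: a simplified sketch (DNS names only) of how a client compares the names in the presented certificate with the host it requested, which happens before any HTTP redirect can be read. The certificate name lists are constructed sample data and the function names are hypothetical.

```python
# Added illustration: simplified RFC 6125-style host name check (DNS names only).

def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate DNS name covers the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Only a whole leftmost label may be a wildcard, and never on a
        # two-label name such as "*.com".
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    # Anything else (including partial wildcards) is compared literally.
    return p_labels == h_labels


def cert_covers(san_dns_names, host) -> bool:
    """True if any DNS name in the certificate covers the host."""
    return any(name_matches(name, host) for name in san_dns_names)


def client_outcome(san_dns_names, requested_host) -> str:
    """What the client does with the certificate, before HTTP is exchanged."""
    if cert_covers(san_dns_names, requested_host):
        return "handshake accepted, HTTP redirect can be delivered"
    return "name mismatch warning shown before any redirect"


REQUESTED = "junk.domain.com"  # host from the hardcoded URL in the thread
CANDIDATE_CERTS = {  # constructed sample certificates (DNS names only)
    "unrelated existing profile": ["www.example.net"],
    "cert for the new site only": ["realjunk.domain.com"],
    "cert for junk.domain.com": ["junk.domain.com"],
    "wildcard cert": ["*.domain.com"],
}


def evaluate_all():
    """Map each candidate certificate to whether it covers REQUESTED."""
    return {label: cert_covers(names, REQUESTED)
            for label, names in CANDIDATE_CERTS.items()}


if __name__ == "__main__":
    for label, names in CANDIDATE_CERTS.items():
        print(f"{label:30s} -> {client_outcome(names, REQUESTED)}")
```

Only the last two certificates pass, which matches the two options named in the thread: a certificate for junk.domain.com or one for *.domain.com.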
