iRule to rewrite payload to HTTPS
Hi, I'm working on making a website secure - the site is pretty archaic and has hard coded references to objects under http:// paths. I need to rewrite the payload so any http:// references become https://.
I've tried two different methods for doing this:
The first one was to use the STREAM function.
when HTTP_RESPONSE {
    # $manipulate is assumed to be set earlier (e.g. in HTTP_REQUEST); that part is not shown here
    if { !$manipulate } {
        return
    }
    if { [HTTP::is_redirect] } {
        HTTP::header replace Location [string map { "http://" "https://" } [HTTP::header Location]]
    }
    STREAM::disable
    # Apply stream profile against text responses from the application
    if { [HTTP::header value Content-Type] contains "text" } {
        # Look for http:// and replace it with https://
        STREAM::expression {@http://@https://@}
        # Enable the stream profile
        STREAM::enable
    }
}
This pretty much worked, but I noticed that each time the URL fired, it didn't modify the content length. This meant the below HTML:
http://www.google.com
http://www.bbc.co.uk
http://www.google.com
http://www.bbc.co.uk
http://www.google.com
http://www.bbc.co.uk
http://www.google.com
9876543210
...correctly had each link amended to https://www.google.com, but ended at 9876 and lost the remaining numbers (i.e., one character was removed for each substitution).
A colleague then suggested I try the HTTP Payload replace function - this seemed to work pretty well on basic HTML (i.e., my google/bbc page above loaded perfectly), although it seemed to balk at more complicated pages (i.e., large JSPs). I have an error in ltm:
May 25 13:19:43 longgos-dc-comm-lb-bip-02a err tmm1[21928]: 01220001:3: TCL error: /Nova/stream_development3 - Out of bounds (line 1) invoked from within "HTTP::payload replace 0 $content_length $newdata "
I believe this may be due to the fact our content is encoded as UTF-8 - there is a caveat on the Wiki page for HTTP::payload:
Note that the argument will be interpreted as a byte array. If it is actually a UTF-8 string with multibyte characters, the output will not be what you expect. In order to prepare a UTF-8 string for use as input to HTTP::payload replace, you should first run 'binary scan c* throwawayvariable'.
But I don't know where to put this directive. Regardless of whether I put it in the HTTP_REQUEST, HTTP_RESPONSE or HTTP_RESPONSE_DATA sections, all connections to my VIP fail.
Has anyone had any success implementing this sort of iRule?
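For comparison, here is a variant of the HTTP::payload approach, added as an example and not the rule from the post, that sizes the replace on the bytes actually collected rather than on the advertised Content-Length (the value in the "Out of bounds" error) and places the binary scan step the wiki note describes directly before the replace. It assumes uncompressed text responses; the 1 MB cap used when no Content-Length header is present is a constructed value, not an F5 default.

```tcl
# Added example, not the original poster's rule.
# Rewrites http:// to https:// in text responses via HTTP::collect /
# HTTP::payload replace, letting TMM recompute Content-Length.

when HTTP_REQUEST {
    # Ask the server for an uncompressed body: a gzip payload would never
    # contain a literal "http://", so the rewrite would silently do nothing.
    HTTP::header remove Accept-Encoding
}

when HTTP_RESPONSE {
    # Only buffer text responses; images and other binaries pass through.
    if { ![string match -nocase "text/*" [HTTP::header value Content-Type]] } {
        return
    }
    # Collect the whole body. Chunked responses carry no Content-Length, so
    # fall back to a constructed cap (1 MB here) rather than collecting nothing.
    if { [HTTP::header exists Content-Length] } {
        set clen [HTTP::header Content-Length]
    } else {
        set clen 1048576
    }
    if { $clen > 0 } {
        HTTP::collect $clen
    }
}

when HTTP_RESPONSE_DATA {
    # Size the replace on what was really collected, not the header value:
    # if fewer bytes arrived than advertised, the header-based length is
    # out of bounds, which matches the error quoted in the post.
    set collected [HTTP::payload length]
    set newdata [string map { "http://" "https://" } [HTTP::payload]]
    # Per the HTTP::payload wiki caveat: force a byte-array representation
    # of the UTF-8 string before handing it to HTTP::payload replace.
    binary scan $newdata c* discard
    HTTP::payload replace 0 $collected $newdata
    HTTP::release
}
```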