Forum Discussion

damian_19221's avatar
damian_19221
Icon for Nimbostratus rankNimbostratus
May 25, 2017

iRule to rewrite payload to HTTPS

Hi, I'm working on making a website secure - the site is pretty archaic and has hard coded references to objects under http:// paths. I need to rewrite the payload so any "; references become ";.

I've tried two different methods for doing this:

The first one was to use the STREAM function.

when HTTP_RESPONSE {

if { !$manipulate } {
    return }

  if { [HTTP::is_redirect] } {
        HTTP::header replace Location [string map { "http://" "https://" } [HTTP::header Location]]
    }
STREAM::disable
    Apply stream profile against text responses from the application
   if { [HTTP::header value Content-Type] contains "text" }{

       Look for http:// and replace it with https://
      STREAM::expression {@http://@https://@}

       Enable the stream profile
      STREAM::enable
   }
}

This pretty much worked, but I noticed that each time the URL fired, it didn't modify the content length. This meant the below HTML:

http://www.google.com
http://www.bbc.co.uk 
http://www.google.com
http://www.bbc.co.uk 
http://www.google.com
http://www.bbc.co.uk 
http://www.google.com
9876543210

...correctly had each link amended to https://www.google.com, but ended at 9876 and lost the remaining numbers (ie, one character was removed for each subsitution).

A colleague then suggested I tried the HTTP Payload replace function - this seemed to work pretty well on basic HTML (ie, my google/bbc page above loaded perfectly), although it seemed to balk at more complicated pages (ie, large JSPs). I have an error in ltm:

May 25 13:19:43 longgos-dc-comm-lb-bip-02a err tmm1[21928]: 01220001:3: TCL error: /Nova/stream_development3 - Out of bounds (line 1) invoked from within "HTTP::payload replace 0 $content_length $newdata "

I believe this may be due to the fact our content is encoded as UTF-8 - there is a caveat on the Wiki page for HTTP::payload:

Note that the argument will be interpreted as a byte array. If it is actually a UTF-8 string with multibyte characters, the output will not be what you expect. In order to prepare a UTF-8 string for use as input to HTTP::payload replace, you should first run 'binary scan c* throwawayvariable'.

But I don't know where to put this directive. Regardless of whether I put it in the HTTP_REQUST, HTTP_RESPONSE or HTTP_RESPONSE_DATA sections, all connections to my VIP fail.

Has anyone had any success implementing this sort of irule?

application delivery
BIG-IP
irule
LTM
payload
security
ssl
stream
  • Anesh's avatar
    Anesh
    Icon for Cirrostratus rankCirrostratus
    May 25, 2017

    With regards to your first option, is stream disabled in the request, like below:

    when HTTP_REQUEST {
 Disable the stream filter for client requests
STREAM::disable
}