Is HTTP to HTTPS redirection Secure?

Hi Jinshu,

 

To limit Man in the Middle attack on HTTP traffic, you can enable "HTTP Strict Transport Security"

 

This is a new feature in version 12.0 but you can enable it with an irule on previous version:

 

https://devcentral.f5.com/articles/implementing-http-strict-transport-security-in-irules

 

This feature tell the browser to always request HTTPS instead of HTTP even if the user entered http://www.company.com.

 

In this case, the browser will automatically request https://www.company.com for every new requests until HSTS Max-age expires.

 

Thanks Stanislas,

I have done this with below Irule on 11.5.3 version.

On HTTPS url,

  when HTTP_RESPONSE {
    HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
}

On http url

when HTTP_REQUEST {
set my_loc "https://[HTTP::host][HTTP::uri]"
TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
TCP::close
}

-Jinshu

Use HTTP::respond instead of TCP::respond in HTTP_REQUEST irule

when HTTP_REQUEST { 
    HTTP::respond 301 noserver Location https://[getfield [HTTP::host] ":" 1][HTTP::uri] Connection close Content-Length 0
}

Perhaps a seemingly trivial distinction, but "forwarding" is not the same as "redirection".

 

HTTP Redirection is accomplished by having the server (or a proxy device like the BIG-IP) issue a 301 or 302 response. The client then makes a new request based on the location specified by the redirect directive.

 

Forwarding means that the original request is honored and maintained, but the destination is manipulated in some way by the proxy device.

 

By the way, any particular reason you're using

TCP::respond

instead of the more common

HTTP::respond

?

Using the latter the rule would look like this (some optimization added by removing the variable):

when HTTP_REQUEST {
     HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}