Forum Discussion
DaveC_53879
Nimbostratus
May 29, 2012
Marking server traffic secure
Hi, we have a pretty typical setup; most sites on the F5 support SSL between the client and the F5, and some enforce SSL, but traffic between the F5 and the servers is not secure. Is there a way to mark the request sent to the server as secure so that it knows that the traffic is secure? Our developers have asked for this so that they can change the response behavior for http vs. https requests. Thanks in advance, again.
DaveC
7 Replies
- George_Watkins_
Historic F5 Account
Hi DaveC,
You can use a Stream profile to replace instances of http://mysite.com with https://mysite.com in the HTTP response. There is an example of this functionality under the "Examples" section of the STREAM::expression wiki page. Hope that helps,
-George
- DaveC_53879
Nimbostratus
Hi George,
Thanks for the response. I don't think I want to replace http with https because I only support http to the server. The developer ideally would like to insert a new header, something like the x-forwarded-for header, to have some way for the site/app to know the connection to the client is secure. I already know absolutely if the connection is secure because the VS it goes through only supports https to the client. I'm not sure what to even ask for, let alone how to do it.
Dave
- Brian_69413
Nimbostratus
This is what we do on the HTTP and HTTPS virtuals respectively:
when HTTP_REQUEST {
    # HTTP virtual server: mark the request as plain http
    if { [HTTP::header exists "HTTP_X_FORWARDED_PROTO"] } {
        HTTP::header replace "HTTP_X_FORWARDED_PROTO" "http"
    } else {
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "http"
    }
}
when HTTP_REQUEST {
    # HTTPS virtual server: mark the request as https
    if { [HTTP::header exists "HTTP_X_FORWARDED_PROTO"] } {
        HTTP::header replace "HTTP_X_FORWARDED_PROTO" "https"
    } else {
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "https"
    }
}
- Brian_69413
Nimbostratus
That looks nasty, sorry. For the HTTPS virtual:
when HTTP_REQUEST {
    if { [HTTP::header exists "HTTP_X_FORWARDED_PROTO"] } {
        HTTP::header replace "HTTP_X_FORWARDED_PROTO" "https"
    } else {
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "https"
    }
}
- Brian_69413
Nimbostratus
For the HTTP virtual:
when HTTP_REQUEST {
    if { [HTTP::header exists "HTTP_X_FORWARDED_PROTO"] } {
        HTTP::header replace "HTTP_X_FORWARDED_PROTO" "http"
    } else {
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "http"
    }
}
- DaveC_53879
Nimbostratus
I figured it out. It was really pretty easy. Just needed the time to think and investigate it. The rule below works correctly. Thanks for all the responses.
when HTTP_REQUEST {
    HTTP::header insert IsSecureConnection True
}
- hoolio
Cirrostratus
You could also do this with a custom HTTP profile:
ltm profile http IsSecureConnection_http {
    defaults-from http
    header-erase IsSecureConnection
    header-insert "IsSecureConnection: True"
    insert-xforwarded-for enabled
}
Aaron
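An added example, not part of any reply in this thread: the profile above erases IsSecureConnection before inserting it, and the iRule below does the same for both header names used in the thread, so a copy of the header sent by the client never reaches the server. It is written to be attached to both virtual servers and assumes the HTTPS one has a client SSL profile, which `PROFILE::exists clientssl` detects.

```tcl
# Added example, not code from the thread.
# Assumption: the HTTPS virtual server has a client SSL profile; the HTTP one does not.
when HTTP_REQUEST {
    # Remove every copy of the marker headers that arrived from the client,
    # so the server only ever sees values set by the BIG-IP.
    HTTP::header remove "IsSecureConnection"
    HTTP::header remove "HTTP_X_FORWARDED_PROTO"

    if { [PROFILE::exists clientssl] == 1 } {
        # Client side of this virtual server is TLS.
        HTTP::header insert "IsSecureConnection" "True"
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "https"
    } else {
        # Plain HTTP virtual server: no IsSecureConnection header at all.
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "http"
    }
}
```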
