For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jason_LaRocque_'s avatar
Jason_LaRocque_
Icon for Nimbostratus rankNimbostratus
Jan 10, 2008

On 302 to client, ensure TCP port is 443, if not, make it 443

Greetings-

 

We have a security product that can run SSL, but we've offloaded SSL at BIGIP. When we request an object that requrires authentication, a forms based login is sent back to the client over SSL. On the POST and authentication, a 302 is sent back to the client with the absolute location of where the request was intended. The absolute URL is based on the protocol the security product understands - which is HTTP as SSL if offloaded. We have several solutions in the pipe. Our tactical solution was to use an iRule to look for a 302 status on HTTP response, ensure TCP port is 443, if not, make it 443. Any ideas?

 

 

Thanks!!

 

Jason
application delivery
dev
devops
iRules

4 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 10, 2008
    Hello,

     

     

    You should be able rewrite 302 redirects to HTTPS without an iRule by enabling 'rewrite redirects' on the HTTP profile of the VIP. For more info on this, try searching askf5.com for 'rewrite redirects'.

     

     

    Else, if you want to use a rule, try searching the forum for "rewrite 302". Here is one example which shows how to rewrite the Location header and/or references to HTTP in the content: (Click here).

     

     

    Reply if you have any questions...

     

     

    Aaron
  • Jason_LaRocque_'s avatar
    Jason_LaRocque_
    Icon for Nimbostratus rankNimbostratus
    Jan 10, 2008
    Thanks Aaron-

     

    Question: Using the profile approach seems the most simple, but it appears the BIG IP version needs to be 9.4 (we're at 9.2.5). Am I correct?

     

     

    Thanks again!!

     

    Jason
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 10, 2008
    I'm pretty sure redirect rewrites has been an option since 9.x was released. HTTP classes were added for LTM in 9.4, but that's not what I was referring to.

     

     

    SOL6912 has steps to enable the HTTP profile option (Click here).

     

     

    Aaron
  • Jason_LaRocque_'s avatar
    Jason_LaRocque_
    Icon for Nimbostratus rankNimbostratus
    Jan 10, 2008
    Thanks everyone. I've landed on using the profile as it seems intrinsically more efficient than an iRule. I did use information from the forum on creating an iRule for this situation, here's what works:

     

     

    when HTTP_RESPONSE {

     

    if {[HTTP::status] starts_with "3"}{

     

    HTTP::header replace Location [string map {http: https:} [HTTP::header value Location]]

     

    }

     

    }

     

     

    Again, thanks for your help!!

     

    Jason
Related Content