Forum Discussion
Only login will be https and everything else http
I'm unable to find the F5 config to meet the requirements below:
- Only the landing page will be https
- Once the user logs in to the landing page, every other url will be http (80) only

As an example, you are on the test.com home page, which will force to https://test.com. After you log in, click any url, which will be http only, let's say http://test.com/contact
I'm unable to find any config to meet above requirements. Please help. Thank you.
5 Replies
- ekaleido
Cirrus
Pardon the aside, but why would you ever NOT want to utilize https?
- zafarabu_194078
Nimbostratus
Well current app without the F5 has been configured that way so they like to meet the same requirements with F5 configuration but eventually they will move to https sooner or later.
- ekaleido
Cirrus
```tcl
when HTTP_REQUEST {
    # Anything other than the landing page is bounced back to plain HTTP
    if { [HTTP::uri] ne "/" } {
        HTTP::redirect "http://[HTTP::host][HTTP::uri]"
    }
}
```
- Kevin_Stewart
Employee
To add to ekaleido's comments, this is the absolute worst thing you can do. At the very least you're breaking rule 2 in the OWASP Top 10: Broken Authentication and Session Management: https://www.owasp.org/index.php/Top_10_2013-Top_10, not to mention putting an easy target on your head for several other vulnerabilities, including XSS and XSRF.
It's probably fair to say that your application, once authenticated, will pass a token to the user, or in some other way maintain a session, and that data will be exposed in cleartext traffic after switching back to HTTP. Please don't do this. Industry best practice suggests that if you have anything on your site worth protecting, you should protect the whole thing.
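As an added example, not code supplied by any poster in this thread, here is the "protect the whole thing" approach Kevin recommends written as iRules. It assumes a port-80 and a port-443 virtual server for the same hostname, and the HSTS max-age is an example value.

```tcl
# iRule 1: attach to the port-80 virtual server. Every cleartext request,
# landing page or not, is sent to its HTTPS equivalent, so no session
# token ever travels over HTTP.
when HTTP_REQUEST {
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
}

# iRule 2: attach to the port-443 virtual server. Marks every cookie the
# application sets as Secure (the browser will then refuse to send it over
# HTTP even if a cleartext link slips through) and adds HSTS so the browser
# stops issuing HTTP requests to this host at all. The one-year max-age is
# an example value; pick one that fits your rollout.
when HTTP_RESPONSE {
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
    }
    HTTP::header insert "Strict-Transport-Security" "max-age=31536000"
}
```

Each `when` block is a separate iRule on the BIG-IP; they are shown together here only for reading.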