Forum Discussion

Jason_Miller_40
Nov 01, 2005

Post Method Redirect

I have a question pertaining to HTTP POST method redirection. I support an application that the client connects to via HTTPS, but the client sends HTTP form POSTs back to the server. The connection does not connect back because we only allow HTTPS through the F5. Is there anything that I can do in an iRule to send a reply back to the client to issue an HTTPS POST instead? I have read in a couple of places on the net that HTTP 1.1 specifically denies HTTP POST redirection unless it is requested by the client issuing the HTTP POST. Is this correct? The RFC touched on this, but I did not see anywhere that says "HTTP Posts are not allowed to be redirected" LOL Sometimes I need Crayola to write me directions.

Thank you in advance,

Jason
  • Martin_Machacek
    Historic F5 Account
    Jason,

    I have to disappoint you. iRules in v4.x unfortunately do not provide any mechanism for modifying server responses.

    The root cause of your problem is most likely an absolute reference (URI containing protocol and server) in the HTML code (e.g. in a form action attribute) that makes the client issue the POST requests. The best way to fix the problem is to fix the web application. I understand that this may not be an option :-(.

    BIG-IP v9.x may come to the rescue because it allows (almost) arbitrary manipulation of server responses. You may be able to use this feature to remove the offending absolute reference (or replace it with an https://... equivalent) from the page that triggers the POST.

    AFAICT, there is nothing in RFC 2616 (HTTP/1.1) that would explicitly forbid redirection of POST requests. However, redirection of POST requests simply does not work because the client (browser) won't resend the body of the POST after receiving the 302 or 301 response. It simply issues a GET request to the URI returned in the "Location" header of the redirect response. BTW, the BIG-IP v4.x "redirect to" statement always generates a 302 response.

    As a side note: if confidentiality of data is your concern, then you must prevent the POST request from being sent over HTTP in the first place. Redirecting it after the fact is too late because at that point sensitive data have already been transmitted without encryption.
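
Added example, not part of the original thread or F5's code: a Python sketch of the check and fix the reply describes, finding form actions that are absolute `http://` references and rewriting only those to `https://`. The function names, the sample page and the host `app.example.com` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser


class FormActionAudit(HTMLParser):
    """Collect <form> action URLs that are absolute http:// references."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        action = dict(attrs).get("action") or ""
        if action.strip().lower().startswith("http://"):
            self.insecure.append(action)


def find_insecure_form_actions(html):
    """Return every form action that would send the POST in cleartext."""
    audit = FormActionAudit()
    audit.feed(html)
    return audit.insecure


# Regex rewrite is a simplification: it assumes no '>' inside attribute values.
_FORM_TAG = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
_ACTION_HTTP = re.compile(r"""((?<![\w-])action\s*=\s*["']?\s*)http://""", re.IGNORECASE)


def rewrite_form_actions(html):
    """Change http:// to https:// in form action attributes only."""
    return _FORM_TAG.sub(
        lambda m: _ACTION_HTTP.sub(r"\g<1>https://", m.group(0)), html)


# Constructed sample page; app.example.com is a placeholder host.
SAMPLE_PAGE = """<html><body>
<a href="http://www.example.com/help">Help</a>
<form method="post" action="http://app.example.com/login"><input name="pw"></form>
<FORM METHOD="POST" ACTION='http://app.example.com/update'></FORM>
<form method="post" action="/relative/is/fine"></form>
</body></html>"""

if __name__ == "__main__":
    print("before:", find_insecure_form_actions(SAMPLE_PAGE))
    print("after: ", find_insecure_form_actions(rewrite_form_actions(SAMPLE_PAGE)))
```

Running the audit against pages as served is a way to confirm that no form can trigger a cleartext POST before relying on any redirect.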