Forum Discussion
4 Replies
- Max_Q_factorCirrocumulus
If the virtual servers are on the same port it may be tricky. If I had to do this I would start with this article that Colin wrote that talks about how use an iRule to scan for SSL/TLS data and go from there:
Multiple Certs, One VIP: TLS Server Name Indication via iRules
- nitassEmployee
I would like to reach both http://abc.com:1234/bla/foo & https://abc.com:1234/bla/foo (The SSL client profile should be on the LTM).
there is allow-non-ssl setting in clientssl profile. anyway, i do not think it is a good idea.
allow-non-ssl Enables or disables non-SSL connections. Specify enabled to allow non-SSL connections to pass through the traffic management system as clear text.
- TejasTh_307036Nimbostratus
I have the same requirement, if user try the URL with HTTPS, no change in URL. If user try to access with HTTP, should redirect to https, I am also using non-standard port URLS.
https://abc.com:8888 ==> no change
http://abc.com:8888 ==> redicet to https://abc.com:8888
With below config its perfectly working fine.
I have created SSL Client profile with allowing Non-SSL Connections ( You need to modify default config) I have created VIP with 8888 port and use SSL client profile Configure below iRule
when HTTP_REQUEST {
if { [URI::protocol [HTTP::uri]] eq "http" } {
HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
}
- svsCirrus
This iRule cannot work as described. HTTP::uri only contains the URI, which means only the part after the host within the URL. There will never be a scheme, which may be processed by URI::protocol. In the F5 docs the word URI is often mixed up with URL, which is just wrong. So in the docs for URI::protocol it needs "uri" as parameter, but in the exmaples URLs are given in a list. HTTP::uri will not work here.
I've did some tests in my lab (TMOS 13.1.x) to proove this behavior, because I needed this behavior. I came up with the following iRule:
when CLIENT_ACCEPTED { set DEBUG 1 set ConnectionProtocol "http" } when CLIENTSSL_HANDSHAKE { set ConnectionProtocol "https" } when HTTP_REQUEST { if { $ConnectionProtocol eq "http" } { if {$DEBUG} {log local0. "Redirecting non-SSL connection (Check: $ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri] to HTTPS."} HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri] } else { if {$DEBUG} {log local0. "SSL connection ($ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri]. No action required."} } }
This works perfectly for me.
Cheers,
svs