Forum Discussion
NimbostratusRediect http to https on a non-standard port when LTM has the SSL Client profile
Hi there,
how can i get HTTP and HTTPS work for the same URL that uses a non-standard port and LTM has the client SSL profile?
For example, I would like to reach both http://abc.com:1234/bla/foo & https://abc.com:1234/bla/foo (The SSL client profile should be on the LTM).
Thanks
4 Replies
Max_Q_factorCirrocumulus
If the virtual servers are on the same port it may be tricky. If I had to do this I would start with this article that Colin wrote that talks about how use an iRule to scan for SSL/TLS data and go from there:
Multiple Certs, One VIP: TLS Server Name Indication via iRules
- nitass
Employee
I would like to reach both http://abc.com:1234/bla/foo & https://abc.com:1234/bla/foo (The SSL client profile should be on the LTM).
there is allow-non-ssl setting in clientssl profile. anyway, i do not think it is a good idea.
allow-non-ssl Enables or disables non-SSL connections. Specify enabled to allow non-SSL connections to pass through the traffic management system as clear text. 
TejasTh_307036I have the same requirement, if user try the URL with HTTPS, no change in URL. If user try to access with HTTP, should redirect to https, I am also using non-standard port URLS.
https://abc.com:8888 ==> no change
http://abc.com:8888 ==> redicet to https://abc.com:8888
With below config its perfectly working fine.
I have created SSL Client profile with allowing Non-SSL Connections ( You need to modify default config) I have created VIP with 8888 port and use SSL client profile Configure below iRule
when HTTP_REQUEST {
if { [URI::protocol [HTTP::uri]] eq "http" } {
HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
}}
- svs
Cirrostratus
This iRule cannot work as described. HTTP::uri only contains the URI, which means only the part after the host within the URL. There will never be a scheme, which may be processed by URI::protocol. In the F5 docs the word URI is often mixed up with URL, which is just wrong. So in the docs for URI::protocol it needs "uri" as parameter, but in the exmaples URLs are given in a list. HTTP::uri will not work here.
I've did some tests in my lab (TMOS 13.1.x) to proove this behavior, because I needed this behavior. I came up with the following iRule:
when CLIENT_ACCEPTED { set DEBUG 1 set ConnectionProtocol "http" } when CLIENTSSL_HANDSHAKE { set ConnectionProtocol "https" } when HTTP_REQUEST { if { $ConnectionProtocol eq "http" } { if {$DEBUG} {log local0. "Redirecting non-SSL connection (Check: $ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri] to HTTPS."} HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri] } else { if {$DEBUG} {log local0. "SSL connection ($ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri]. No action required."} } }This works perfectly for me.
Cheers,
svs
