Forum Discussion

Martin_Kaiser_1
May 18, 2011

Redirect http client to https on same non-default port

Hi guys,

I have a customer request, and I'm unsure whether it can be done at all:

I have a virtual https server on a BigIP running 10.2.0HF2. The virtual server is not running on port 443, but on non-default port 12345, balancing on a pool of development servers (plain http, SSL handling done by BigIP). Now, the customer requests a redirect from http to https in case the developers mistype http://some.site.net:12345 instead of https://some.site.net:12345.

The problem is: you'll have to use an iRule event which is triggered very early during the transaction (e.g. CLIENT_CONNECTED or RULE_INIT), but I'm not sure how to make the iRule realize that there is a plain HTTP request following WITHOUT prior SSL handshake and then issue an SSL::DISABLE followed by an HTTP::REDIRECT...

Any ideas on that? Many thanks in advance!

Martin

14 Replies

  • Can you clarify what doesn't work in v11? Sorry to confuse. It is 10.2.3. The client never got the redirection. I do not think the iRule logic is wrong. Maybe there is some change in 10.2.3. What do you think?

    [root@ve1023:Active] config  b rule myrule list
    rule myrule {
       when HTTP_REQUEST {
            log local0. "\[SSL::cipher version\]: [SSL::cipher version]"
            log local0. "\[catch {SSL::cipher version} result\]: [catch {SSL::cipher version} result]"
            log local0. "\$result: $result"
    
            if {$result equals "None"}{
                    log local0. "\$result is None"
                    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
            } else {
                    log local0. "\$result is not None"
            }
    }
    }
    
     curl -I http://172.28.65.152:443/
    ...nothing...
    
    [root@ve1023:Active] config  ssldump -Aed -nni 0.0 port 443
    New TCP connection 1: 172.28.19.253(38400) <-> 172.28.65.152(443)
    1321331913.0099 (0.0030)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8r zlib/1.2.3 libidn/0.6.5
    Host: 172.28.65.152:443
    Accept: */*
    ---------------------------------------------------------------
    
    [root@ve1023:Active] config  cat /var/log/ltm
    Nov 14 20:38:29 local/tmm notice tmm[4766]: 013e0001:5: Tcpdump starting bcast on :::0 from 127.1.1.1:40426
    Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : [SSL::cipher version]: None
    Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : [catch {SSL::cipher version} result]: 0
    Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : $result: None
    Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : $result is None
    Nov 14 20:41:59 local/tmm notice tmm[4766]: 013e0002:5: Tcpdump stopping on 127.1.1.2:1441 from 127.1.1.1:40426
    
    
  • Hey Nitass,

    The redirect didn't work in 10.2.3 due to BZ372985.

    Aaron
  • I have the same requirement: if the user tries the URL with HTTPS, there is no change in the URL. If the user tries to access it with HTTP, it should redirect to https. I am also using non-standard port URLs.

    https://abc.com:8888 ==> no change

    http://abc.com:8888 ==> redirect to https://abc.com:8888

    1) I have created an SSL Client profile allowing Non-SSL Connections (you need to modify the default config)

    2) I have created a VIP on port 8888 and used the SSL client profile

    3) Configure the iRule below

    when HTTP_REQUEST {
        if { [URI::protocol [HTTP::uri]] eq "http" } {
            # Redirect to https on the same host and the virtual server's own port, keeping the URI
            HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
        }
    }
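
An added illustration (not from any post in this thread and not BIG-IP code) of the two decisions discussed above: telling a plaintext HTTP request from a TLS handshake by its first bytes, and building the redirect to https on the same listener port. The function names, the sample requests and the Host validation rule are assumptions of this example.

```python
import re

# Constructed sample inputs (not captured traffic).
PLAIN = b"HEAD / HTTP/1.1\r\nHost: some.site.net:12345\r\nAccept: */*\r\n\r\n"
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")  # first bytes of a TLS ClientHello

_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
# Hostname, IPv4 address or bracketed IPv6 literal, with an optional :port.
_HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::\d{1,5})?")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a client sends."""
    # A TLS handshake record starts with content type 0x16 and major version 3.
    # (SSLv2-format hellos are not covered by this example.)
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    return "http" if data.startswith(_METHODS) else "unknown"


def https_redirect_location(request: bytes, listen_port: int):
    """Location for a plaintext request, or None if it must not be redirected."""
    if classify_first_bytes(request) != "http":
        return None
    lines = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    target = parts[1]
    # Control characters in the target would allow header injection via Location.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return None
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
    match = _HOST_RE.fullmatch(hosts[0]) if len(hosts) == 1 else None
    if match is None:
        return None  # missing, duplicated or malformed Host is never echoed back
    # Use the port the listener accepted on, not the one the client claimed;
    # omit it only when it is the https default.
    port = "" if listen_port == 443 else f":{listen_port}"
    return f"https://{match.group(1)}{port}{target}"
```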