Forum Discussion
Redirect http client to https on same non-default port
I have a customer request of which I'm unsure whether it can be done at all or not:
I have a virtual https server on a BigIP running 10.2.0HF2. The virtual server is not running on port 443, but on non-default port 12345, balancing on a pool of development servers (plain http, SSL handling done by BigIP). Now, the customer requests a redirect from http to https in case the developers mistype http://some.site.net:12345 instead of https://some.site.net:12345
The problem is: you'll have to use an iRule event which is triggered very early during the transaction (e.g. CLIENT_CONNECTED or RULE_INIT), but I'm not sure how to make the iRule realize that there is a plain HTTP request following WITHOUT prior SSL handshake and then issue a SSL::DISABLE followed by an HTTP::REDIRECT...
Any ideas on that? Many thanks in advance!
Martin
14 Replies
- nitass
Employee
Can you clarify what doesn't work in v11?

Sorry to confuse. It is 10.2.3. Client never got redirection. I do not think the iRule logic is wrong. Maybe there is some change in 10.2.3. What do you think?

[root@ve1023:Active] config b rule myrule list
rule myrule {
   when HTTP_REQUEST {
      log local0. "\[SSL::cipher version\]: [SSL::cipher version]"
      log local0. "\[catch {SSL::cipher version} result\]: [catch {SSL::cipher version} result]"
      log local0. "\$result: $result"
      if {$result equals "None"}{
         log local0. "\$result is None"
         HTTP::redirect "https://[HTTP::host][HTTP::uri]"
      } else {
         log local0. "\$result is not None"
      }
   }
}

curl -I http://172.28.65.152:443/
...nothing...

[root@ve1023:Active] config ssldump -Aed -nni 0.0 port 443
New TCP connection 1: 172.28.19.253(38400) <-> 172.28.65.152(443)
1321331913.0099 (0.0030) C>S
---------------------------------------------------------------
HEAD / HTTP/1.1
User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8r zlib/1.2.3 libidn/0.6.5
Host: 172.28.65.152:443
Accept: */*
---------------------------------------------------------------

[root@ve1023:Active] config cat /var/log/ltm
Nov 14 20:38:29 local/tmm notice tmm[4766]: 013e0001:5: Tcpdump starting bcast on :::0 from 127.1.1.1:40426
Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : [SSL::cipher version]: None
Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : [catch {SSL::cipher version} result]: 0
Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : $result: None
Nov 14 20:38:33 local/tmm info tmm[4766]: Rule myrule : $result is None
Nov 14 20:41:59 local/tmm notice tmm[4766]: 013e0002:5: Tcpdump stopping on 127.1.1.2:1441 from 127.1.1.1:40426
- hoolio
Cirrostratus
Hey Nitass,
The redirect didn't work in 10.2.3 due to BZ372985.
Aaron
- nitass
Employee
Thanks Aaron!
- TejasTh_307036
Nimbostratus
I have the same requirement: if the user tries the URL with HTTPS, there is no change in the URL. If the user tries to access with HTTP, it should redirect to HTTPS. I am also using non-standard port URLs.
https://abc.com:8888 ==> no change
http://abc.com:8888 ==> redirect to https://abc.com:8888
1) I have created an SSL client profile that allows non-SSL connections (you need to modify the default config)
2) I have created a VIP on port 8888 that uses the SSL client profile
3) Configure the iRule below
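when HTTP_REQUEST {
    # Redirect only when the protocol parsed from the request URI is plain http
    if { [URI::protocol [HTTP::uri]] eq "http" } {
        # Keep the host name without its port and re-append the port the client connected to
        HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
    }
}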
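A client-side check for the behaviour requested in this thread, added here as an example and not taken from any of the posts: given the plain-HTTP request URL and the status and Location header the virtual server answered with, it reports whether the redirect upgrades to https while keeping the same host, the same non-default port and the same path. The function name and the sample responses are constructed for illustration; the host and port are the ones from the original question.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def check_upgrade_redirect(request_url, status, location):
    """Return a list of problems with an http->https redirect (empty list = OK)."""
    if status not in REDIRECT_CODES:
        return [f"status {status} is not a redirect"]
    if not location:
        return ["redirect has no Location header"]

    req, loc = urlsplit(request_url), urlsplit(location)
    problems = []
    if loc.scheme != "https":
        problems.append(f"scheme is {loc.scheme or 'missing'}, expected https")
    if (loc.hostname or "") != (req.hostname or ""):
        problems.append(f"host changed from {req.hostname} to {loc.hostname}")
    # A Location without an explicit port sends the client to 443, which is
    # not where the non-default-port virtual server listens.
    req_port = req.port or 80
    loc_port = loc.port or (443 if loc.scheme == "https" else 80)
    if loc_port != req_port:
        problems.append(f"port changed from {req_port} to {loc_port}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("path or query not preserved")
    return problems

# Constructed sample responses to the mistyped URL from the question.
REQUEST = "http://some.site.net:12345/app/login?next=%2Fhome"
SAMPLES = {
    "same port kept": (302, "https://some.site.net:12345/app/login?next=%2Fhome"),
    "port dropped": (302, "https://some.site.net/app/login?next=%2Fhome"),
    "no redirect sent": (200, None),
}

def run_samples():
    """Evaluate every constructed sample and return {name: problems}."""
    return {name: check_upgrade_redirect(REQUEST, status, location)
            for name, (status, location) in SAMPLES.items()}

if __name__ == "__main__":
    for name, problems in run_samples().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```
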