
Yugandhar
Aug 13, 2018

Redirect HTTP Traffic to HTTPS on a Nonstandard Port.

Hi,

 

Could you please help with this requirement:

 

Traffic to http or http://test7883.com:80 has to be forwarded to https://test7883.com:8900

 

HTTP::redirect "https://[getfield [HTTP::host] : 1][HTTP::uri]"

 

Suppose the HTTPS VIP is configured on a nonstandard port, say 8900. Can the above redirect statement then forward the traffic to https://test7883.com:8900, as the command [getfield [HTTP::host] : 1] would extract only test7883.com but not the port number?

 

Thanks,

 

Yugandhar.

 

6 Replies

  • You can't run http and https on the same ports (8900).

    Update: I stand corrected, looks like it can be done,

     when CLIENT_ACCEPTED { 
        # Set a variable to track whether this is an HTTPS request 
        set https 0 
     } 
     when CLIENTSSL_HANDSHAKE { 
        # There was a client side SSL handshake, so update the variable 
        set https 1 
     } 
     when HTTP_REQUEST { 
        # If it's not an HTTPS connection, send a redirect 
        if {not ($https)}{ 
           HTTP::redirect https://[getfield [HTTP::host] : 1][HTTP::uri]
        } 
     } 
    
  • So something like below I feel,

     when CLIENT_ACCEPTED { 
        # Set a variable to track whether this is an HTTPS request 
        set https 0 
     } 
     when CLIENTSSL_HANDSHAKE { 
        # There was a client side SSL handshake, so update the variable 
        set https 1 
     } 
     when HTTP_REQUEST { 
        # If it's not an HTTPS connection, send a redirect 
        if {not ($https)}{ 
           HTTP::redirect https://[getfield [HTTP::host] : 1]:8900[HTTP::uri]
        } 
     } 
    
  • Instead of creating 3 VIPs, only one VIP (443) is enough to redirect the connection.

     

    The above iRule is correct, but the iRule alone will not solve the issue. You need to enable non-SSL connections on the SSL profile.

     

    Follow the link

     

    • Yugandhar

      Thank you .. if we apply the iRule

       

      HTTP::redirect "https://[getfield [HTTP::host] : 1][HTTP::uri]"

       

      on the HTTP VIP, will this redirect the traffic to https://test7883.com:8900?

       

      Here we have an HTTP VIP on port 8900 and an HTTPS VIP running on a nonstandard port (8900). So traffic coming to the HTTP VIP, i.e. http://test7883.com:8900, should be forwarded to the HTTPS VIP, i.e. https://test7883.com:8900, which accepts HTTPS connections on port 8900.
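
The redirect discussed in this thread, written out as an added example (not code from any poster): because getfield drops everything after the first colon, the port has to be written into the Location explicitly, and since the Host header is client-supplied the redirect is only issued for the expected name. Assumptions: the hostname test7883.com and port 8900 come from the question, the static variable names are hypothetical, and the virtual server's client SSL profile allows non-SSL connections as the reply above describes.

```tcl
when RULE_INIT {
    # Assumed values, taken from the question in this thread
    set static::redirect_host "test7883.com"
    set static::https_port 8900
}
when CLIENT_ACCEPTED {
    # Track whether this connection completed a client-side SSL handshake
    set https 0
}
when CLIENTSSL_HANDSHAKE {
    set https 1
}
when HTTP_REQUEST {
    # Already HTTPS: nothing to redirect
    if { $https } { return }

    # getfield keeps only the text before the first ":", so any port the
    # client sent (":80", ":8900") is dropped here. A missing Host header or
    # an IPv6 literal such as "[::1]" will not match the expected name below.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    if { $host eq $static::redirect_host } {
        # The port must be written into the Location explicitly
        HTTP::redirect "https://${host}:${static::https_port}[HTTP::uri]"
    } else {
        # The Host header is client-supplied; do not reflect an unexpected
        # value into a Location header
        HTTP::respond 400 content "Bad Request" Connection close
    }
}
```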