For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

iamcejiro_16285's avatar
iamcejiro_16285
Icon for Nimbostratus rankNimbostratus
May 02, 2017

Redirect HTTPS to HTTP

Hi,

 

Can I ask for a configuration guide on how I can redirect https traffic to http?

 

I have 1 VS on port 443 but back-end server is running on port 80.

 

Do I need to create another VS for redirection? Can anyone help to verify if below rule is correct?

 

when HTTP_REQUEST { HTTP::redirect http://[getfield [HTTP::host] ":" 1][HTTP::uri]

 

Also, when we try to telnet the VS using PC on the same network (telnet 10.2.x.x 443) it wont go through.

 

Below is the VS config:

 

ltm virtual VS_FuelCareer {
    address-status yes
    app-service none
auth none
auto-lasthop default
bwc-policy none
clone-pools none
cmp-enabled yes
connection-limit 0
description none
destination 10.2.x.x:https
enabled
fallback-persistence none
flow-eviction-policy none
gtm-score 0
ip-intelligence-policy none
ip-protocol tcp
last-hop-pool none
mask x.x.x.x
metadata none
mirror disabled
mobile-app-tunnel disabled
nat64 disabled
partition Common
per-flow-request-access-policy none
persist none
policies none
pool FuelCareer
profiles {
    Fuel_Career {
        context clientside
    }
    http {
        context all
    }
    tcp {
        context all
    }
}
rate-class none
rate-limit disabled
rate-limit-dst-mask 0
rate-limit-mode object
rate-limit-src-mask 0
related-rules none
rules none
security-log-profiles {
    "Log all requests"
}
service-down-immediate-action none
service-policy none
source 0.0.0.0/0
source-address-translation {
    pool none
    type none
}
source-port preserve
syn-cookie-status not-activated
traffic-classes none
translate-address enabled
translate-port disabled
urldb-feed-policy none
vlans none
vlans-disabled
vs-index 4

`Code`

Thanks!

 

iRules
LTM
security

3 Replies

  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    May 02, 2017

    You don't need another VS. The VS running on port 443, needs a clientside ssl profile. And your configuration shows that you have one called 

    Fuel_Career
    . Since you don't have a serverside ssl profile attached, SSL will be offloaded. However, you need to enable 
    translate-port
    , since there needs to be a translation from 443, to 80.

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    May 03, 2017

    You need to set up another virtual server, say, VS_FuelCareer_80, on the same virtual IP address but on port 80, and apply that irule to it.

     

  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus
    May 03, 2017

    OK I see. There seems to be a confusion about the meaning of "redirect" here, which I see often here at my workplace as well. :-(

     

    When we say "redirect", it usually means "HTTP redirect" in the context of using HTTP protocol directives. In your case, you probably mean to "pass/forward traffic from F5 to a backend application server", and what you need, as far as F5 is concerned, is really SSL-Offloading.

     

    You will need to remove the irule from the virtual server.

     

    You will most likely also need to configure "Source Address Translation" to "SNAT automap".