Forum Discussion
Otto_Kretzer_68
Nimbostratus
Feb 02, 2006
Redirect Needed.. please help
I'm not a programmer, but here is what I understand is the problem: F5 support say I need an iRule and directed me to this site. I hope my explanation makes sense; here is what is happening
...
Feb 07, 2006
Earnie, can you explain exactly what you mean when you are referring to "changing the scheme"? If the BIG-IP is terminating an SSL connection and sending clear HTTP to the backend server, the process goes like this:
1. Client establishes an HTTPS connection which the BIG-IP intercepts.
2. This is sent over port 443 (unless specifically configured otherwise).
3. The BIG-IP decrypts the GET/POST request.
4. BIG-IP opens an HTTP connection to the backend server on port 80.
5. The BIG-IP sends a new GET/POST request to the backend server.
6. The unencrypted data is sent to the backend server.
At no point is the protocol scheme "https or http" sent as part of the HTTP request. That is implied in the connection port and how the client and server negotiate over that port. So, BIG-IP can't make the server think it's getting SSL when it's not.
But, if you are asking whether the BIG-IP can re-encrypt the data to your backend server, then the answer is yes. By adding a serverssl profile to your virtual server, the BIG-IP can decrypt the incoming connection and then re-encrypt it to your server. But this would defeat the purpose of utilizing BIG-IP to offload the decryption.
I'm not quite sure exactly where your issue is. Typically, in SSL offloaded situations like this, a common issue is that the backend server embeds fully qualified URLs in the response payload (i.e. http://server/path) instead of relative URLs (i.e. /path). Relative URLs fix themselves as the browser will match them to the current host:port. Fully qualified URLs are another story. If the client is connecting through a virtual setup for HTTPS but the server is returning a payload that contains an HTTP link, then the link won't make it back to the server. In this case, you have a couple of options.
1. Use a stream profile (v9.2) to convert "http://server" to "https://server" in your responses. Here's a good forum thread on the stream profile:
http://devcentral.f5.com/Default.aspx?tabid=28&view=topic&forumid=5&postid=5097
2. Create an iRule to do 1 (1 is more optimal though).
3. Create an HTTP Virtual that redirects to the HTTPS counterpart (this is probably your last option, as it will require many round trips, causing an unfavorable user experience).
Hope this helps...
-Joe
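
A sketch of how options 1 and 2 above can be combined in a single iRule, added here as an illustration and not part of Joe's post. It assumes an HTTP profile and a stream profile are attached to the HTTPS virtual server, a BIG-IP version whose iRules provide the `STREAM::` commands, and that `server` is the placeholder hostname used in the post.

```tcl
# Added illustration, not code from the original thread.
# Assumptions: HTTP and stream profiles are attached to the HTTPS virtual
# server; "server" is the placeholder hostname from the post above.

when HTTP_REQUEST {
    # Never rewrite data sent by the client.
    STREAM::disable

    # Ask the backend for uncompressed responses; the stream filter can
    # only match plain text, not gzip/deflate-encoded bodies.
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    # A redirect carries its absolute URL in the Location header rather
    # than in the body, so that header is rewritten separately.
    if { [HTTP::header exists "Location"] } {
        HTTP::header replace "Location" \
            [string map {"http://server" "https://server"} \
                [HTTP::header value "Location"]]
    }

    # Rewrite fully qualified links only in text/* bodies (HTML, CSS, ...);
    # images and other binary content pass through untouched.
    if { [HTTP::header value "Content-Type"] starts_with "text/" } {
        STREAM::expression {@http://server@https://server@}
        STREAM::enable
    }
}
```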
