For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

chells2_241915's avatar
chells2_241915
Icon for Nimbostratus rankNimbostratus
Feb 08, 2016

Redirect URL to different hostname after SSL offloading

Hi,   I have a doubt on how to configure irules such that it will redirect the https://website1.com/acd URL to http://website.com/acd   SSL offloading is done for the URL https://website1.com i...
application delivery
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Feb 08, 2016

It depends on what you're redirecting to and why. Let's start with a simple example where you own both sites, under a single domain (ex. web1.domain.com, web2.domain.com) and either of the applications deploys domain cookies. A redirect from the HTTPS to HTTP site will potentially transmit that (session) cookie in the clear to the HTTP site. I'm assuming chells2 isn't simply redirecting to some external non-affiliated site (ex. Google), but rather some other site within the larger organization, or affiliate organization. In which case you should be very worried about what information is available in the clear and how an attacker can take advantage of that unencrypted channel. It probably begs some clarification of intentions, but I see this use case far more often than I'd hope.