Forum Discussion
CSA
Nimbostratus
Feb 17, 2009
Redirections HTTP to HTTPS (for login) to HTTP (for usage)
Hello all,
We use BigIPs for many applications used over a WAN. Our WAN has some boxes to compress/accelerate HTTP traffic, but they can't do it with HTTPS. We don't want to send the login/password in clear text over the network, so we want to use HTTPS for this.
So we would like to use the BigIPs like this:
- if someone uses http (and is not logged in), redirect him to https
- each time someone has to authenticate, https is compulsory.
- once the authentication is done, use HTTP
What is the best way to do this?
Is it this one:
- irule to redirect http to https when the application shows the login page (it shows it each time the user wants to load a protected page: this is handled by the application itself)
- irule to redirect https to http when it's not the login page (meaning the user is already authenticated from an application point of view)
Is there a smarter way? Is it ok or the BigIP session mechanism?
And second question: some applications just change the content to ask for the credentials, but the page name can be anything: is it possible to check in the content of the page for some strings, and are the resources used to do this acceptable?
Thanks !
--
LB
6 Replies
- The_Bhattman
Nimbostratus
We ran into this very issue several years ago. This is where we did not want to spend the extra $$ for a module on the BIGIP. The problem we encountered was that the BIGIP didn't know when a client had successfully logged in. So we decided that once the login page successfully authorized, the client is redirected over to HTTP.
So yes, we found a solution, but it wasn't a bigip solution.
As for your second question, if you are referring to monitoring, then you can monitor for strings in a page, which is a common technique to use.
Hope that helps
CB
- qcontinuum00_74
Nimbostratus
Hello Bhattman,
I would sincerely appreciate it if you could please post how you implemented the solution. We have exactly the same situation posted by LB.
Regards,
qcontinuum
- The_Bhattman
Nimbostratus
Our core application design team had a Siteminder license which allowed them to authenticate via HTTPS but then redirected them over to HTTP.
Bhattman
- Raj_Zucre_Ramir
Nimbostratus
Guys,
I have similar issues, we have created a HTTPS health monitor and we are using the username and password to log in to the server. However, we can only use a corporate domain account with the COMPANY\username prefix. We would like to use a local server username and password to validate. Is this possible?
Thanks!
- Raj_Zucre_Ramir
Nimbostratus
Just to add:
SOL5483: Testing an HTTPS Monitor with user authentication from the command line
https://support.f5.com/kb/en-us/solutions/public/5000/400/sol5483.html?sr=10763589
HTTPS Monitor definitions will appear similar to the following example:
monitor ssl_test {
    type https
    use "https"
    interval 5
    timeout 16
    dest *:*
    send "GET /testpage.asp HTTP/1.0\nAuthorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk\n"
    recv "matchthis"
    username "testuser" <-----< missing company\
    password "testpassword"
}
Here's another SOL, but it needs APM, which we don't have:
SOL11446: Overview of HTTP authentication
https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11446.html?sr=10763589
Hope to hear your ideas. Thanks!
- hoolio
Cirrostratus
Hi Raj,
Can you change the send string to include the domain\ as part of the base64 encoded user:pass and remove the username and password field values from the monitor definition?
Send string:
GET /testpage.asp HTTP/1.0\r\nAuthorization: Basic RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA==\r\n\r\n
where RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA== is the base64 encoding of DOMAIN\testuser:testpassword
Also, here is a solution related to the \r\n's at the end of the send string:
SOL10655: Change in Behavior: CR/LF characters appended to the HTTP monitor Send string
http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10655.html
Aaron
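Added example (not part of the original thread or of F5's documentation): building and auditing the Basic token and send string discussed in the reply above. The function names are hypothetical, and the credentials are the sample values already used in this thread.

```python
import base64


def basic_token(user, password, domain=""):
    """Return the base64 token for an 'Authorization: Basic' header."""
    account = f"{domain}\\{user}" if domain else user
    # "DOMAIN\testuser" typed without escaping the backslash turns "\t" into a
    # TAB, which encodes cleanly but never matches the real account name.
    if any(ord(c) < 0x20 for c in account + password):
        raise ValueError("control character in credentials (unescaped backslash?)")
    if ":" in account:
        raise ValueError("account name must not contain ':'")
    return base64.b64encode(f"{account}:{password}".encode("utf-8")).decode("ascii")


def monitor_send_string(path, token):
    """Send string in the form shown above; the backslash escapes stay literal
    because the monitor definition, not Python, interprets them."""
    return f"GET {path} HTTP/1.0\\r\\nAuthorization: Basic {token}\\r\\n\\r\\n"


def decode_token(token):
    """Decode a token to (domain, user, password) to audit an existing monitor.

    Base64 is an encoding, not encryption: anyone who can read the monitor
    definition or the traffic can do this, which is why the monitor type is
    https and why a dedicated low-privilege account is the sensible choice.
    """
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    account, _, password = raw.partition(":")
    domain, sep, user = account.rpartition("\\")
    return (domain if sep else "", user, password)


if __name__ == "__main__":
    token = basic_token("testuser", "testpassword", domain="DOMAIN")
    print(monitor_send_string("/testpage.asp", token))
    # The token from the original monitor definition carries no domain prefix.
    print(decode_token("dGVzdHVzZXI6dGVzdHBhc3N3b3Jk"))
```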
