Forum Discussion
CSA
Nimbostratus
Feb 17, 2009
Redirections HTTP to HTTPS (for login) to HTTP (for usage)
Hello all,
We use BigIPs for many applications used over a WAN. Our WAN has some boxes to compress/accelerate HTTP traffic, but they can't do it with HTTPS. We don't want to send the login/password in clear text over the network, so we want to use HTTPS for this.
So we would like to use the BigIPs like this:
- if someone uses http (and is not logged in), redirect him to https
- each time someone has to authenticate, https is compulsory.
- once the authentication is done, use HTTP
What is the best way to do this?
Is it this one:
- irule to redirect http to https when the application shows the login page (it shows it each time the user wants to load a protected page: this is handled by the application itself)
- irule to redirect https to http when it's not the login page (meaning the user is already authenticated from an application point of view)
Is there a smarter way? Is it ok or the BigIP session mechanism?
And second question: some applications just change the content to ask for the credentials, but the page name can be anything: is it possible to check in the content of the page for some strings and are the resources used to do this acceptable?
Thanks !
--
LB
6 Replies
- The_Bhattman
Nimbostratus
We ran into this very issue several years ago. This is where we did not want to spend the extra $$ for a module on the BIGIP. The problem we encountered was that the BIGIP didn't know when a client had successfully logged in. So we decided that once the login page successfully authorized, the client is redirected over to HTTP.
So yes we found a solution, but it wasn't a bigip solution.
As for your second question, if you are referring to monitoring, then you can monitor for strings in a page, which is a common technique to use.
Hope that helps
CB
- qcontinuum00_74
Nimbostratus
Hello Bhattman,
I would sincerely appreciate if you could please post how you implemented the solution. We have exactly the same situation posted by LB.
Regards,
qcontinuum
- The_Bhattman
Nimbostratus
Our core application design team had a Siteminder license which allowed them to authenticate via HTTPS but then redirected them over to HTTP.
Bhattman
- Raj_Zucre_Ramir
Nimbostratus
Guys,
I have similar issues, we have created a HTTPS health monitor and we are using the username and password to login onto the server. However, we can only use a corporate domain account with the COMPANY\username prefix. We would like to use a local server username and password to validate. Is this possible?
Thanks!
- Raj_Zucre_Ramir
Nimbostratus
Just to add:
SOL5483: Testing an HTTPS Monitor with user authentication from the command line
https://support.f5.com/kb/en-us/solutions/public/5000/400/sol5483.html?sr=10763589
HTTPS Monitor definitions will appear similar to the following example:
monitor ssl_test {
type https
use "https"
interval 5
timeout 16
dest *:*
send "GET /testpage.asp HTTP/1.0\nAuthorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk\n"
recv "matchthis"
username "testuser" <-----< missing company\
password "testpassword"
}
Here's another SOL, but it needs APM, which we don't have:
SOL11446: Overview of HTTP authentication
https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11446.html?sr=10763589
Hope to hear your ideas. Thanks!
- hoolio
Cirrostratus
Hi Raj,
Can you change the send string to include the domain\ as part of the base64 encoded user:pass and remove the username and password field values from the monitor definition?
Send string:
GET /testpage.asp HTTP/1.0\r\nAuthorization: Basic RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA==\r\n\r\n
where RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA== is the base64 encoding of DOMAIN\testuser:testpassword
Also, here is a solution related to the \r\n's at the end of the send string:
SOL10655: Change in Behavior: CR/LF characters appended to the HTTP monitor Send string
http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10655.html
Aaron
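
The send-string approach from the reply above, as an added example (not code from the thread or from F5): a Python helper that builds the send string with the domain folded into the Basic credential, and decodes an existing send string to check which identity a monitor actually presents. The function names are hypothetical; the credentials are the placeholder values already used in the thread.

```python
import base64
import re


def basic_token(user, password, domain=None):
    """Return the base64 token for an HTTP Basic Authorization header."""
    # RFC 7617: the user-id part must not contain ':' (the password may).
    if ":" in user or (domain and ":" in domain):
        raise ValueError("user-id must not contain ':'")
    ident = f"{domain}\\{user}" if domain else user
    return base64.b64encode(f"{ident}:{password}".encode("utf-8")).decode("ascii")


def monitor_send_string(path, user, password, domain=None):
    """Build the send string with literal \\r\\n escapes, as typed into the monitor."""
    token = basic_token(user, password, domain)
    return f"GET {path} HTTP/1.0\\r\\nAuthorization: Basic {token}\\r\\n\\r\\n"


def decode_send_string(send):
    """Recover (domain, user, password) from a send string's Basic header."""
    m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)", send)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    ident, _, password = raw.partition(":")    # split on the first ':' only
    domain, sep, user = ident.rpartition("\\")  # DOMAIN\user, if a domain is present
    return (domain if sep else None, user, password)


if __name__ == "__main__":
    # Placeholder values from the thread, not real credentials.
    print(monitor_send_string("/testpage.asp", "testuser", "testpassword", "DOMAIN"))
    print(decode_send_string(
        r"GET /testpage.asp HTTP/1.0\nAuthorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk\n"))
```

Since the token decodes this easily, a monitor definition carrying it holds the password in recoverable form and should be access-controlled like any other stored credential.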
