Forum Discussion
joelvs_45274
Nimbostratus
Nimbostratusredirects before ssl on an ssl virtual server
I have a developer that has requested a redirect for his SSL protected site. I have tried multiple things with irules and not had any success.
The scenario is that we have a site https://www.xyz.com. The certificate was generated for www.xyz.com. However, users are hitting the site via https://xyz.com. Being as the www isn't in the hostname and error comes up that the cert doesn't match the hostname.
On the http virtual server, I added an iRule that redirects to www.xyz.com if the www doesn't exist. On the https virtual server, the certificate error comes up prior to it getting to the redirect. If I accept the certificate manually, it will redirect me to https://www.xyz.com
Is there a way to make the redirect happen before the ssl certificate is provided? The other option I had thought of is to use the iRule to enable ssl after the redirection, but I haven't been able to make that work successfully either.
Any suggestions would be greatly appreciated. I have done quite a bit with iRules, but am not an expert by any stretch of the imagination.
Kevin_Sanders_5I am also very interested in this. Let me know if you figure it out.
We have clients hit our main site https://www.xyz.com by several names but marketing folks do not expect them to type in https (nor do they put it in the ads). I simply point external DNS to a "redirector" address. Much like your http://xyz.com, it redirects any incoming host requests to https://www.xyz.com. From there the server reads the original url (somehow) and redirects to a virtual url under the https host. (eg. if the other domain is www.abc.com, the DNS for www.abc.com points to my redirector VIP and that redirects to https://www.xyz.com. The server replies as https://www.xyz.com/abc).
This doesn't cover if someone types in https://xyz.com or https://www.abc.com.
I guess this work-around would kind of cheat the whole certificate buying process as you could have multiple domains with a single cert but it's got to be possible to redirect before the SSL handshake.I guess this work-around would kind of cheat the whole certificate buying process as you could have multiple domains with a single cert but it's got to be possible to redirect before the SSL handshake.
That's the crux of the issue. If the data is encrypted, you must un-encrypt it before you can do anything else. To un-encrypt it, you must go through the SSL handshake, which is based off of a key, built for a specific host name. It's very much a chicken and egg situation, unfortunately. There's no way to issue an HTTP redirect into a still encrypted data stream, but by the time you decrypt the transaction so you CAN send the redirect, the error will have already occurred if it's going to.
This isn't a BIG-IP or iRules issue, this is something inherent in the protocol.
Colin
hoolioCirrostratus
Assuming you're administratively able to, you can actually get a single cert which is valid for www.abc.com, abc.com and even xyz.com using subject alternate names (SANs). (Click here) for details. As Colin notes, you cannot read or modify the HTTP content encrypted within the HTTPS.
Aaron
