Forum Discussion
george_burtz_31
Nimbostratus
Feb 02, 2005
requiring client SSL based on URI
Question about writing an iRule for v 903.
Our developers have created a web app that is listed as www.domain.com/folder. When you hit that site, IIS does a redirect to www.domain.com/secure-folder where the application lives.
We want to use the LTM to offload the SSL processing from the server. I also want to use the LTM to do the redirects - that seems to work OK w/ a basic iRule.
I can't get the SSL to work based on the URI /secure-folder. Is that possible? Anyone have an idea how to do this?
2 Replies
- rapmaster_c_127
Historic F5 Account
Have you tried setting up two virtual servers, one on port 80 using profile http, and tcp, and the other using profile http, clientssl and tcp and using a rule?
Something like
virtual http-www.example.com {
   destination 192.168.1.1:80
   ip protocol tcp
   profile http tcp oneconnect
   pool non-secure
   rule redir
}
virtual https-www.example.com {
   destination 192.168.1.1:443
   ip protocol tcp
   profile myclientssl tcp
   pool secure
}
rule redir {
   when HTTP_REQUEST {
      if {[HTTP::uri] starts_with "/folder"} {
         HTTP::redirect "https://www.example.com/secure-folder"
      }
   }
}
This should work ok based on what you've described. What are the failure symptoms you're seeing?
Also, quick thing to check: are you sure that /secure-folder URI shouldn't be /secure-folder/ ? If the back end server issues a 3xx redirect, it's likely sending your client to an http://node url again. If that's the case, you can easily solve this by associating your ssl virtual with a new http profile and enabling the redirect rewrite matching parameter on it.
- george_burtz_31
Nimbostratus
Thanks!!!! Adding the trailing / on the redirect did it. The original problem was that when the redirect happened, the SSL was not working. Here's the actual config in the box now.
The 2 V-servers
virtual TEST-V-SERVER-LACR {
   destination 50.1.1.11:http
   ip protocol tcp
   profile https-redirect-test tcp
   pool TEST-POOL-11
   rule lacr-secure-redirect
}
virtual TEST-V-SERVER-LACR-SECURE {
   destination 50.1.1.11:https
   ip protocol tcp
   profile landamcredit.com tcp
   pool TEST-POOL-11
}
The iRule...
rule lacr-secure-redirect {
   when HTTP_REQUEST {
      if { [HTTP::uri] ends_with "/credit" } {
         HTTP::redirect "https://www.lacr.com/credit-secured/"
         log local0. "Connect from IP [IP::remote_addr] destined for [HTTP::uri] redirected to secured site"
      }
   }
}
You referred to a command "redirect rewrite matching". That is not enabled now. How would that relate to this kind of situation?
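The case the redirect rewrite setting in the first reply is aimed at, written out as an iRule for the HTTPS virtual server (which also needs an http profile). This is an added example, not code from either poster or from F5; it assumes the matching mode rewrites only redirects that point back at the requested path with a trailing slash added, and the variable names req_host and req_path are made up.

```tcl
# Added example, not from the thread. Attach to the HTTPS virtual server.
when HTTP_REQUEST {
    # Save what the client asked for so the response event can compare to it.
    set req_host [string tolower [HTTP::host]]
    set req_path [HTTP::path]
}

when HTTP_RESPONSE {
    # Only 3xx responses carry a Location header worth checking.
    if { ![HTTP::is_redirect] } { return }
    set loc [HTTP::header value Location]

    # The downgrade case: the server only sees plain HTTP behind the LTM,
    # so its directory redirect (/path -> /path/) is built as http://...
    set bad "http://${req_host}${req_path}/"
    if { [string tolower $loc] eq [string tolower $bad] } {
        # Keep the server's host and path as sent, swap only the scheme
        # ("http://" is 7 characters long).
        set fixed "https://[string range $loc 7 end]"
        HTTP::header replace Location $fixed
        log local0. "Rewrote redirect $loc to $fixed for [IP::client_addr]"
    }
}
```

Redirects to any other host or path pass through untouched, so an intentional redirect to a plain-HTTP site is not altered.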