Forum Discussion
Rewrite http to https
Hi Everyone,
Is this possible through an iRule or anything with F5:
Two VS: 1. vs_443 2. vs_80
VS: 1. vs_443 is used to redirect traffic to vs_80 2. vs_80 contains pool running in port 80
Access right now: When the user enters on his URL it will be redirected to and the user will see on his URL link ""
Is it possible for the user to see https? I mean, when the user enters on his URL, he will be redirected to vs_80 but what he will see on his URL is "https"?
7 Replies
- Kevin_Stewart
Employee
I guess I'd first ask why you need an HTTP (vs_80) VIP at all. If you want the user to do HTTPS and the servers are on port 80 HTTP, then it's a simple SSL offload VIP with port translation enabled.
- Kevin_Stewart
Employee
we have an issue for port 443 on those servers
Can you elaborate?
Are you saying that the servers (pool members) cannot do HTTPS 443? They don't have to.
Or are you saying that the servers need to be behind an HTTP 80 VIP because it doesn't appear to work through an HTTPS 443 VIP?
- Kevin_Stewart
Employee
Okay, so I think we're talking about the first thing - the server listening on HTTP 80. So that's what I was talking about in my first response. With a client SSL profile applied to the HTTPS 443 VIP, port translation enabled on the VIP, and a pool of servers listening on HTTP port 80, you're essentially offloading the HTTPS SSL at the VIP and doing HTTP 80 from the F5 to the servers. You don't need a separate port 80 VIP.
client -> port 443 -> BIG-IP -> port 80 -> server
- Kevin_Stewart
Employee
The absolute bare minimum for this to work is:
- A standard VIP listening on port 443
- Client SSL profile
- A pool that defines your servers listening on port 80 (HTTP)
If you have all of that, then you have to start looking at and questioning other things:
1. From the BIG-IP shell, can you access the HTTP servers with cURL?
   curl -v http://[server IP]
2. From the client's perspective, does it fail completely or do you see some of the content?
3. If you watch network traffic, do you see anything on the server side of the BIG-IP (BIG-IP to server)?
4. In the above cURL request, do you get an immediate 30x redirect?
- Kevin_Stewart
Employee
For question number 3, you need to be in the BIG-IP shell to do a tcpdump capture:
tcpdump -lnni 0.0 host 172.16.2.190
Test it again. Do you see traffic coming from the BIG-IP to the server? If so, how is the server responding?
Do your servers have a route to the client's subnet without going through the BIG-IP? If so, you'll also need a SNAT profile (SNAT Automap preferred) applied to the VIP.
- Kevin_Stewart
Employee
Makes no difference. You have a standard VIP listening on port 443 with a client SSL profile to offload the client side SSL, port translation enabled by default, and a pool of servers on basically any port you want. The server port number has no bearing on the BIG-IP's ability to pass traffic, other than it being an actual listening port on the server.
- Kevin_Stewart
Employee
will this also work?
Absolutely. HTTPS only defaults to port 443, but you can put SSL on any port.
So it probably doesn't matter now since you have it working, but the fix (creating a port 80 redirect VIP) implies that something was trying (and failing) to access the application on HTTP port 80. If you were to do a client side capture with a tool like Fiddler or HTTPWatch, you'd likely see the browser attempting to access some http:// URL. And it would likely be doing that because of some response immediately preceding that request.
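The client-side check described in the last reply, as an added example that is not part of the original thread: it walks a capture in request order and, for each plain http:// request, names the earlier HTTPS response (a Location header or an absolute link in the body) that sent the browser there. The capture format, host name and paths are constructed for illustration; a real capture would be exported from a tool such as Fiddler.

```python
import re
from urllib.parse import urlsplit

# Constructed client-side capture (host name and paths are made up), in request order.
# Status 0 marks a request that never got an answer (nothing listening on port 80).
CAPTURE = [
    {"url": "https://app.example.test/", "status": 302,
     "headers": {"Location": "http://app.example.test/login"}, "body": ""},
    {"url": "http://app.example.test/login", "status": 0, "headers": {}, "body": ""},
    {"url": "https://app.example.test/home", "status": 200,
     "headers": {"Content-Type": "text/html"},
     "body": '<link href="http://app.example.test/site.css" rel="stylesheet">'
             '<a href="/about">About</a>'},
    {"url": "http://app.example.test/site.css", "status": 0, "headers": {}, "body": ""},
]

# Absolute plain-HTTP URLs in common HTML attributes; relative links are scheme-safe.
ABSOLUTE_HTTP = re.compile(r'''(?:href|src|action)\s*=\s*["'](http://[^"']+)''', re.I)


def http_references(entry):
    """Return (cause, url) pairs for every plain-HTTP URL a response hands to the client."""
    refs = []
    for name, value in entry["headers"].items():
        if name.lower() == "location" and value.lower().startswith("http://"):
            refs.append(("Location header", value))
    refs += [("absolute link in body", u) for u in ABSOLUTE_HTTP.findall(entry["body"])]
    return refs


def explain_http_requests(capture):
    """For each http:// request, find the closest earlier HTTPS response that referenced it."""
    findings = []
    for i, entry in enumerate(capture):
        if urlsplit(entry["url"]).scheme != "http":
            continue
        cause = ("not referenced by an earlier response", None)
        for j in range(i - 1, -1, -1):
            hit = [c for c, u in http_references(capture[j]) if u == entry["url"]]
            if hit and urlsplit(capture[j]["url"]).scheme == "https":
                cause = (hit[0], capture[j]["url"])
                break
        findings.append((entry["url"], *cause))
    return findings


if __name__ == "__main__":
    for url, cause, source in explain_http_requests(CAPTURE):
        print(f"{url}\n  caused by: {cause} in response to {source}")
```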