Forum Discussion

Antonio_Varni's avatar
Antonio_Varni
Icon for Nimbostratus rankNimbostratus
May 09, 2008

rewrite server redirect back to client to HTTPS _if_ the original client request was also HTTPS

Strange that I need to write an iRule to do this (I'd think this would be a fairly common need) - but I have a webapp that I want to migrate over to SSL using the LTM. While we get our CA certs pushed out to our clients - we need to support people using this webapp both over HTTP and HTTPS. Without help from the LTM people browsing to this webapp originally as https:// will get kicked out back to HTTP as the webapp issues HTTP redirects.

 

 

This is the iRule I've written to accomplish this (LTM v9.2.3):

 

 

 

---

 

rewrite redirects to HTTP back to HTTPS if the connection was HTTPS originally

 

 

when HTTP_REQUEST {

 

collect variables

 

set vip_port [TCP::local_port]

 

}

 

 

when HTTP_RESPONSE {

 

if { [HTTP::is_redirect] and $vip_port == 443 and [HTTP::header exists Location]} {

 

set location [HTTP::header Location]

 

if {$location starts_with "http://"} {

 

set newlocation "https://[substr $location 7 ";"]"

 

log local0.info "rewriting ssl server to client Location redirect from $location to $newlocation"

 

HTTP::header replace Location $newlocation

 

}

 

 

}

 

}

 

---

 

 

... and this seems to work fine. Is there a better / simpler method to accomplishing the above though? Any optimizations? I searched the 'CodeShare' list of commonly used iRules and didn't see anything that had this behavior.

 

 

 

TIA!
dev
devops
iControl

1 Reply

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    May 09, 2008
    I've seen a few people doing something similar, but that's a pretty clean example. I'd make a couple of small changes, though

     

     

    1. You can avoid extra overhead by getting rid of un-needed variables, such as $location, $vip_port and $newlocation.

     

    2. You can use the HTTP::host command to carry over the requested hostname and HTTP::uri for the uri, instead of using the substr command.

     

    3. By using the appropriate TCP command in the right context, you can skip the HTTP_REQUEST event code all together.

     

     

    The updated rule would look like:

     

     

      
  when HTTP_RESPONSE {  
    if { [HTTP::is_redirect] and ([TCP::server_port] == 443) and ([HTTP::header Location] starts_with "http://")} {  
      log local0.info "rewriting ssl server to client Location redirect from [HTTP::header Location] to https://[HTTP::host][HTTP::uri]"  
      HTTP::header replace Location https://[HTTP::host][HTTP::uri]  
    }  
  }

     

     

    HTH,

     

    Colin