Forum Discussion
andyr0ck_5031
Nimbostratus
NimbostratusSelective SSL rewrite by hostname
Hi,
I'm running a Blackboard e-learning system with SSL offload using a simple rewrite rule to only encrypt text/html (due to problems with binary formats) and I need to also exclude any traffic from a certain domain from that rewrite as it looks like the rewrite is causing issues.
Would I change the existing rewrite iRule or write another seperate rule to do the other check?
Here's the exisisting rule:
when HTTP_RESPONSE {
HTTP::header remove "Pragma"
if { [HTTP::header Content-Type] contains "text/html;charset=UTF-8" } {
STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@"
}
}
Cheers,
Andy Rock
HamishCirrocumulus
What do you mean problems with binary formats? Is only encrypting the text/html going to be sufficient for privacy?
andyr0ck_5031Certain content types aren't rendering properly in IE (namely SCORM content with Flash zipped up) and that rewrite was suggested to me by another sys admin. Security-wise, I wouldn't have thought this was _too_ bad as the traffic worth snooping is encrypted.- HamishTo answer your original question, it's six of one, half dozen of the other with regards to whether you should rewrite the existing iRule, or create another... Personally, I try & keep a set of generic rules, and only when necessary create specific ones for doing things like re-writing.
However I see what you're doing (Altering content within the stream, I understand now why you're having problems with binary) I prefer not to rewrite references within the body if at all possible (I know, sometimes it just isn't).
On the other hand, most browsers will complain if you're running mixed Secure/NonSecure content on the same page (Or should do). - andyr0ck_5031yeah, browsers are complaining a little. on the whole, though, the nag box is a lesser evil so we're going with it.
- andyr0ck_5031this is the rule i came up with (my TCL is awful!) but i get syntax errors:
when HTTP_RESPONSE {
HTTP::header remove "Pragma"
if { [HTTP::header Content-Type] contains "text/html;charset=UTF-8" and [IP::addr [IP::remote_addr] not_equals 208.57.158.0/255.255.255.0 ] } {
STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@"
}
}
can anybody help with this? have i got the logic completely wrong? 
hoolioCirrostratus
It would be good to disable the stream filter by default and then enable it for specific responses. This ensures that the stream filter isn't applied on subsequent HTTP responses on the same TCP connection.
I'm not sure if you're trying to check the client IP address or the server IP address. IP::remote_addr in a serverside event context (like HTTP_RESPONSE) will return the server IP. If you want to check the client IP, you can use IP::client_addr (in any context).when HTTP_RESPONSE { Remove the Pragma header HTTP::header remove "Pragma" Disable the stream filter by default if { [HTTP::header Content-Type] contains {text/html;charset=UTF-8} and not ([IP::addr [IP::remote_addr] equals 208.57.158.0/255.255.255.0]) } { Set a stream expression STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@" Enable the stream profile for this response STREAM::enable } }
Aaron- andyr0ck_5031Thanks, Aaron. Yes, it's the client IP we're after. The problem wasn't with this rule, it was with a 'catch-all' rule we had listening on the insecure port to redirect all traffic to the SSL port. Turnitin seems to require to connect on 80 then renegotiate to 443. I hashed together this out of your code:
when HTTP_REQUEST {
Remove the Pragma header
HTTP::header remove "Pragma"
if { ([IP::addr [IP::client_addr] equals 208.57.158.0/255.255.255.0]) } {
} else { HTTP::redirect https://[HTTP::host][HTTP::uri]
}
}
cheers,
Andy