Forum Discussion
csyvenky_18355
Nimbostratus
Mar 08, 2010
SSL only some of the time, non-SSL for the rest
Production Ver: BIG-IP 9.4.6 Build 401.0 Final
The issue(s): IE6 prompts users "this page contains both secure and nonsecure items" if they have browsed from SITE1 to SUBSITE1 then back to SITE1 pages in that order. Further to this some of the SharePoint CMS capabilities will fail if authors try to use the text editor if they have entered the authoring session via this same pattern.
The goal: We would like to have the LTM device direct users to an SSL session if they intend to use SUBSITE1, but, direct them to a non-SSL session if they want to use anything else.
Today's Setup:
=========================
Virtual Servers
=========================
Name        Port
Site_443    443
Site_80     80
The vast majority of traffic uses the Site_80 Virtual Server. That is unless they try to access SUBSITE1, at which point they get redirected via the 'subsite1_ssl' iRule. Of course this iRule simply redirects the browser to an SSL session. At this point all traffic would be using the Site_443 Virtual Server.
====================================
Staging - 'subsite1_ssl' iRule
====================================
when HTTP_REQUEST {
    # Case-insensitive prefix match on the request URI; matching requests are sent to HTTPS.
    if { [string tolower [HTTP::uri]] starts_with "/subsite1/folder" } {
        HTTP::redirect "https://site1.fqdn.com[HTTP::uri]"
    }
}
We tried to solve this with reverse logic. Basically stated what we had tried was to add the opposite logic to this on the port 443 Virtual Server. Therefore, if a user is going to SUBSITE1 insist SSL (443), if they are going anywhere else insist non-SSL (80). Sounds easy, right?
What we found when this was implemented was that these rules seem to conflict with each other to the point where endless loops could be entered. In the time we had to troubleshoot, we figured this was because the CMS system presents page resources via different techniques (that we don't really have control over). Some resources have hard-wired references to http://site1/// and others are relational to the current position.
- csyvenky_18355
Nimbostratus
Thanks Aaron. I will review those other posts. This switching is not related to authentication. We simply have an Intranet at http://site1 and a subsite at http://site1/subsite2 that can process CCs. There is simply no reason for SSL session up at the http://site1 or http://site1/subsite2 levels.
- csyvenky_18355
Nimbostratus
I've had a chance to review the recent postings. It's somewhat disconcerting to see that it doesn't appear that anyone has solved this issue. The logic appears to be sound and basically the same in all cases, the fact that the two virtual servers directly conflict with each other seems to put a quick end to this implementation approach.
- hoolio
Cirrostratus
I don't think this is a problem with implementing a solution in LTM configuration or iRules--it's a problem with identifying what content you want served via HTTP and which you want served via HTTPS, and then coding an iRule to handle the different references the application might have to HTTP and HTTPS. A poster in the "Mixed noSSL/SSL site" post was able to do this for his specific scenario.
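An added example, not code from any poster in this thread: a Python model of the two redirect rules that follows each URL through both virtual servers, reports loops, and lists which references on an HTTPS page touch plain HTTP. The port-443 rule is an assumed reconstruction of the "reverse logic" described above, the `lowercase` switch is a hypothetical way the two rules could disagree, and the sample page references are constructed.

```python
from urllib.parse import urljoin, urlsplit

HOST = "site1.fqdn.com"
SSL_PREFIX = "/subsite1/folder"  # prefix matched by the thread's 'subsite1_ssl' iRule

def rule_80(uri):
    """Port-80 rule from the thread: case-insensitive prefix match goes to HTTPS."""
    if uri.lower().startswith(SSL_PREFIX):
        return f"https://{HOST}{uri}"
    return None

def rule_443(uri, lowercase=True):
    """Assumed reverse rule on port 443: everything else goes back to HTTP.
    lowercase=False models a hypothetical rule without 'string tolower'."""
    probe = uri.lower() if lowercase else uri
    if not probe.startswith(SSL_PREFIX):
        return f"http://{HOST}{uri}"
    return None

def follow(url, lowercase_443=True):
    """Follow the LTM redirects for one URL; return (chain_of_urls, looped)."""
    chain = []
    while url not in chain:
        chain.append(url)
        parts = urlsplit(url)
        uri = parts.path + ("?" + parts.query if parts.query else "")
        if parts.scheme == "https":
            url = rule_443(uri, lowercase_443)
        else:
            url = rule_80(uri)
        if url is None:
            return chain, False
    return chain, True

def mixed_content(page_url, refs, lowercase_443=True):
    """References on an HTTPS page whose fetch touches plain HTTP at any hop."""
    if urlsplit(page_url).scheme != "https":
        return []
    flagged = []
    for ref in refs:
        chain, _ = follow(urljoin(page_url, ref), lowercase_443)
        if any(hop.startswith("http://") for hop in chain):
            flagged.append(ref)
    return flagged

# Constructed sample: an HTTPS subsite page with relative and hard-wired references.
PAGE = "https://site1.fqdn.com/subsite1/folder/default.aspx"
REFS = ["images/logo.gif", "/_layouts/core.css", "http://site1.fqdn.com/style/site.css"]
```

In this model, rules that are exact complements settle every URL after at most one redirect, and a loop appears only when the two rules disagree about the same URI. `mixed_content(PAGE, REFS)` lists the references that sit outside the SSL prefix or are hard-wired to `http://`.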