For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Patty_Cl_159208's avatar
Patty_Cl_159208
Icon for Nimbostratus rankNimbostratus
Jul 25, 2014

SSL Redirect with Exclusions of Other Sites

Hi, I have a vs with the http redirect profile added (redirect rewrite set to all). I need share.abc.com to redirect to https and it works. Other sites on the pool members (site1.abc.com, site2.abc.com) need to be excluded and remain HTTP. I was searching DevCentral for similar iRules but not sure the options for \folder exclusions would work. I thought maybe something similar to this might work but it was unsuccessful. On LTM ver 11.4.0.

 

when HTTP_REQUEST { if { [string tolower [HTTP::uri]] starts_with "site1" } { HTTP::respond 301 Location "http://site1.abc.com[HTTP::uri]" } elseif { [string tolower [HTTP::uri]] starts_with "site2" } { HTTP::respond 301 Location "http://site2.abc.com[HTTP::uri]" } } Thanks for any recommendations. Patty

 

application delivery
availability
devops
iRules
LTM
management

1 Reply

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Jul 25, 2014

    The function of the redirect rewrite option is to rewrite the protocol scheme (http:// to https://) for any HTTP redirect responses from the server. A redirect is a 30x type message with a Location header that tells the client where to go. That's all that it does, and you can achieve the same, with more precision, in an iRule:

    when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace [string map -nocase {"http://" "https://"} [HTTP::header Location]]
    }
}

    If the response contains a Location header (which is indicative of a redirect), the above will replace the protocol scheme so that the resulting URL is an https:// address. If you need to be more precise, as in you only want to replace certain redirects, you can simply alter your string map:

    [string map -nocase {"http://share.abc.com" "https://share.abc.com"} [HTTP::header Location]]

    so that only share.abc.com redirects are rewritten. The HTTP profile's Redirect Rewrite Matching option will do basically the same - only replace the scheme if the redirect host matches the requested host. It's important to stress though, that both of these methods only deal with the HTTP headers, of which there's usually only ever one that has a value to be replaced (Location). The other place that URLs can show up is in the HTTP payload - the actual HTML document as object reference links (ie. images, css, js, etc.). For this you'd want to use a STREAM profile and iRule to selectively replace these URLs, much like you did with the headers.

    STREAM::expression {@http://share.abc.com@https://share.abc.com@}