For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 25, 2014

The function of the redirect rewrite option is to rewrite the protocol scheme (http:// to https://) for any HTTP redirect responses from the server. A redirect is a 30x type message with a Location header that tells the client where to go. That's all that it does, and you can achieve the same, with more precision, in an iRule:

when HTTP_RESPONSE {
    if { [HTTP::header exists Location] } {
        HTTP::header replace [string map -nocase {"http://" "https://"} [HTTP::header Location]]
    }
}

If the response contains a Location header (which is indicative of a redirect), the above will replace the protocol scheme so that the resulting URL is an https:// address. If you need to be more precise, as in you only want to replace certain redirects, you can simply alter your string map:

[string map -nocase {"http://share.abc.com" "https://share.abc.com"} [HTTP::header Location]]

so that only share.abc.com redirects are rewritten. The HTTP profile's Redirect Rewrite Matching option will do basically the same - only replace the scheme if the redirect host matches the requested host. It's important to stress though, that both of these methods only deal with the HTTP headers, of which there's usually only ever one that has a value to be replaced (Location). The other place that URLs can show up is in the HTTP payload - the actual HTML document as object reference links (ie. images, css, js, etc.). For this you'd want to use a STREAM profile and iRule to selectively replace these URLs, much like you did with the headers.

STREAM::expression {@http://share.abc.com@https://share.abc.com@}