Forum Discussion
Roman_80473
Nimbostratus
Jan 11, 2012
SSL Termination with clear text response from web server
Hi folks,
This might be a silly question:
We terminate SSL and send traffic to non-secured web servers. We're having some issues encrypting clear text responses on proxy servers before returning them back to client. Is there a way to encrypt a clear text response from target servers on F5 itself?
Any help is appreciated
Thanks, Roman
13 Replies
- nitass
Employee
it is not a silly question but i am sorry i do not understand what the issue is. could you please explain us a little bit more? or can you give us some example? - Colin_Walker_12
Historic F5 Account
You want to SSL encrypt a response on the LTM before sending it back to the client? Is that correct?
Colin - Roman_80473
Nimbostratus
Hi nitass,
This is the deal (I don't know all the details): when a user comes in via GTM/LTM, we terminate SSL with a client cert, and have an iRule look into the traffic to forward it to the appropriate pool of non-secured web servers on port 80. I don't know the details of the web server layer, but the end result should be that the web server or proxy encrypts the response and sends it back to the F5, so that the user can log in via a secured page. Instead, we get a clear text HTTP response back at the F5. I was wondering if it was possible to encrypt the web server response at the F5 layer. I hope it makes sense.
Thanks, Roman - Roman_80473
Nimbostratus
Colin,
That's pretty much it, you got it. Is there a way?
Thanks, Roman - hoolio
Cirrostratus
Hi Roman,
It sounds like the web app is using http:// references to itself instead of https:// in the response headers and/or payload. To fix this, you could look for configuration options in the web app itself to tell the app that it's being SSL proxied. Or you could rewrite the http:// references to https:// using a STREAM::expression based iRule:
http://devcentral.f5.com/wiki/iRules.stream__expression.ashx
Aaron - hoolio
Cirrostratus
Here's an example which uses a stream profile to rewrite the response headers and/or payload to https://:

```tcl
when HTTP_REQUEST {
   # Save the requested host value
   set host [string tolower [HTTP::host]]
   # Disable the stream filter by default
   STREAM::disable
}
when HTTP_RESPONSE {
   # Check if response type is text and host isn't null
   if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{
      # Replace http://$host with https://$host
      STREAM::expression "@http://$host@https://$host@"
      # Enable the stream filter for this response only
      STREAM::enable
   }
   # Rewrite the Location header in redirects to https://
   if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host"} {
      HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
   }
}
```
Aaron - Roman_80473
Nimbostratus
Hi Aaron,
I've tried the suggested code with default stream profile, but to no avail. Can it be the client cert issue (using default one)?
Thanks, Roman - hoolio
Cirrostratus
Can you use a plugin like Fiddler2 to trace the session and see where the http:// request is being triggered from? Basically, you'd look for the first bad http:// request and go back from there to see where the http:// link is coming from.
Aaron - nitass
Employee
should we remove Accept-Encoding header in the request? - hoolio
Cirrostratus
If the web app is using compression, then you should either disable it to use a stream profile to rewrite the response content or remove the Accept-Encoding request header.
I was hoping to see where the http:// reference(s) were before suggesting anything else to tweak with an iRule.
Aaron
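The rewrite Aaron describes (http://host to https://host in the Location header and text bodies, plus the Accept-Encoding point from the last replies) modelled in Python as an added example; this is not from the thread or an F5 product, and the host and sample responses are constructed.

```python
# Added example (not from the thread): reverse-proxy style rewrite of a
# clear-text backend response so the client only sees https:// references
# to the SSL-terminating host. Host name and sample responses are constructed.
import re

TEXT_TYPES = ("text/", "application/xhtml+xml")


def strip_accept_encoding(request_headers):
    """Drop Accept-Encoding so the backend answers uncompressed: a gzip'd
    body cannot be rewritten by a byte-stream replace (the thread's caveat)."""
    return {k: v for k, v in request_headers.items()
            if k.lower() != "accept-encoding"}


def rewrite_response(host, status, headers, body):
    """Rewrite http://<host> -> https://<host> in a redirect's Location header
    and in text bodies. Only the terminating host is rewritten, so third-party
    http:// links are left alone. Returns (new_headers, new_body)."""
    host = host.lower()
    plain, secure = f"http://{host}", f"https://{host}"
    out = dict(headers)
    # 1. Redirects: fix the Location header (case-insensitive prefix match)
    loc = out.get("Location")
    if 300 <= status < 400 and loc and loc.lower().startswith(plain):
        out["Location"] = secure + loc[len(plain):]
    # 2. Bodies: a compressed payload is opaque to a text replace, so it is
    #    returned untouched; strip Accept-Encoding on the request instead.
    if out.get("Content-Encoding"):
        return out, body
    ctype = out.get("Content-Type", "").lower()
    if any(ctype.startswith(t) for t in TEXT_TYPES):
        pattern = re.compile(rb"http://" + re.escape(host.encode()), re.IGNORECASE)
        body = pattern.sub(secure.encode(), body)
        out["Content-Length"] = str(len(body))  # length changed by the rewrite
    return out, body


if __name__ == "__main__":
    page = b'<a href="HTTP://App.Example.com/x">x</a> <a href="http://cdn.other.net/y">y</a>'
    print(rewrite_response("app.example.com", 200, {"Content-Type": "text/html"}, page))
    print(rewrite_response("app.example.com", 302,
                           {"Location": "http://app.example.com/login"}, b""))
```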