
kj07208_118528
Aug 26, 2015

(Urgent) iRule for Http to Https on non-standard port

I have a web site that only takes requests on port 99 (I have no control over this). In the web page the developers have hardcoded http links (once again no control :( ). I also have an APM application to the Virtual Server. I need an iRule to redirect the requests from http to https. I'm struggling because http and https are going to the same port so I can create another VS and do _sys_https_redirect iRule.

 

I also tried the following iRule but it is getting a Secure Connection Failed/Client closed. I guess the trick is to redirect before the VS fully parses the response and gets an error.

 

First iRule:

    when HTTP_REQUEST {
        if { [SSL::mode] == 0 } {
            HTTP::redirect https://[HTTP::host]:99[HTTP::uri]
        }
    }

 

Second attempt:

    when HTTP_REQUEST_SEND {
        if { [SSL::mode] == 0 } {
            HTTP::redirect https://[HTTP::host]:99[HTTP::uri]
        }
    }

 

6 Replies

  • So just to clarify, is that HTTP and HTTPS on the same IP and port? If the application only supports port 99, does it matter that the VIPs can be 80 and 443?

     

  • I've tried making the pool & node use service port 99 while using 80 & 443 in two VS's. The application is IIS and it's using host header so it expects an FQDN with someapp.corp.com:99 . Unless I'm missing something.

     

  • Well, it's pretty straightforward to replace the Host header.

    when HTTP_REQUEST {
        HTTP::header replace Host "someapp.corp.com:99"
    }
    

    Given that and the fact the pool members are physically listening on port 99, the application shouldn't have any idea that there's a proxy in front doing 443 or 80.

  • You can use a rewrite profile or a STREAM iRule, but ultimately you have to catch these bad URLs in server responses and rewrite them to match the external FQDN.

    when HTTP_REQUEST {
        HTTP::header remove Accept-Encoding
        STREAM::disable
    }
    when HTTP_RESPONSE {
        if { ( [HTTP::header exists Location] ) and ( [HTTP::header Location] contains ":99" ) } {
            HTTP::header replace Location "https://someapp.corp.com/"
        }
        if { [HTTP::header Content-Type] contains "text" } {
            STREAM::expression {@http://someapp.corp.com:99@https://someapp.corp.com@}
            STREAM::enable
        }
    }
    
  • I have the same requirement: if a user accesses the URL with HTTPS, no change in URL. If a user accesses the URL with HTTP, it should redirect to HTTPS. I am also using non-standard port URLs.

    https://abc.com:8888 ==> no change

    http://abc.com:8888 ==> redirect to https://abc.com:8888

    It's working perfectly fine with the config below:

    1) Create an SSL client profile that allows Non-SSL Connections (you need to modify the default config)

    2) Create a VIP on port 8888 and use the SSL client profile

    3) Configure the iRule below

    when HTTP_REQUEST {
        if { [URI::protocol [HTTP::uri]] eq "http" } {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
        }
    }
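The redirect in the last reply builds its Location from the client-supplied Host header, so whatever hostname the client sends is echoed back in the redirect. A variant that only redirects to known hostnames, as an added example that is not part of the original thread: the hostname list (`abc.com`, `www.abc.com`) is an assumption, and the plaintext test is the one the reply itself uses.

```tcl
# Added example, not from the thread.
# Assumption: abc.com and www.abc.com are the only published hostnames for this VIP.
when HTTP_REQUEST {
    # Same plaintext check as the reply above, on a VIP whose client SSL
    # profile allows non-SSL connections.
    if { [URI::protocol [HTTP::uri]] eq "http" } {
        # Host is client-controlled: strip any port and normalise case before comparing.
        set host [string tolower [getfield [HTTP::host] ":" 1]]
        switch -- $host {
            "abc.com" -
            "www.abc.com" {
                # Known name: keep host, listener port and requested URI.
                HTTP::redirect "https://${host}:[TCP::local_port][HTTP::uri]"
            }
            default {
                # Unknown or empty Host: redirect to the canonical name
                # instead of reflecting the header into Location.
                HTTP::redirect "https://abc.com:[TCP::local_port]/"
            }
        }
    }
}
```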