For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

pwoll_74049's avatar
pwoll_74049
Icon for Nimbostratus rankNimbostratus
Dec 13, 2011

WebDAV and SSL Problem

I am implementing a document management system (OpenText) with SSL offload on the LTM. I have an iRule that sends a redirect to https for any http traffic. The redirect works fine until WebDAV starts being used. In captures, I see the browser sending, for example,

 

http://www.xxx.com/contentserverdav/License.pptx with HEAD /contentserverdav/License.pptx HTTP/1.1\r\n. The LTM sends a redirect with Location:https://www.xxx.com/contentserverdav/License.pptx\r\n. But the browser ignores the redirect. Any information you could provide on whether this is normal, or ways to make SSL work with WebDAV would be greatly appreciated.

 

application delivery
dev
devops
iRules

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Dec 14, 2011
    Hi,

     

     

    I'm not familiar with the OpenText app, but here are a few possible solutions in order of efficiency for LTM:

     

     

    Set a native OpenText configuration option which tells the web app that it should refer to itself using https:// instead of http:// references. This is something you could check OpenText documentation for. I assume most web apps support SSL proxying by now.

     

     

    Configure LTM to insert an HTTP header which LTM inserts which tells the web app that it should refer to itself using https:// instead of http:// references.

     

     

    Use an iRule and stream profile to rewrite the response headers and content from http:// to https:// so that the client will make requests to https:// only.

     

     

    Aaron
  • pwoll_74049's avatar
    pwoll_74049
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2012
    Thanks to your help, I was able to resolve this. I used the third approach above to use an iRule to rewrite the responses as follows:

     

     

    when HTTP_RESPONSE {

     

     

    Check if response type is text

     

    if {[HTTP::header value Content-Type] contains "text"}{

     

     

    Replace http:// with https://

     

    STREAM::expression {@http://mydomain.com@https://mydomain.com@}

     

    Enable the stream filter for this response only

     

    STREAM::enable

     

    }

     

     

    Check if server response is a redirect

     

    if { [HTTP::header is_redirect]} {

     

    Log original and updated values

     

    log local0. "Original Location header value: [HTTP::header value Location],\

     

    updated: [string map -nocase "http:// https://" [HTTP::header value Location]]"

     

     

    Do the update, replacing http:// with https://

     

    HTTP::header replace Location [string map -nocase "http:// https://" [HTTP::header value Location]]

     

    }

     

    }

     

     

    At first I thought that the second portion of this code to rewrite the Location entries was unnecessary. However, I learned that the stream profile does not affect the Location information, thus the addition. Elsewhere, I only had to enable the stream profile on the Virtual Server.