F5 HTTPS Redirect 2025
An updated HTTP to HTTPS redirect iRule for F5 BIG-IP that fixes the issues with the legacy redirect solution.
The Problem with Legacy Redirect iRules
F5's old _sys_https_redirect iRule is simple and gets the job done, but it's starting to show its age:
Always sends HTTP 302 redirects - This changes POS...
Updated Sep 04, 2025
Version 2.0
Tony_Marfil
Employee
Joined January 09, 2020
Juergen_Mang
MVP
Sep 01, 2025
@Tony_Marfil: Thank you for sharing this piece of code. I think it is a good idea to write and publish a battle tested iRule for redirection.
I do not use the _sys_https_redirect iRule due to the issues described above and I have my own iRule that enforces security headers and valid hostnames.
In my opinion the iRule above has some issues:
- X-XSS-Protection should not be used anymore: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-XSS-Protection
- Global Variables in iRules can have a severe performance impact and should not be used: Getting Started with iRules: Variables | DevCentral
- HTTP::remove and HTTP::insert should be used, HTTP::replace replaces only the first occurrence of a header.
- The HSTS header has no effect on non-secure connections
- You should check the host header before redirection: https://my.f5.com/s/article/K000141035
- I would prefer an iRule that does one thing properly - redirection and not mix it with inserting security headers in responses.
Tony_Marfil
Employee
Sep 01, 2025
Thumbs up. Excellent feedback. I will incorporate all of the improvements you suggested in the next release. Thanks!
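A redirect-only iRule along the lines raised in the comments above (validate the Host header before redirecting, send no HSTS header over plain HTTP, keep header insertion out of the redirect rule), as an added example that is not the iRule published on this page and not code from either commenter. The data group name allowed_redirect_hosts is hypothetical, and the choice of 301 for GET/HEAD and 308 for other methods is an assumption of this example.

```tcl
# Added example, not the iRule published on this page.
# Assumes a string data group named allowed_redirect_hosts (hypothetical name)
# listing, in lowercase, the hostnames this virtual server may redirect to.
when HTTP_REQUEST {
    # Drop any ":port" suffix and normalise case before matching.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Refuse requests whose Host header is missing or not on the allow-list,
    # so a forged Host value is never reflected into the Location header.
    if { $host eq "" || ![class match -- $host equals allowed_redirect_hosts] } {
        HTTP::respond 400 noserver content "Bad Request" Connection close
        return
    }

    # 301 for GET/HEAD; 308 for every other method so that the client
    # repeats the request with the same method and body over HTTPS.
    switch -- [HTTP::method] {
        "GET" -
        "HEAD" { set status 301 }
        default { set status 308 }
    }

    # No Strict-Transport-Security header here: it has no effect on a
    # non-secure connection and belongs on the HTTPS virtual server.
    HTTP::respond $status noserver Location "https://${host}[HTTP::uri]"
}
```

Attach it to the port 80 virtual server only; response security headers would go in a separate iRule or policy on the HTTPS virtual server.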