HTTPS offload rewriting

hooleylist · ‎18-Mar-2015

Problem this snippet solves:

This iRule shows how to rewrite an HTTP web application's self references from http:// to https:// to avoid insecure content warnings.

Note if the response content size is changed like it would be with this iRule you must use a custom HTTP profile with response chunking set to rechunk.

Code :

when HTTP_REQUEST {

# Save the requested host value
set host [string tolower [HTTP::host]]

# If the HTTP host header is blank, use the VS IP address
# If the VS IP is not routable for clients, hard code a routable IP
# to replace [IP::local_addr]
if {$host eq ""}{set host [IP::local_addr]}

# Disable the stream filter by default
STREAM::disable
}
when HTTP_RESPONSE {

# Check if response type is text and host isn't null
if {[HTTP::header value Content-Type] contains "text" and $host ne ""}{

# Replace http://$host with https://$host
STREAM::expression "@http://$host@https://$host@"

# Enable the stream filter for this response only
STREAM::enable

}
# Rewrite the Location header in redirects to https://
if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host"} {
HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
}
}

r_dynamo_79563 · ‎13-Aug-2015

Hi Aaron, There are some HTTP references that are not being displayed at all using above iRule (HTTPS VIP) even after enabling mixed content on the browser. I have a HTTP & HTTPS VIP. Streaming is enabled on the HTTPS VIP, and the HTTP VIP has a generic http to https redirect: when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] } Both the VIPs have a custom http profile with Server Response set to "Rechunk," and a custom destination address persistence profile to match across pools in different virtual Servers. Any further suggestions will be highly appreciated.

hooleylist · ‎28-Sep-2015

Hi R, Can you add debug logging to the iRule and post the anonymized log output and a sample of the server response payloads which are not being rewritten? Thanks, Aaron

sprashanthac_81 · ‎17-Mar-2016

There seems to be a natural behaviour to change the post request as get request. The access method is being altered when using http to https rule. Is there a way to have it fixed. don't want to alter the http method and keep it intact when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] } changes the method for POST to GET and breaking our application is there a way to fix it. Seems like this is the usual behavior of F5

AndresG_241389 · ‎18-May-2016

A 301/2 redirect will instruct the requester to reissue the request as a GET... You must a 307

subrud_297411 · ‎30-Oct-2016

Where to paste this code?

Tewfik_Megherbi · ‎30-May-2017

If you get errors from browser about XMLHttpRequest response server being send over http.

Error message might be : Mixed Content: The page at 'https:/xxxx.com/zzz.html' was loaded over HTTPS, but requested an insecure resource 'http://xxxx.com/b/ttt.css'. This request has been blocked; the content must be served over HTTPS."

Make sure you assign a compression profile to the VS that runs this irule.

This is because STREAM function requires that server response to be decompressed before hand.

kazeem_yusuf1 · ‎05-Jun-2017

Hello Hoolio. I used the irule after application owner was getting a 'Blocked loading mixed active content" on his webpage.

However,after applying the Your irule, i get error https://agilitycareuat.kazeem.com.ng:80/UserManagement/com/ericsson/usermanagement/userlogin/fetchLo....

It appends a port 80,after making a request with test user "testuser1". If however,i remove the port 80. The request goes fine.

What is the solution to this?

DevCentral

HTTPS offload rewriting