09-Mar-2022 02:38 - edited 09-Mar-2022 02:49
We have a port 80 and 443 VIP configured for 301 redirections to send sites to specific pages on a target branding site. We use 301 redirects and it works just fine via iRule.
However, for this to work for HTTPS requests, we need a cert and SSL profile to decrypt the request and then redirect it. The same iRule is in use for both the 80 and 443 VIPs.
I'm wondering whether it's possible to do a basic 'when client_accept/connect' iRule to force ALL connections to the VIP to go to the port 80 version so that we don't need to keep purchasing certs for 'old' websites.
Perhaps another option would be to set a single client_ssl profile on the 443 VIP, use a 'when clientssl_handshake' iRule and try to redirect to 80 that way, but I have my doubts. This is a bit beyond my current iRule skills...
Hello, I don't really get the statement about purchasing certs: if your HTTPS certificates expire, clients will get warning popups, regardless of whether the certificate is presented to the client by the F5 via an SSL profile or by your server in an SSL pass-through scenario. What I usually see in these cases is a wildcard certificate for the top-level domain, which can match multiple SNIs.
This being said, if you need to modify HTTPS traffic or perform actions based on information that is encrypted, you need SSL offloading, since your iRule will likely require an HTTP profile to retrieve such information, and that won't work if the traffic is encrypted. Without profiles you're limited to L4 functionality, so you could load balance requests to port 80 on the backend; however, this will still give SSL errors if the F5 doesn't offload the SSL connection itself using a certificate.
Instructions like HTTP::redirect cannot be issued in a CLIENT_ACCEPTED event, once again because you need an HTTP profile to correctly parse the traffic and identify the information. You can check the valid events for the HTTP::redirect instruction here.
Another thing that I don't get is why you would configure a 443 Virtual Server if you plan to only use HTTP over port 80: if you have already decided HTTPS will no longer be used on those websites, just close port 443 completely.
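As an added example (not the poster's own iRule and not from F5's documentation), this is the shape of a host-based permanent redirect that has to run in HTTP_REQUEST, for the reason given above: HTTP::host and HTTP::respond only work once an HTTP profile (and, on the 443 VIP, a client-ssl profile) has parsed the request. The hostnames and branding-site paths are placeholders.

```tcl
# Added example iRule, not the original poster's code.
# Attach to both the port 80 VIP (HTTP profile) and the port 443 VIP
# (HTTP profile + client-ssl profile). Without decryption the 443 VIP
# never reaches HTTP_REQUEST, so this logic cannot be moved to
# CLIENT_ACCEPTED, which only sees an opaque TCP connection.
when HTTP_REQUEST {
    # Normalise the Host header so the match is case-insensitive.
    set host [string tolower [HTTP::host]]

    # Map each retired hostname to its page on the branding site
    # (placeholder names; replace with the real mapping).
    switch -glob -- $host {
        "old-site-a.example.com" -
        "www.old-site-a.example.com" {
            set target "https://brand.example.com/old-site-a"
        }
        "old-site-b.example.com" {
            set target "https://brand.example.com/campaigns/b"
        }
        default {
            # Unrecognised host: land on the branding home page instead
            # of echoing any part of the incoming request back.
            set target "https://brand.example.com/"
        }
    }

    # HTTP::redirect returns a 302; a permanent move is an explicit 301
    # sent with HTTP::respond. Close the connection so nothing further
    # is proxied to a backend for these retired sites.
    HTTP::respond 301 Location $target Connection Close
}
```

The redirect target is taken from the fixed mapping rather than from the client's own URI, so the iRule cannot be used as an open redirector.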