
SSL Cert warning with irule https to http

Bob_10976
Nimbostratus

Hello all.. We have an issue where we need to redirect the request https://www.domain.com to https://domain.com. We have an iRule in place, see below, that does this; however, when the end user goes to https://www they get a cert warning. We do not have a www.domain.com SSL cert, though we do have a domain.com SSL cert and the end users do not receive a warning when accessing that URL. Is there a way to keep them from getting the cert warning, some way to rewrite the URI or modify the request in some manner so when they visit https://www a rule or function takes place and they get redirected to the non-www version? Obviously we could purchase a cert with the www version, but we're trying to avoid that cost, if possible. Any suggestions or thoughts would be greatly appreciated.

 

    when HTTP_REQUEST {
        switch "[string tolower [HTTP::host]]" {
            "www.domain.com" {
                HTTP::respond 301 Location "https://domain.com"
            }
        }
    }

 

Thanks, Bob

 

5 REPLIES 5

nitass
F5 Employee

Unfortunately, HTTP redirection is done after the SSL handshake. I understand you need a www.domain.com certificate.

 

Kevin_Stewart
F5 Employee

Just to amplify, the problem is unavoidable in its current state. You need a certificate with the correct server subject name. A few options are:

 

  1. A wildcard cert
  2. A Subject Alt Name - SAN cert
  3. Server Name Indicator - SNI with separate certs (> winXP)
  4. Separate VIPs and separate certs

Bob_10976
Nimbostratus

Thanks nitass and Kevin..

 

Kevin_Stewart
F5 Employee

So I have a SAN cert with alternate name without www. How do I get traffic forwarding from both http://mysite.com to http://www.mysite.com and https://mysite.com to https://www.mysite.com?

 

Your HTTP (port 80) VIP would be the simplest, and you probably don't care what URI they're using to get there:

 

    when HTTP_REQUEST {
        HTTP::redirect "https://www.mysite.com[HTTP::uri]"
    }

And then the HTTPS (port 443) VIP would simply need to catch anything going to "mysite.com" and redirect to "www.mysite.com":

 

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] equals "mysite.com" } {
            HTTP::redirect "https://www.mysite.com[HTTP::uri]"
        }
    }

The SAN certificate that you apply to the HTTPS VIP should include both the "www.mysite.com" and "mysite.com" subject names.
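
The replies above turn on one point: the certificate name check happens in the TLS handshake, before any redirect iRule runs. As an added example (not part of the original thread; the certificate dictionaries are constructed samples in the layout Python's `ssl` `getpeercert()` returns, and the function names are hypothetical), this checks which hostnames a certificate actually covers:

```python
"""Check which hostnames a certificate covers before relying on an HTTPS redirect."""


def san_dns_names(cert):
    """Return lowercase DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Match one certificate name against a host.

    Only a '*' that is the entire leftmost label is treated as a wildcard;
    anything else (including partial wildcards) is compared literally.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans dots: *.domain.com != domain.com
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:] and h_labels[0] != ""
    return p_labels == h_labels


def cert_covers(cert, host):
    """True if any SAN DNS entry in the certificate matches the host."""
    return any(name_matches(n, host) for n in san_dns_names(cert))


def uncovered_hosts(cert, hosts):
    """Hosts that would hit a certificate warning before any redirect iRule runs."""
    return [h for h in hosts if not cert_covers(cert, h)]


# Constructed sample certificates (getpeercert() layout), not taken from the thread.
APEX_ONLY = {"subjectAltName": (("DNS", "domain.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.domain.com"),)}
SAN_BOTH = {"subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com"))}

# Every hostname the HTTPS VIP is expected to answer for.
HOSTS = ["domain.com", "www.domain.com"]

if __name__ == "__main__":
    for label, cert in (("apex only", APEX_ONLY), ("wildcard", WILDCARD), ("SAN both", SAN_BOTH)):
        print(f"{label:10} uncovered: {uncovered_hosts(cert, HOSTS)}")
```

A certificate whose only name is `*.domain.com` leaves the bare `domain.com` uncovered, so a wildcard certificate also needs the apex name listed if both hosts terminate on the same VIP.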

 

AP_129594
Nimbostratus

Works like a charm...thank you!!!