
ssl offloading for microsoft TFS

Mohanad
Cirrostratus

Hello

 

I'm trying to implement SSL offloading for the Microsoft Team Foundation Server (TFS) application. Currently it's working over HTTP on port 8080, so I created a virtual server with TCP, HTTP and client SSL profiles only (Client -- ssl:8080 --> F5 -- http:8080 --> TFS:8080), but it's not working.

 

I found that the first four requests are sent by Google Chrome over https:8080, but the rest of the requests, around 70 requests (js & css), are over http:8080! I used the dev tools to check the issue: it was blocked by Chrome because mixed content is blocked by default. I allowed it, but it's still not working because the F5 is expecting SSL traffic, not clear text. To overcome this issue I configured a new HTTP VS with a redirect iRule (HTTP to HTTPS), but I got another error, which is "too many redirects".

 

How can I solve this issue, and why is Google Chrome behaving like that, sending clear-text requests after the first request? Maybe the server is sending instructions to the client to use HTTP?

 

irule workaround (too many redirects)

when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1]:8080[HTTP::uri]
}

 

first request:

request headers:

Request URL: https://tfsapp:8080/tfs/DefaultCollection/Jakss%20Ticket%20System/_workitems/edit/78757

Request Method: GET

Status Code: 200 OK

Remote Address: 192.168.20.110:8080

Referrer Policy: strict-origin-when-cross-origin

 

response headers:

ActivityId: 5fba6c55-c70e-4e16-bb79-ca542327a100

Cache-Control: public, no-store, max-age=0

Content-Encoding: gzip

Content-Type: text/html; charset=utf-8

Date: Thu, 28 Oct 2021 11:31:20 GMT

Expires: Thu, 28 Oct 2021 11:31:21 GMT

Last-Modified: Thu, 28 Oct 2021 11:31:21 GMT

Lfs-Authenticate: NTLM

P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"

Persistent-Auth: true

Transfer-Encoding: chunked

Vary: *

WWW-Authenticate: Negotiate oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqcnP7VnRAy2Y9a8LtnH/YImA1Y6pfoH1Sl/DGvqBxo1lCn4bMJi91Gi5YjuUMT59dmSYbLAMd0NKnkHFGs7oSTRl6S8t2hfk/YxDWyB3twFrDMpjF4mgwOL8Oqipvo+doMWhIjIjOEOckRg==

X-Content-Type-Options: nosniff

X-FRAME-OPTIONS: SAMEORIGIN

X-TFS-ProcessId: a5fdd0f9-0e98-4894-8c84-0d0c73345cb7

X-TFS-Session: 5fba6c55-c70e-4e16-bb79-ca542327a100

X-VSS-E2EID: 5fba6c55-c70e-4e16-bb79-ca542327a100

X-VSS-UserData: 7e4446cd-b2d6-4b4a-8929-107b9ad7bc9c:m.abcd

 

 

Next requests: (clear http)

0691T00000F6UlTQAV.png

 

 

Before allowing mixed content

 

0691T00000F6Uk7QAF.png

 

 

After allowing mixed content

 

0691T00000F6Uk8QAF.png

 

Thanks,

Mohanad

3 REPLIES

Hi Mohanad,

 

Can you try this iRule instead of the redirect iRule.

when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}

when HTTP_RESPONSE {
    if { [HTTP::header value Content-Type] contains "text" } {
        STREAM::expression {@http://@https://@}
        STREAM::enable
    }
}

https://support.f5.com/csp/article/K31100432
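
An offline check for which references in a backend response trigger the mixed-content blocking described in the question, and what the blanket `http://` to `https://` substitution in the iRule above does to them. This is an added example, not part of any post in this thread: the HTML sample, the `_static` paths and `intranet.example` are constructed, and Python's `str.replace` only mimics the STREAM expression.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load sub-resources. "active" loads (script, CSS,
# frames) are the ones the question reports Chrome blocking on an https page.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

class SubresourceScanner(HTMLParser):
    """Collect sub-resource URLs that resolve to plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = "active" if (tag, name) in ACTIVE else \
                   "passive" if (tag, name) in PASSIVE else None
            if kind is None or not value:
                continue
            # Relative URLs inherit the page's https scheme and are not flagged.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def mixed_content(page_url, body):
    scanner = SubresourceScanner(page_url)
    scanner.feed(body)
    return scanner.findings

def stream_rewrite(body):
    # Same substitution as STREAM::expression {@http://@https://@}: it matches
    # every "http://" in the body, including links to other hosts.
    return body.replace("http://", "https://")

PAGE = "https://tfsapp:8080/tfs/DefaultCollection/_workitems"
SAMPLE = """<html><head>
<script src="http://tfsapp:8080/tfs/_static/app.js"></script>
<link rel="stylesheet" href="http://tfsapp:8080/tfs/_static/site.css">
<script src="/tfs/_static/relative.js"></script>
</head><body>
<img src="http://tfsapp:8080/tfs/_static/logo.png">
<a href="http://intranet.example/wiki">wiki</a>
</body></html>"""  # constructed response body

if __name__ == "__main__":
    for kind, tag, url in mixed_content(PAGE, SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
    print("after rewrite:", mixed_content(PAGE, stream_rewrite(SAMPLE)))
```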

Mohanad
Cirrostratus

Thank you so much Enes, this iRule made the website load, but it is still not fully functional. Below are the dev tools logs:

It cannot fetch the events, and the status code is 500.

0691T00000F6a2KQAR.png

Mohanad
Cirrostratus

I tried to access the same page without the F5, and the status code is 204. As per the MDN wiki: The HTTP 204 No Content success status response code indicates that a request has succeeded, but that the client doesn't need to navigate away from its current page. This might be used, for example, when implementing "save and continue editing" functionality for a wiki site.

 

It's true because I want to edit a ticket, but the full content of the page is not displayed.