HTTPS offload rewriting

Problem this snippet solves:

This iRule shows how to rewrite an HTTP web application's self references from http:// to https:// to avoid insecure content warnings.

Note: if the response content size is changed, as it is with this iRule, you must use a custom HTTP profile with response chunking set to rechunk.

Code:

when HTTP_REQUEST {

    # Save the requested host value
    set host [string tolower [HTTP::host]]

    # If the HTTP host header is blank, use the VS IP address
    # If the VS IP is not routable for clients, hard code a routable IP
    # to replace [IP::local_addr]
    if {$host eq ""} {set host [IP::local_addr]}

    # Disable the stream filter by default
    STREAM::disable
}
when HTTP_RESPONSE {

    # Check if response type is text and host isn't null
    if {[HTTP::header value Content-Type] contains "text" and $host ne ""} {

        # Replace http://$host with https://$host
        STREAM::expression "@http://$host@https://$host@"

        # Enable the stream filter for this response only
        STREAM::enable

    }
    # Rewrite the Location header in redirects to https://
    if { [HTTP::is_redirect] && [string tolower [HTTP::header Location]] starts_with "http://$host"} {
        HTTP::header replace Location [string map -nocase "http://$host https://$host" [HTTP::header Location]]
    }
}
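
The two rewrites in the iRule above, modelled in Python so they can be exercised against sample headers and bodies before deployment. This is an added example, not part of the original iRule or F5's code; the host, the sample values and the `rewrite_location_drop_port80` variant are constructed for illustration, and the stream filter is modelled as a literal, case-sensitive replace.

```python
import re

HOST = "app.example.com"  # constructed sample host, already lowercased like $host

def rewrite_body(host, content_type, body):
    """Stream step: only responses whose Content-Type contains "text" are rewritten.
    Assumption: the stream filter is modelled as a literal, case-sensitive replace."""
    if "text" not in content_type or host == "":
        return body
    return body.replace(f"http://{host}", f"https://{host}")

def rewrite_location(host, location):
    """Redirect step, as in the iRule (the caller has already checked is_redirect)."""
    if not location.lower().startswith(f"http://{host}"):
        return location
    # Model of Tcl `string map -nocase "http://$host https://$host"`
    return re.sub(re.escape(f"http://{host}"), lambda m: f"https://{host}",
                  location, flags=re.IGNORECASE)

def rewrite_location_drop_port80(host, location):
    """Hypothetical variant: also drop an explicit :80 left behind after the scheme change."""
    out = rewrite_location(host, location)
    prefix = f"https://{host}:80"
    # Only strip when :80 is the whole port, not the start of e.g. :8080
    if out.startswith(prefix) and out[len(prefix):len(prefix) + 1] in ("", "/", "?", "#"):
        out = f"https://{host}" + out[len(prefix):]
    return out

if __name__ == "__main__":
    # Constructed sample Location headers
    for loc in ("http://app.example.com/login",
                "HTTP://App.Example.com/login",
                "http://app.example.com:80/login",
                "http://app.example.com:8080/login",
                "http://other.example.net/"):
        print(f"{loc!r:40} iRule -> {rewrite_location(HOST, loc)!r:42} "
              f"variant -> {rewrite_location_drop_port80(HOST, loc)!r}")
    # Constructed sample bodies: the second is skipped because of its Content-Type
    page = '<link href="http://app.example.com/site.css">'
    print(rewrite_body(HOST, "text/html; charset=utf-8", page))
    print(rewrite_body(HOST, "application/javascript", 'var u = "http://app.example.com/api";'))
```

The third sample shows an explicit :80 surviving the scheme change, and the last body passes through untouched because its Content-Type does not contain "text".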
Published Mar 18, 2015
Version 1.0


7 Comments

  • Hi Aaron, There are some HTTP references that are not being displayed at all using above iRule (HTTPS VIP) even after enabling mixed content on the browser. I have a HTTP & HTTPS VIP. Streaming is enabled on the HTTPS VIP, and the HTTP VIP has a generic http to https redirect: when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] } Both the VIPs have a custom http profile with Server Response set to "Rechunk," and a custom destination address persistence profile to match across pools in different virtual Servers. Any further suggestions will be highly appreciated.
  • Hi R, Can you add debug logging to the iRule and post the anonymized log output and a sample of the server response payloads which are not being rewritten? Thanks, Aaron
  • There seems to be a natural behaviour to change the POST request to a GET request. The access method is being altered when using the http to https rule. Is there a way to have it fixed? I don't want to alter the HTTP method; I want to keep it intact. when HTTP_REQUEST { HTTP::redirect https://[HTTP::host][HTTP::uri] } changes the method from POST to GET and is breaking our application. Is there a way to fix it? Seems like this is the usual behavior of F5.
  • A 301/2 redirect will instruct the requester to reissue the request as a GET... You must use a 307
  • If you get errors from the browser about XMLHttpRequest response server being sent over http.

    The error message might be: Mixed Content: The page at 'https:/xxxx.com/zzz.html' was loaded over HTTPS, but requested an insecure resource 'http://xxxx.com/b/ttt.css'. This request has been blocked; the content must be served over HTTPS."

    Make sure you assign a compression profile to the VS that runs this iRule.

    This is because the STREAM function requires the server response to be decompressed beforehand.

  • Hello Hoolio. I used the iRule after the application owner was getting a "Blocked loading mixed active content" on his webpage.

    However, after applying your iRule, I get the error https://agilitycareuat.kazeem.com.ng:80/UserManagement/com/ericsson/usermanagement/userlogin/fetchLoginLoc.do?username=testuser1.

    It appends a port 80 after making a request with test user "testuser1". If, however, I remove the port 80, the request goes fine.

    What is the solution to this?