Confusion on if to use SSL server profile with iRule or not
- Apr 22, 2016
The scheme part of the URL is for the benefit of the user-agent only. That is, if you type http://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 80, and sends the following:
    GET / HTTP/1.1
    Host: www.example.com
Notice that the "http" part is nowhere to be found. On the other hand, if you type https://www.example.com in your browser, your browser opens a TCP connection to www.example.com on port 443, completes a TLS handshake, then sends exactly the same data as above. Again, the scheme ("https") is absent.
As such, as long as the uri-query part (the path and query parameters) is unchanged between the client- and server-side, then there is no need to perform a rewrite. Furthermore, if the Host header is unchanged, then there is no need to change headers. As you say, you need only apply a server-side SSL profile for condition 1. And, as you say, you need to perform a Host header rewrite for condition 2. You can either use an iRule or you can use a Local Traffic Policy.
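The point made in the answer above, as an added Python example that is not part of the original post and is not F5 code: the scheme decides only the port and whether TLS is used, the bytes sent are identical, and a proxy that re-encrypts to a differently named backend needs to change nothing but the Host header. The function names and the backend name `backend.example.net` are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def connection_plan(url: str) -> dict:
    """Separate what the user-agent keeps to itself (port, TLS) from what it sends."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname
    if port != DEFAULT_PORTS[parts.scheme]:
        host += ":%d" % port  # a non-default port is carried in the Host header
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, host)).encode("ascii")
    return {"tls": parts.scheme == "https", "port": port, "request": request}

def rewrite_host(request: bytes, new_host: str) -> bytes:
    """Replace only the Host header; the request line and other headers pass through."""
    # Refuse CR/LF/space so the rewrite cannot inject an extra header line.
    if any(c in new_host for c in "\r\n "):
        raise ValueError("invalid host value")
    head, sep, body = request.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    is_host = [h.partition(b":")[0].strip().lower() == b"host" for h in headers]
    if is_host.count(True) != 1:
        raise ValueError("expected exactly one Host header")
    headers[is_host.index(True)] = b"Host: " + new_host.encode("ascii")
    return b"\r\n".join([request_line, *headers]) + sep + body

if __name__ == "__main__":
    plain = connection_plan("http://www.example.com")
    secure = connection_plan("https://www.example.com")
    print(plain["port"], plain["tls"], secure["port"], secure["tls"])
    print(plain["request"] == secure["request"])  # same bytes on the wire
    # Constructed backend name, standing in for "condition 2" in the answer.
    print(rewrite_host(secure["request"], "backend.example.net").decode("ascii"))
```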