HTTP to HTTPS redirect when 401 received.

Hi,

We have a very... awkward.. web environment here at work, and I'm hoping that I can get some help here to achieve something. We currently do all the SSL handling on the BigIP, and we're having a problem ensuring that pages with passwords always redirect to https before the client has the chance to pass in their password.

For reasons that are very very complicated, I can't easily do a RewriteRule in Apache to handle this, and my latest brainwave is that maybe we could write an iRule to do this. I don't even have an account on the BigIP, so I was hoping I could turn to you guys to see if my idea is fundamentally sound. Based on examples I saw scattered around the forums, I pieced together something like this:

when HTTP_RESPONSE {
    # Check if the server response is a 401
    if {[HTTP::status] == 401} {
        HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
    }
}

Would I be able to put something like that in place to ensure we never pass passwords unencrypted?
0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
I spoke to someone else who suggested this:

when HTTP_REQUEST {
    set host [HTTP::host]
    set uri [HTTP::uri]
}

when HTTP_RESPONSE {
    if [ [ HTTP::status ] == "401" ] {
        HTTP::redirect "https://$host/$uri"
    }
}


Sadly this broke the entire site when I tried putting it in place, but may be a step in the right direction.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
It's a good suggestion to explicitly save the values of HTTP::host and HTTP::uri from the request as they aren't saved by default through to the HTTP_RESPONSE event.

The syntax is slightly off though:

 
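when HTTP_REQUEST {
    # Save the request values; they are not kept by default for HTTP_RESPONSE
    set host [HTTP::host]
    set uri [HTTP::uri]
}

when HTTP_RESPONSE {
    # Redirect to HTTPS when the server asks for authentication
    if {[HTTP::status] == 401} {
        # $uri already begins with "/", so no extra slash is added
        HTTP::redirect "https://$host$uri"
    }
}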


I assume you have an HTTP VIP and an HTTPS VIP and that you're applying this rule to only the HTTP VIP? If you don't have a test BIG-IP, you can create test VIPs on the production BIG-IP to check the iRule.

Aaron
0
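
A combined version of the rules in this thread, added here as an example and not code posted by any participant: it keeps the port stripping from the question, saves the request values as described in the last answer, and also redirects requests that already carry an Authorization header, because the 401 check only covers clients that wait for the challenge. It assumes the rule is attached to the HTTP virtual server only and that the Host header holds a name or IPv4 address.

```tcl
# Added example: attach to the HTTP (cleartext) virtual server only.
when HTTP_REQUEST {
    # Save request values for HTTP_RESPONSE and drop any ":port" suffix
    # so the redirect does not point at https://host:80/...
    set host [getfield [HTTP::host] ":" 1]
    if { $host eq "" } {
        # No Host header (e.g. HTTP/1.0): fall back to the address
        # the client connected to.
        set host [IP::local_addr]
    }
    set uri [HTTP::uri]

    # A client that sends credentials without waiting for a challenge
    # has already put them on the wire in cleartext. Do not forward the
    # request; log it and send the client to HTTPS.
    if { [HTTP::header exists "Authorization"] } {
        log local0. "Authorization header over HTTP from [IP::client_addr] for $host"
        HTTP::redirect "https://$host$uri"
        return
    }
}

when HTTP_RESPONSE {
    # The server is asking for authentication: replace the 401 with a
    # redirect so the client only sees the challenge over HTTPS.
    if { [HTTP::status] == 401 } {
        HTTP::redirect "https://$host$uri"
    }
}
```

Credentials logged by the Authorization branch have already crossed the network unencrypted, so those log entries identify accounts whose passwords should be treated as exposed.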