Redirect http to https on a non-standard port when LTM has the SSL Client profile

Hi there,

How can I get HTTP and HTTPS to work for the same URL that uses a non-standard port and LTM has the client SSL profile?

For example, I would like to reach both http://abc.com:1234/bla/foo & https://abc.com:1234/bla/foo (The SSL client profile should be on the LTM).

Thanks

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

If the virtual servers are on the same port it may be tricky. If I had to do this I would start with this article that Colin wrote that talks about how to use an iRule to scan for SSL/TLS data and go from there:

Multiple Certs, One VIP: TLS Server Name Indication via iRules

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I would like to reach both http://abc.com:1234/bla/foo & https://abc.com:1234/bla/foo (The SSL client profile should be on the LTM).

There is an allow-non-ssl setting in the clientssl profile. Anyway, I do not think it is a good idea.

  allow-non-ssl                        Enables or disables non-SSL connections. Specify enabled to allow non-SSL
                                       connections to pass through the traffic management system as clear text.
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have the same requirement: if a user tries the URL with HTTPS, no change in URL. If a user tries to access with HTTP, it should redirect to HTTPS. I am also using non-standard port URLs.

https://abc.com:8888 ==> no change

http://abc.com:8888 ==> redirect to https://abc.com:8888

With the below config it's working perfectly fine.

I have created an SSL Client profile allowing Non-SSL Connections (you need to modify the default config). I have created a VIP with port 8888 and used the SSL client profile. Configure the below iRule:

    when HTTP_REQUEST {
        if { [URI::protocol [HTTP::uri]] eq "http" } {
            HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
        }
    }

0
Comments on this Answer
Comment made 06-Jul-2018 by svs 358

This iRule cannot work as described. HTTP::uri only contains the URI, which means only the part after the host within the URL. There will never be a scheme, which may be processed by URI::protocol. In the F5 docs the word URI is often mixed up with URL, which is just wrong. So in the docs for URI::protocol it needs "uri" as parameter, but in the examples URLs are given in a list. HTTP::uri will not work here.

I did some tests in my lab (TMOS 13.1.x) to prove this behavior, because I needed this behavior. I came up with the following iRule:

    when CLIENT_ACCEPTED {
        set DEBUG 1
        # Treat the connection as cleartext until a TLS handshake is seen
        set ConnectionProtocol "http"
    }

    when CLIENTSSL_HANDSHAKE {
        # Raised once the client-side TLS handshake completes
        set ConnectionProtocol "https"
    }

    when HTTP_REQUEST {
        if { $ConnectionProtocol eq "http" } {
            if {$DEBUG} {log local0. "Redirecting non-SSL connection (Check: $ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri] to HTTPS."}
            # Strip any port from the Host header and reuse the listener port
            HTTP::redirect https://[getfield [HTTP::host] ":" 1]:[TCP::local_port][HTTP::uri]
        } else {
            if {$DEBUG} {log local0. "SSL connection ($ConnectionProtocol) for [HTTP::host] on URI [HTTP::uri]. No action required."}
        }
    }

This works perfectly for me.

Cheers,

svs

0
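
The decision this thread arrives at, modelled in Python as an added example (not code from any poster or from F5): the first bytes of a connection distinguish a TLS ClientHello from a cleartext HTTP request, which is what lets both share one port, and a cleartext request gets the same `https://host:port/uri` Location the iRules build. The function names, the sample bytes and the Host allow-list are assumptions of this example; it also goes beyond the thread by keeping bracketed IPv6 hosts intact, which a plain split on ":" does not.

```python
from typing import Optional

# Constructed sample inputs (not captured traffic).
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
PLAIN_REQUEST = b"GET /bla/foo HTTP/1.1\r\nHost: abc.com:8888\r\n\r\n"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes a client sends."""
    # TLS record: type 0x16 (handshake), major version 0x03; byte 5 is the
    # handshake type, 0x01 for ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "http" if data.startswith(HTTP_METHODS) else "unknown"


def host_without_port(host_header: str) -> str:
    """Strip an optional :port, keeping a bracketed IPv6 literal intact."""
    host = host_header.strip()
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            raise ValueError("malformed IPv6 literal in Host header")
        return host[: end + 1]
    return host.split(":", 1)[0]


def redirect_location(request: bytes, local_port: int, allowed_hosts: set) -> Optional[str]:
    """Location for a cleartext request, or None when no redirect should be sent."""
    if classify_first_bytes(request) != "http":
        return None
    lines = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    uri = lines[0].split(" ", 2)[1]
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = host_without_port(value)
    # Assumption of this example: Host is client-supplied, so only names the
    # virtual server actually serves are reflected into the redirect.
    if host is None or host.lower() not in allowed_hosts:
        return None
    return f"https://{host}:{local_port}{uri}"
```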