Redirect HTTPS request to Second HTTPS server, before SSL

I've seen a number of questions like this in the various forums, but I just cannot seem to make this work. Use case is to use an iRule to perform a redirection from a request for 'http://server.server1.com' to send the browser to 'https://server.server2.com'.

What seems to be happening is that the original request spawns a 'Your Connection is not Private - bad certificate' error in the browser at initial connection (presumably before the actual 'redirection').

The iRule I'm trying looks like this:

    when HTTP_REQUEST {
        # Redirect requests for server.server1.com to server.server2.com, keeping the URI
        if { [string tolower [HTTP::host]] eq "server.server1.com" } {
            HTTP::redirect https://server.server2.com[HTTP::uri]
        }
    }

I'm kinda getting desperate here.

Thanks!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

HTTPS is the HTTP protocol inside a TLS tunnel...

An HTTP redirect requires the HTTP request to be received by the server (the BIG-IP there).

The HTTPS flow is the following:

  1. TCP handshake to TCP port 443
  2. TLS handshake initiated by the client
    1. Client sends client hello
    2. Server sends certificate
    3. Next TLS handshake packets ...
  3. Client sends request
  4. Server responds with a 302 response code and a Location header which contains the new URL...

So you can see it is not possible to redirect before certificate validation (hopefully... this would be a huge security issue if we could!!!)

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

As the previous answer explains, the TLS handshake needs to be completed before the https virtual server can look at the http request.

Do 'server.server1.com' and 'server.server2.com' resolve to the same IP address?

One thing you could do is to replace the certificate used on the https virtual server where you want to do the redirects, so that it includes both 'server.server1.com' and 'server.server2.com'. The handshake would then complete successfully and then you could do the http redirect.

Otherwise an iRule based on the http_request event won't work without security warning errors on the browsers.

0
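
The sequence described in the two answers above, as an added example that is not part of the original thread: a small Python model of the browser's view, showing that the certificate name check happens before the virtual server can send its 302. The certificate dictionaries are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; that the current certificate lists only `server.server2.com` is an assumption made for illustration, and the function names are hypothetical.

```python
# Added illustration: models the order of events the answers describe.
# Certificates below are constructed sample data, not taken from any real server.

def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN against a hostname; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never several
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a single label (e.g. *.com)
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert: dict, host: str) -> bool:
    """True if any DNS subjectAltName entry in the certificate matches host."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(s, host) for s in sans)

def browser_request(cert: dict, host: str, uri: str, redirects: dict):
    """Return what the user sees for https://host + uri on one virtual server."""
    # Steps 1-2: TCP and TLS handshake. The client validates the certificate
    # against the name it asked for, before any HTTP byte is sent.
    if not cert_covers(cert, host):
        return ("certificate_warning", None)
    # Steps 3-4: only now does the server see the Host header and can answer 302.
    target = redirects.get(host.lower())
    if target:
        return (302, f"https://{target}{uri}")
    return (200, None)

REDIRECTS = {"server.server1.com": "server.server2.com"}
CERT_SERVER2_ONLY = {"subjectAltName": (("DNS", "server.server2.com"),)}
CERT_BOTH_NAMES = {"subjectAltName": (("DNS", "server.server1.com"),
                                      ("DNS", "server.server2.com"))}

if __name__ == "__main__":
    for label, cert in (("server2-only cert", CERT_SERVER2_ONLY),
                        ("cert with both names", CERT_BOTH_NAMES)):
        print(label, "->", browser_request(cert, "server.server1.com", "/app", REDIRECTS))
```

With the server2-only certificate the request ends at the warning and the redirect logic is never reached; with both names on the certificate the same request returns the 302.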