neeraj_130680
Jul 23, 2013

Removal of "s" from HTTPS loads page in HTTP

I am facing a security problem on my website. My website starts from an HTTP page (searching for a product, selecting it and proceeding to payment and the user's information). My user's information page and every page thereafter, up to the purchase confirmation page, are HTTPS pages.

But when I remove the "s" from https in the browser URL and press enter, the whole page gets loaded in HTTP mode, which is a security breach for my site.

I don't know how to stop that. What I need is: if the user removes the "s" from the URL and presses enter, it should either restrict the user from doing so and load the page again as HTTPS, or redirect the user to an error page.

My application runs on an IIS server with the certificate installed at the load balancer. Please help me with a solution. Thanks.

2 Replies

  • Hi Neeraj,

    You know your website better than I, but generally those sections of the site are on different physical pages (take you down into an entirely different area of the site).

    Example:

    For normal shopping and browsing - HTTP - http://www.website.com/shoping

    For purchases - HTTPS - https://www.website.com/purchase

    I would suggest writing an iRule that basically looks for the secure areas of the site (based on the URI) and forces HTTPS.

    An iRule something like what is below. This will detect the "Secured Area URI" and see if the communication is on the Secured Port. If so, send it to the servers normally. If not, redirect them to the same exact location in the Secure Area:

     
    when HTTP_REQUEST {
    switch [string tolower [HTTP::uri]] {
    "/purchase*" {
    if { [TCP::local_port] == 443 } {
    Purchase Area Requires Security
    pool secure.pool.servers
    }
    else {
    If not on Secure Port, force Redirect
    HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
    }
    }
    }
    

    Hope this helps.
  • You can create a VIP on F5 LTM with the same IP but port 80 and use a simple iRule to redirect the URL to port 443.
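The following is an added example that combines the two replies: a separate port-80 virtual server that redirects only the secure area to HTTPS (so shopping and browsing stay on HTTP as the question describes), and a companion rule for the port-443 virtual server. It is not code from either reply or from F5; the `/purchase` prefix is taken from the first reply, while the virtual server names `vs_http` and `vs_https` and the pool name `secure.pool.servers` are assumptions. The 443-side rule addresses the part a redirect alone cannot fix: when the user strips the "s", the browser has already sent the request, cookies included, in cleartext before the redirect is returned, so cookies set on the HTTPS side are marked `Secure` to keep them out of that plaintext request.

```tcl
# Added example, not from the original replies. Assumed names: port-80 virtual
# server "vs_http", port-443 virtual server "vs_https" on the same IP, and a
# pool "secure.pool.servers" behind vs_https. The secure area is /purchase*.

# --- Attach to vs_http (port 80) ---
# Only the secure area is redirected; everything else is served over HTTP by
# the virtual server's default pool. Host and URI are preserved so the client
# lands on the exact same page over HTTPS. A 301 is used so browsers and
# proxies cache the fact that this area is HTTPS-only.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/purchase*" {
            HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]" Connection "close"
        }
    }
}

# --- Attach to vs_https (port 443) ---
# Requests here arrived over TLS, so the secure area goes straight to its pool.
when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::uri]] {
        "/purchase*" {
            pool secure.pool.servers
        }
    }
}

# Any cookie the application sets on the HTTPS side is flagged Secure, so the
# browser will not attach it to a plain-HTTP request if the user later removes
# the "s" from the URL. Cookies the HTTP-only shopping pages rely on should be
# set by those pages, not by the secure area.
when HTTP_RESPONSE {
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
    }
}
```

With this layout the port-80 virtual server never has a route into the purchase pool at all, which is the simplest way to guarantee that no page under `/purchase` is ever rendered over HTTP regardless of what the user types. If the whole host can be served over HTTPS, inserting a `Strict-Transport-Security` header on the 443 side would additionally make the browser upgrade future `http://` attempts before sending them; it is left out here because the question states that the shopping area is intended to stay on HTTP, and HSTS applies to the entire host.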