Forum Discussion

Mike_27130
Jun 18, 2010

Having trouble with mangled https:// request

 

I have a site where a large-scale communication was sent out saying to go to mysite.com instead of www.mysite.com.

It is a secure SSL site.

I wrote the iRule below to try to fix the lack of the "www". This works on the redirect for "http://mysite.com" but not for "https://mysite.com". This generates an SSL cert error before the iRule changes the host.

I believe the host must be changed before the SSL connection is established. Is there a way to do this?

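    when HTTP_REQUEST {
        # Host lacks the "www." prefix: redirect to the www hostname over HTTPS
        if { not ([HTTP::host] starts_with "www.") } {
            HTTP::redirect "https://www.[HTTP::host][HTTP::uri]"
        } else {
            # Host already starts with "www.": drop any port and send a 301 to HTTPS
            HTTP::respond 301 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
        }
    }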

3 Replies

  • Unfortunately the situation you are in can’t be fixed by an iRule.

    An iRule can’t be run on encrypted traffic, so it must be unencrypted first. If the SSL Certificate is for https://www.website.com and the HTTPS Request is for http://website.com then you are going to get an SSL Certificate Error before the iRule can run and modify the URL.

    iRule Event Order:

    RULE_INIT
    CLIENT_ACCEPTED
    CLIENTSSL_HANDSHAKE
    CLIENTSSL_CLIENTCERT
    HTTP_REQUEST

  • As Michael suggested, you can't fix this with an iRule which redirects to the correct hostname. You could either rewrite the references to https://mysite.com to https://www.mysite.com before the client makes a request to the wrong hostname, or you could get a UCC cert which is valid for www.mysite.com and mysite.com.

    Here are a few related posts:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=19136&ptarget=19143

    http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/aff/5/aft/62114/afv/topic/Default.aspx62143

    Aaron
  • Thanks - It makes sense now. Bad news but makes sense.

    I'll probably end up getting a new cert.
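
The name check that fails before HTTP_REQUEST can fire, as an added example that is not part of the original thread: it compares the hostnames clients were told to use against a certificate's DNS names, using the common RFC 6125 matching rules (a wildcard covers exactly one left-most label). The certificate name lists and function names are constructed for illustration, and the wildcard case goes beyond what the replies mention.

```python
# Added example: which published hostnames does a certificate's name list cover?
# All certificate name lists below are constructed samples, not real certificates.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate dNSName covers host.

    Exact match, or '*' as the entire left-most label standing for one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (reject "*.com")
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_dns_names, host):
    """True if any name on the certificate covers the requested hostname."""
    return any(name_matches(n, host) for n in san_dns_names)


def uncovered_hosts(san_dns_names, hosts):
    """Hostnames that would fail name validation during the TLS handshake."""
    return [h for h in hosts if not cert_covers(san_dns_names, h)]


# Constructed sample data using the thread's placeholder domain.
PUBLISHED_HOSTS = ["mysite.com", "www.mysite.com"]
CERTS = {
    "single-name": ["www.mysite.com"],           # the situation in the question
    "wildcard": ["*.mysite.com"],                # does not cover the bare domain
    "ucc-san": ["www.mysite.com", "mysite.com"],  # the multi-name cert suggested
}


def audit(certs=CERTS, hosts=PUBLISHED_HOSTS):
    """Map each certificate label to the published hostnames it fails to cover."""
    return {label: uncovered_hosts(names, hosts) for label, names in certs.items()}


if __name__ == "__main__":
    for label, missing in audit().items():
        status = "OK" if not missing else "name mismatch for " + ", ".join(missing)
        print(f"{label:12} {status}")
```

Running the same check against the names on the real certificate before a hostname is published shows whether clients will hit the mismatch before any iRule runs.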