Greg_Harris_111
Feb 02, 2006

Redirect to HTTPS with no HTTP site

I see in the forums that redirect has been covered a lot. But here is my issue: can I force a client coming in to BIG-IP with http://www.domain.com to https://www.domain.com without having an HTTP VIP listening? All our servers are HTTPS and we currently have to make one additional VIP at port 80 for the iRule to work, thus doubling the number of virtual servers. Am I missing something?

Thanks in advance,

Greg

4 Replies

  • Deb_Allen_18
    Historic F5 Account
    No, you're not missing anything. That is the approach you'll need to take.

    /deb
  • Colin_Walker_12
    Historic F5 Account
    Deb's right on this one. You have to have something listening on port 80 to receive the HTTP traffic, and respond to the client, telling it to re-negotiate on port 443 at the appropriate address.

    -Colin
  • unRuleY_95363
    Historic F5 Account
    You could make a wildcard virtual on port 80 and have the iRule generically redirect to the same virtual on https:

    
    virtual generic_http {
       destination 0.0.0.0:80
       mask 0.0.0.0
       ip protocol tcp
       profile tcp http
       rule generic_redirect
    }
    rule generic_redirect {
       when HTTP_REQUEST {
          # Redirect to the same host over HTTPS; use the virtual's address when no Host header is sent
          if { [HTTP::header exists host] } {
             HTTP::redirect https://[HTTP::host][HTTP::uri]
          } else {
             HTTP::redirect https://[IP::local_addr][HTTP::uri]
          }
       }
    }

    This would allow you to only make the one virtual and rule that generically redirects all http traffic to your https virtuals.

  • To expand on Colin's response, you have the option of setting up a wildcard virtual server that listens on all ports, then use iRules to pick up the ones you are interested in. Here's some sample code to get you started.

    rule http_redirect {
       when CLIENT_ACCEPTED {
          # Only ports 443 and 80 are handled; connections to any other port are discarded
          if { [TCP::local_port] == 443 } {
             set serverport https
          } elseif { [TCP::local_port] == 80 } {
             set serverport http
          } else {
             discard
          }
       }
       when HTTP_REQUEST {
          # Requests that arrived on port 80 are redirected to the same host and URI over HTTPS
          if { [TCP::local_port] == 80 } {
             HTTP::redirect https://[HTTP::host][HTTP::uri]
          }
       }
    }
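
Both redirect rules in the replies build the Location header from the Host header the client sent, so the target name and any `:80` suffix in it are reflected as-is. The rule below is an added example, not code from any poster in this thread: it strips the port from Host and redirects only for names the site serves. The rule name `strict_redirect` and the two hostnames are placeholders (taken from the question's www.domain.com), and it assumes attachment to the port-80 wildcard virtual shown above.

```tcl
rule strict_redirect {
   when HTTP_REQUEST {
      # Host can arrive as "www.domain.com:80"; keep only the name so the
      # HTTP port is not carried into the https:// URL.
      set host [string tolower [getfield [HTTP::host] ":" 1]]

      switch -exact -- $host {
         "www.domain.com" -
         "domain.com" {
            # Placeholder names: list the hostnames that have an HTTPS virtual.
            HTTP::redirect "https://${host}[HTTP::uri]"
         }
         "" {
            # No Host header (HTTP/1.0 client): fall back to the address the
            # client connected to, as the generic rule in the thread does.
            HTTP::redirect "https://[IP::local_addr][HTTP::uri]"
         }
         default {
            # Unknown Host value: do not build a redirect from client input.
            # Only the client address is logged, not the header contents.
            log local0. "strict_redirect: refused unknown Host from [IP::client_addr]"
            reject
         }
      }
   }
}
```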