Richard__Harlan
Historic F5 Account
Jul 24, 2006

SSL offload with PHP

We have a home-grown PHP app that is now moving behind our BigIP. We want to move all SSL processing off the server and let the BigIP do it for us. The problem is in the PHP code they are using $_SERVER['HTTPS']. This variable is being picked up through Apache; if it is set it is using HTTPS, otherwise it is using HTTP. Does anyone know of a way to get around this? Thanks

5 Replies

  • Is this just a matter of passing in an HTTP header with a name of "HTTPS"? I believe the default HTTP header for SSL connections is:

    "HTTPS" = "on"

    If so, it might be as simple as inserting the header with the "HTTP::header insert" command.

    when HTTP_REQUEST {
      HTTP::header insert "HTTPS" "on"
    }

    -Joe
  • I just re-read your post and maybe I didn't get your question correct? My solution shows how to insert the HTTPS header when one isn't present. I'm not sure now if that is what you are getting at.

    -Joe
  • Richard__Harlan
    Historic F5 Account
    Long story short, we have a homegrown application that was running at an outside hosting site. The application is a PHP application that is using SSL. When SSL is run on the server there is no problem. If I offload SSL to the BigIP the script will redirect back to SSL since it thinks it is talking over HTTP. Of course it works just fine with ServerSSL profile, but the whole goal is to remove SSL overhead from the server altogether for this app. The problem comes when the application checks for HTTP; it uses if !(isset ($_SERVER['HTTPS'])) {redirect to https, something like that. What I am hoping to find is a way to make the application think it is talking over 443 even if it uses 80. If it cannot be done, there is a major upgrade of the application late this year and I will get it changed then.

    If I add the header HTTPS on, Apache knows something is wrong and throws the following error.

    Your browser sent a request that this server could not understand.

    Reason: You're speaking plain HTTP to an SSL-enabled server port.

    Instead use the HTTPS scheme to access this URL, please.

  • That's the only way I can think to bypass your application logic. If Apache is choking when you pass HTTP traffic with the HTTPS header value set, and that is the value that your application is checking for to determine whether to redirect or not, then I'm not sure there is anything you can do outside of modifying your application to remove this check.

    Anyone else have any ideas?

    -Joe
  • Is the only issue that the app uses HTTPS in links and redirects, if you use the BIG-IP to decrypt the SSL and send HTTP traffic to the app?

    If so, I think you could either change the app to use relative links or hard code the app to use HTTPS. If this isn't possible, you could use a stream profile on the BIG-IP to rewrite the HTTP links in the content to HTTPS and rewrite the Location header in redirects using a rule.

    If I'm missing something, please provide more detail on the issue(s) you find when having the BIG-IP decrypt the traffic.

    Aaron
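
An added example, not from any poster in the thread: a PHP shim that sets $_SERVER['HTTPS'] for the application only when the request arrives from the BIG-IP and carries a header saying the client side used SSL, so a client that reaches Apache directly cannot forge it. Assumptions: the header name X-Forwarded-Proto, the address 192.0.2.10, the function name apply_offload_shim, and that the BIG-IP uses SNAT and overwrites any client-supplied copy of the header.

```php
<?php
// Added example, not from the thread. Load before the application,
// for instance through PHP's auto_prepend_file setting.

// Constructed value: the address Apache sees the BIG-IP connect from.
const TRUSTED_PROXIES = ['192.0.2.10'];

/**
 * Return a copy of $server in which HTTPS is set only when a trusted
 * proxy reports that the client side of the connection used SSL.
 */
function apply_offload_shim(array $server, array $trustedProxies): array
{
    // Apache terminated SSL itself: nothing to do.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return $server;
    }
    $peer  = $server['REMOTE_ADDR'] ?? '';
    // Assumed header name; PHP exposes request headers as HTTP_* keys.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));

    if (in_array($peer, $trustedProxies, true) && $proto === 'https') {
        $server['HTTPS'] = 'on';        // what isset($_SERVER['HTTPS']) looks for
        $server['SERVER_PORT'] = '443';
    } else {
        // Untrusted peer or plain HTTP: keep isset() false so the
        // application's redirect to https still fires.
        unset($server['HTTPS']);
    }
    return $server;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests to show the three outcomes.
    $samples = [
        'via BIG-IP, client used SSL'  => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
        'via BIG-IP, client used HTTP' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'http'],
        'direct client forging header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
    ];
    foreach ($samples as $label => $req) {
        $out = apply_offload_shim($req, TRUSTED_PROXIES);
        printf("%-30s HTTPS %s\n", $label, isset($out['HTTPS']) ? 'set' : 'not set');
    }
} else {
    $_SERVER = apply_offload_shim($_SERVER, TRUSTED_PROXIES);
}
```

Run from the command line, the script prints the outcome for the three constructed requests; only the first one ends with HTTPS set.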