Forum Discussion

Jeremy__DeVoll_
Aug 17, 2006

SSL and partial page encryption

encryption/decryption occur on the F5; however our Dev team has two requirements for encryption:

I. Full page encryption.

II. Partial page encryption (specific form fields).

Requirement I is fairly straightforward, but I'm not familiar with how to deal with requirement II. I spoke to my F5 rep and he thought that perhaps iRules was the answer but wasn't entirely sure on the specifics, so he directed me here. So my question is thus...

What different methods are used to facilitate partial page encryption (specific form fields only) when the encryption/decryption is occurring on the BigIP?

2 Replies

  • Hi,

    Yes, I think this is possible. You would want to configure a client SSL profile with the SSL certificate and attach that to an HTTPS VIP. You would also create an HTTP VIP to handle the HTTP requests.

    You could then use a stream profile (most efficient) or write a rule that would replace text within the HTML in the HTTP response of the server to force the client to make requests for HTTPS for some of the content. Depending on what content you want to rewrite you may need to attach a stream profile to rewrite the content to both the HTTP and the HTTPS VIPs.

    For details on the stream profile, check this post and the ones it links to:

    Click here

    And keep Deb's tip in mind:

    Don't forget that if you use the stream profile with different length source and target values, and your servers are sending data unchunked, you'll need to enable re-chunking on the HTTP profile, otherwise the Content-Length header will still contain the original (now incorrect) content length value (headers are sent before the stream replacement is performed).

    Aaron
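
The Content-Length caveat from the reply above, modeled as an added Python example (not part of the original post and not F5 code): a response body is rewritten after its headers are fixed, once without and once with re-chunking. The `proxy` function, the sample page and the search string are constructed assumptions.

```python
# Constructed sample: an unchunked origin response whose login form posts over HTTP.
ORIGIN_BODY = (b'<html><body><a href="/news">News</a>'
               b'<form action="http://www.example.com/login" method="post">'
               b'<input name="user"><input type="password" name="pass"></form>'
               b'</body></html>')
ORIGIN_HEADERS = {"Content-Type": "text/html",
                  "Content-Length": str(len(ORIGIN_BODY))}

def chunk_encode(body, size=64):
    """Encode body with HTTP/1.1 chunked transfer coding."""
    out = b""
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return out + b"0\r\n\r\n"

def chunk_decode(wire):
    """Decode a chunked body (no trailers or chunk extensions in this model)."""
    body, pos = b"", 0
    while True:
        eol = wire.index(b"\r\n", pos)
        size = int(wire[pos:eol], 16)
        if size == 0:
            return body
        body += wire[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF

def proxy(headers, body, source, target, rechunk):
    """Hypothetical model of a stream rewrite applied after headers are fixed."""
    headers = dict(headers)
    rewritten = body.replace(source, target)
    if rechunk:
        # Re-chunking drops the stale length and frames the new body itself.
        del headers["Content-Length"]
        headers["Transfer-Encoding"] = "chunked"
        return headers, chunk_encode(rewritten)
    # Content-Length still describes the original, shorter body.
    return headers, rewritten

def client_read(headers, wire):
    """Return the body a client recovers from the framing it was given."""
    if headers.get("Transfer-Encoding") == "chunked":
        return chunk_decode(wire)
    # Bytes past Content-Length are left on the connection, not in this body.
    return wire[:int(headers["Content-Length"])]
```

With `rechunk=False` the client loses one byte for every `http://` that became `https://`; with `rechunk=True` it receives the full rewritten page.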
  • OK,

    So it looks like it's possible. This leads me to the next question: is it prudent? It seems that it would be easier to simply force client requests into HTTPS for specific URLs (e.g. login pages or sign-up pages etc.) and just allow everything on that page to be encrypted. Is there anything to be gained by doing partial page encryption if the SSL offloading is occurring on the BigIP? In running through some cursory thought experiments I don't see any advantages.

    Your thoughts?

    Thanks much.