Forum Discussion

Glenn_Ruffus_10
Dec 18, 2007

Force "www." redirect if missing from HTTPS requests

I am looking for help in writing an iRule that will be used on an HTTPS virtual server. I would like the LTM to examine the HTTP request and if the URL does not include "www." then redirect the browser to come back to the same URL/URI as found in the original request, only with www. put on the front of the URL. I am doing this so that the requested URL will always match the URL on the digital certificate. I'd like the iRule to be generic so that it can be applied to any virtual server regarding any URL/URI.

Example:

If an HTTP(S) request comes in for fred.flintstone.com/pebbles/dino...

then redirect the browser to come back as: https://www.fred.flintstone.com/pebbles/dino...

If the HTTP(S) request comes in for www.fred.flintstone.com/pebbles/dino... then don't take any further action because the requested URL matches the URL on the digital certificate.

Thanks.

Glenn

6 Replies

  • Colin_Walker_12
    Historic F5 Account
    For this kind of a rule all you'd need is something like:

    
    when HTTP_REQUEST {
      if { ! ( [HTTP::host] starts_with "www." ) } {
        HTTP::redirect "https://www.[HTTP::host][HTTP::uri]"
      }
    }

    Keep in mind, though, that you'll have to have a Client SSL profile assigned to this Virtual, which will decrypt the data to allow TMoS to inspect it.

    HTH,

    Colin
  • Thanks, Colin. I have not had the time (obviously) to learn about the iRules so I have no skill. Sorry if this question is a stupid one.

    It looks to me like the iRule that you are suggesting reads along the lines of: when there is an HTTP request, look at it and if you *do* find www. then redirect back to www.[URL][URI]. I'm sorry if I'm wrong about this. Our certs use the www. and I am looking for an iRule that will leave things alone if the user comes in with the www. in the request but will redirect them to come back with the cert-matching www. if they don't have it in their request.

    Would you please clarify?

    Thanks much!

    Glenn
  • Hi Glenn,

    The exclamation point in the condition check negates the test. So it's looking for host values not starting with "www.". If you want to make it more clear you could replace the ! with 'not':

    if { not ( [HTTP::host] starts_with "www." ) } {

    Aaron
  • Thanks, Aaron.

    I now have this iRule in place on the HTTPS virtual server:

    when HTTP_REQUEST {
      if { not ( [HTTP::host] starts_with "www." ) } {
        HTTP::redirect "https://www.[HTTP::host][HTTP::uri]"
      }
    }

    The iRule works *once it is invoked* but it is invoked *after* the SSL handshake occurs. It is an HTTP_REQUEST iRule so the SSL session negotiation happens before the HTTP request is processed. Part of the SSL negotiation involves comparing the requested URL with the URL defined on the cert. So, the security alert comes up based on a mismatch between the requested URL (with no www.) and the URL on the cert (with the www.).

    Is there a way to make the above iRule get invoked *before* the SSL negotiation? Doesn't seem like it but I thought that I would ask.

    Thanks.

    Glenn
  • Colin_Walker_12
    Historic F5 Account
    Ahh, I was a little concerned this is the turn this thread would take. :-/

    The short answer is: Unfortunately, no, there is no way that we can get the iRule to do host inspection before the SSL negotiation.

    A slightly longer version: If you think about the data that you're trying to inspect when reading the HTTP host name, you're trying to access information that is inside the HTTP headers. Those headers are encrypted via SSL for security. So until you decrypt the transaction with the proper SSL negotiation, that data is unreadable.

    This is a question we've been asked a lot, and is very much a chicken and egg scenario.

    I wish I could be of more help.

    Colin
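The following is an added example, not code from this thread, from F5 or from any of the posters. It models in plain Python two things the thread covers: the HTTP_REQUEST iRule Colin posted (the "www." prefix check and the `https://www.[HTTP::host][HTTP::uri]` redirect target), and the ordering problem Colin's last reply explains, where the browser compares the hostname it connected to against the certificate's names during the TLS handshake, before any HTTP header is available to an iRule. It goes slightly beyond the thread: the prefix check is case-insensitive (TCL's `starts_with` is case-sensitive, so the literal rule would send `WWW.example.com` to `www.WWW.example.com`), a `host:port` value is handled, and a second constructed certificate whose names cover both the bare and the www hostname shows the combination under which the redirect actually gets a chance to run. The functions `redirect_target`, `cert_matches_host` and `connection_outcome`, the hostnames and the certificate name lists are all constructed for this example; the wildcard matching is a simplification of what browsers do, not a full implementation.

```python
"""Plain-Python model of the www-redirect iRule and of the TLS-before-HTTP
ordering discussed in the thread. Added example; all names are constructed."""
from typing import List, Optional


def redirect_target(host_header: Optional[str], uri: str, scheme: str = "https") -> Optional[str]:
    """Return the redirect URL when the Host header lacks a leading 'www.',
    or None when the request should pass through untouched.

    Mirrors HTTP::redirect "https://www.[HTTP::host][HTTP::uri]": the original
    Host value (port included) and URI are kept, only the prefix is added.
    Unlike TCL's starts_with, the test here is case-insensitive, and a request
    without a Host header is left alone rather than sent to 'https://www.' + uri.
    """
    if not host_header:
        return None
    hostname = host_header.split(":", 1)[0]  # ignore any :port for the test
    if hostname.lower().startswith("www."):
        return None
    return f"{scheme}://www.{host_header}{uri}"


def cert_matches_host(host: str, cert_names: List[str]) -> bool:
    """Exact match, or a single-label wildcard ('*.example.com' matches
    'a.example.com' but not 'example.com'). Simplified RFC 6125-style check,
    enough to model why the browser warns on a bare hostname."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") >= 2:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def connection_outcome(host: str, uri: str, cert_names: List[str]) -> str:
    """Walk the events in the order the LTM sees them on an HTTPS virtual:
    the TLS handshake (where the client checks the certificate names) comes
    first; HTTP_REQUEST, and therefore the iRule, only runs after decryption."""
    hostname = host.split(":", 1)[0]
    if not cert_matches_host(hostname, cert_names):
        # The client has already raised its warning; no HTTP header has been
        # read yet, so the redirect logic never had a chance to run.
        return "certificate name mismatch: warning shown before HTTP_REQUEST"
    target = redirect_target(host, uri)
    if target is not None:
        return f"302 -> {target}"
    return "pass through to pool"


# Constructed certificate name sets: the thread's situation (www only) and a
# certificate whose names also cover the bare hostname.
CERT_WWW_ONLY = ["www.fred.flintstone.com"]
CERT_BOTH = ["www.fred.flintstone.com", "fred.flintstone.com"]

if __name__ == "__main__":
    for label, cert in (("www-only cert", CERT_WWW_ONLY), ("cert with both names", CERT_BOTH)):
        for host in ("fred.flintstone.com", "www.fred.flintstone.com"):
            print(f"{label:22s} {host:26s} -> {connection_outcome(host, '/pebbles/dino', cert)}")
```

Running the block prints the four combinations: with the www-only certificate the bare hostname never reaches the iRule, matching what Glenn observed; with a certificate that also lists the bare name, the handshake completes, HTTP_REQUEST fires, and the bare request is redirected to the www URL while the www request passes through.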