Forum Discussion

diana_24252
May 08, 2008

Redirect to HTTPS doesn't work properly

Description of the problem:

Web site: testcustompoint.rrd.com (it is a test-only site, so there is an SSL name error)

The web server redirects you to HTTPS, and once the login page opens the browser address changes to:

https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050811

At this point, if you delete only the letter “s” in the HTTPS and hit Enter, the page will load in HTTP and will not redirect to HTTPS. Obviously this is a major security issue.

The web team only wants the login page to be secure and not all the pages.

I set up the following iRule:

    when HTTP_REQUEST {
       if { [HTTP::uri] starts_with "/xs2/prelogin" } {
          HTTP::redirect "https://[HTTP::host][HTTP::uri]"
       }
    }

This iRule did not fix the security issue I described above. I tried a few different modifications of a redirect iRule, but no luck yet.

Any help will be greatly appreciated!

9 Replies

  • Do you have the iRule attached to the HTTP VIP? If so, the rule should not allow an HTTP request to a URI starting with /xs2/prelogin. If you're seeing this, try to add logging to see exactly what's happening:

     when HTTP_REQUEST {
        log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]: new HTTP request to [HTTP::uri]"
        if { [HTTP::uri] starts_with "/xs2/prelogin" } {
           log local0. "[IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]: URI started with /xs2/prelogin, redirecting to https"
           HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
     }

    The log output is written to /var/log/ltm by default.

    Aaron
  • The iRule was and is attached to the VIP. I modified it to log as you advised and I am attaching the log file.

    Thank you!
  • I don't see any requests in the log which start with /xs2/prelogin. Can you confirm the URI for the login page?

    Aaron
  • Well, this is what the developer told me to use for the iRule. Like you say, I didn't see that either in the log, but when you open the site it is what is displayed in the address bar. You can test it yourself; the site is available on the Internet.
  • Here are the series of requests and responses I saw:

    Request to: http://testcustompoint.rrd.com/?___________________________aaron_is_testing - 302 redirect to http://testcustompoint.rrd.com/xs2/?CMPID=126

    Request to: http://testcustompoint.rrd.com/xs2/?CMPID=126 - 302 redirect to https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802

    Request to: https://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802 - 200 OK response

    Manually removed the 's' from https:// and made a request to: http://testcustompoint.rrd.com/xs2/prelogin?CMPID=126&qwerty=08050802 - 200 OK response

    Can you check what URIs were logged on the BIG-IP for these three HTTP requests? I would think the log should show requests to /xs2 and /xs2/prelogin.

    Aaron
  • I'm sorry, I had stopped the logging as the file was getting big. I asked the developer to look at it and give me another string.

    I enabled the logging again. Can you try that test please?

    Thank you!
  • I just tried the same sequence. My IP starts with 90.193.139.

    Aaron
  • Aaron,

    The firewall seems to be NATing all incoming IPs and it all looks like it comes from 1 IP address, but I saved all the logs since I re-enabled the logging and I am attaching them here.
  • I don't see any of the HTTP requests I made in the iRule's entries in the LTM log file. Are you sure the iRule is attached to the VIP to which requests to testcustompoint.rrd.com are NAT'd?

    Here is a list of the non-image objects that were listed in the ltm log file:

    /style/3880.css
    /xs2/campaigns/managecampaigns
    /xs2/global/javascript/common.js
    /xs2/items/itemdetails
    /xs2/items/itemhome
    /xs2/items/itemmaintenance

    I would have expected to see two requests with "aaron" in the URI. I didn't see that. Nor were there any requests to /xs2/prelogin. So there weren't any HTTP requests which were redirected to HTTPS.

    I would guess the iRule isn't attached to the correct VIP or the firewall is NATing the requests directly to a webserver.

    Aaron
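The two checks Aaron runs against /var/log/ltm (did the marked test requests reach this iRule at all, and was every plain-HTTP request for /xs2/prelogin actually redirected) can be automated over the log lines the logging iRule above emits. This is an added example, not code from the thread or from F5; the syslog prefix, the rule name `redirect_prelogin` and the sample lines are constructed, and only the message body matches the iRule's two log calls.

```python
import re

# Constructed sample /var/log/ltm lines shaped like the output of the logging
# iRule in the thread. Syslog prefix and rule name are assumed; the message
# body after the rule name matches the iRule's two log calls exactly.
SAMPLE_LTM_LOG = """\
May  8 11:02:13 bigip1 tmm[1234]: Rule redirect_prelogin <HTTP_REQUEST>: 90.193.139.7:51234 -> 10.1.1.20:80: new HTTP request to /?___aaron_is_testing
May  8 11:02:13 bigip1 tmm[1234]: Rule redirect_prelogin <HTTP_REQUEST>: 90.193.139.7:51235 -> 10.1.1.20:80: new HTTP request to /xs2/prelogin?CMPID=126&qwerty=08050802
May  8 11:02:13 bigip1 tmm[1234]: Rule redirect_prelogin <HTTP_REQUEST>: 90.193.139.7:51235 -> 10.1.1.20:80: URI started with /xs2/prelogin, redirecting to https
May  8 11:02:20 bigip1 tmm[1234]: Rule redirect_prelogin <HTTP_REQUEST>: 10.0.0.5:40001 -> 10.1.1.20:80: new HTTP request to /style/3880.css
May  8 11:02:21 bigip1 tmm[1234]: Rule redirect_prelogin <HTTP_REQUEST>: 10.0.0.5:40002 -> 10.1.1.20:80: new HTTP request to /xs2/prelogin?CMPID=126
"""

REQUEST_RE = re.compile(r"(?P<client>\S+:\d+) -> \S+:(?P<vport>\d+): new HTTP request to (?P<uri>\S+)")
REDIRECT_RE = re.compile(r"(?P<client>\S+:\d+) -> \S+:\d+: URI started with \S+, redirecting to https")


def parse_ltm_log(text):
    """Return (client, vip_port, uri, redirected) per logged request. A
    'redirecting to https' line is paired with the latest request logged for
    the same client:port, because the redirect line carries no URI."""
    requests = []        # [client, vip_port, uri, redirected]
    last_by_client = {}  # client:port -> index of its latest request
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            last_by_client[m["client"]] = len(requests)
            requests.append([m["client"], int(m["vport"]), m["uri"], False])
            continue
        m = REDIRECT_RE.search(line)
        if m and m["client"] in last_by_client:
            requests[last_by_client[m["client"]]][3] = True
    return [tuple(r) for r in requests]


def unredirected_protected(text, prefix="/xs2/prelogin"):
    """Requests for the protected prefix that hit this VIP and were NOT redirected."""
    return [(c, uri) for c, _, uri, redirected in parse_ltm_log(text)
            if uri.startswith(prefix) and not redirected]


def diagnose(text, prefix="/xs2/prelogin", marker="aaron"):
    """Aaron's reasoning: no marker and no protected-prefix requests means the
    iRule is on the wrong VIP or traffic bypasses the BIG-IP entirely."""
    reqs = parse_ltm_log(text)
    if not any(marker in uri or uri.startswith(prefix) for _, _, uri, _ in reqs):
        return "no-requests-seen"
    return "redirect-missing" if unredirected_protected(text, prefix) else "redirect-ok"
```

`unredirected_protected` is the list worth alerting on: a protected URI logged on the HTTP VIP without a matching redirect line is the exact gap the original poster demonstrated by deleting the "s".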