Forum Discussion

ucgwebmaster_95's avatar
ucgwebmaster_95
Icon for Nimbostratus rankNimbostratus
May 21, 2008

http to https for specfic pages

Good Day,

 

 

I am a newbie to the F5 and Irules. I work more on the operations side and our developers have come to me with a task. we have a site. http://my.site.com

 

I have setup a VS for port 80 and a vs for 443. I am using SSL offloading so when the developers attempt to code for requiring SSL it fails. They need to actually put the https link in the code. They are going to redesign the site and only want http://my.site.com/login.aspx and http://my.site.com/checkout.aspx to be https.

 

 

Please help!!!1

3 Replies

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    So you want to inspect traffic and if it's one of those two URLs send it through the HTTPS VS?

    If that's the case, try something like:

     
     when HTTP_REQUEST { 
       switch "[HTTP::host][HTTP::uri]" { 
         "http://my.site.com/login.aspx" - 
         "http://my.site.com/checkout.aspx" - 
         default { 
           HTTP::redirect https://[HTTP::host][HTTP::uri] 
         } 
     } 
     

    That will send an HTTP redirect forcing those two particular URLs to an HTTPS version of the same URL. Just apply the above iRule on the port 80 VS and you should be all set.

    Colin
  • Thank you for the quick response. I just found out that it may be for multiple pages. This rule appears to be a good start though. I will need to test it out to make sure.

     

     

    On a side note,

     

     

    If the developer wanted to require ssl from the code level would I then need to pass the cert from the F5 to the Server?
  • A minor note: [HTTP::host] won't contain the protocol, so you can remove "http://" from the switch cases.

    If the developers want to verify SSL was used for some pages, you could insert a new HTTP header in requests which were received through the HTTPS VIP. This could be done on the HTTP profile of the HTTPS VIP (or in an iRule). You'd want to remove any instances of this custom header from the HTTP VIP to make sure malicious clients couldn't force a request to be interpreted as HTTPS when it was HTTP. The application would then need to check for this additional HTTP header to determine whether the client to BIG-IP connection was over SSL or not.

    Normally, you might consider passing the full certificate in a header if the clients were presenting a client certificate when connecting to the VIP. I'm not sure what the point of passing the SSL cert installed on the VIP to the app would be.

    HTTP example:

     
     when HTTP_REQUEST { 
         Remove all existing HTTP headers with our name 
        while {[HTTP::header exists Https-Enabled]}{ 
      
           HTTP::header remove "Https-Enabled" 
        } 
     } 
     

    Aaron