Forum Discussion

andyr0ck_5031
Jun 13, 2008

Selective SSL rewrite by hostname

Hi,

I'm running a Blackboard e-learning system with SSL offload using a simple rewrite rule to only encrypt text/html (due to problems with binary formats) and I need to also exclude any traffic from a certain domain from that rewrite as it looks like the rewrite is causing issues.

Would I change the existing rewrite iRule or write another separate rule to do the other check?

Here's the existing rule:

    when HTTP_RESPONSE {
        HTTP::header remove "Pragma"
        if { [HTTP::header Content-Type] contains "text/html;charset=UTF-8" } {
            STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@"
        }
    }

Cheers,

Andy Rock

7 Replies

  • Hamish
    What do you mean problems with binary formats? Is only encrypting the text/html going to be sufficient for privacy?
  • Certain content types aren't rendering properly in IE (namely SCORM content with Flash zipped up) and that rewrite was suggested to me by another sys admin. Security-wise, I wouldn't have thought this was _too_ bad as the traffic worth snooping is encrypted.
  • Hamish
    To answer your original question, it's six of one, half a dozen of the other with regards to whether you should rewrite the existing iRule or create another... Personally, I try and keep a set of generic rules, and only when necessary create specific ones for doing things like re-writing.

    However, I see what you're doing (altering content within the stream; I understand now why you're having problems with binary). I prefer not to rewrite references within the body if at all possible (I know, sometimes it just isn't).

    On the other hand, most browsers will complain if you're running mixed secure/non-secure content on the same page (or should do).

  • Yeah, browsers are complaining a little. On the whole, though, the nag box is a lesser evil so we're going with it.
  • This is the rule I came up with (my TCL is awful!) but I get syntax errors:

        when HTTP_RESPONSE {
            HTTP::header remove "Pragma"
            if { [HTTP::header Content-Type] contains "text/html;charset=UTF-8" and [IP::addr [IP::remote_addr] not_equals 208.57.158.0/255.255.255.0 ] } {
                STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@"
            }
        }

    Can anybody help with this? Have I got the logic completely wrong?
  • It would be good to disable the stream filter by default and then enable it for specific responses. This ensures that the stream filter isn't applied on subsequent HTTP responses on the same TCP connection.

    I'm not sure if you're trying to check the client IP address or the server IP address. IP::remote_addr in a serverside event context (like HTTP_RESPONSE) will return the server IP. If you want to check the client IP, you can use IP::client_addr (in any context).


        when HTTP_RESPONSE {
            # Remove the Pragma header
            HTTP::header remove "Pragma"

            # Disable the stream filter by default
            STREAM::disable

            if { [HTTP::header Content-Type] contains {text/html;charset=UTF-8} and not ([IP::addr [IP::remote_addr] equals 208.57.158.0/255.255.255.0]) } {
                # Set a stream expression
                STREAM::expression "@http://system.college.ac.uk@https://system.college.ac.uk@"

                # Enable the stream profile for this response
                STREAM::enable
            }
        }

    Aaron
  • Thanks, Aaron. Yes, it's the client IP we're after. The problem wasn't with this rule, it was with a 'catch-all' rule we had listening on the insecure port to redirect all traffic to the SSL port. Turnitin seems to require to connect on 80 then renegotiate to 443. I hashed together this out of your code:

        when HTTP_REQUEST {
            # Remove the Pragma header
            HTTP::header remove "Pragma"

            if { ([IP::addr [IP::client_addr] equals 208.57.158.0/255.255.255.0]) } {
                # Exempt range: allow the request through on the insecure port
            } else {
                HTTP::redirect https://[HTTP::host][HTTP::uri]
            }
        }

    cheers,

    Andy
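Pulling the thread's pieces together (Aaron's disable-by-default pattern, the client-IP check, and Andy's exemption), here is an added example iRule that is not code from any participant. It assumes a stream profile is attached to the SSL-offload virtual server and reuses the thread's exempt range 208.57.158.0/24 and host system.college.ac.uk; the Accept-Encoding removal, the per-request exemption variable and the looser Content-Type match go beyond what the thread shows.

```tcl
# Added example, not from the thread. Runs on the SSL-offload virtual server;
# STREAM:: commands need a stream profile attached to that virtual.
# Assumed values: exempt client range and hostname are the thread's own,
# everything else is illustrative.

when HTTP_REQUEST {
    # The stream filter only matches plain text: drop Accept-Encoding so the
    # server does not return a gzip body the filter cannot rewrite.
    HTTP::header remove "Accept-Encoding"

    # Decide the exemption once per request from the client address.
    # IP::client_addr is the client in every event; IP::remote_addr would be
    # the server once we are in HTTP_RESPONSE. The variable set here is
    # visible to HTTP_RESPONSE for the same request.
    if { [IP::addr [IP::client_addr] equals 208.57.158.0/255.255.255.0] } {
        set rewrite_exempt 1
    } else {
        set rewrite_exempt 0
    }
}

when HTTP_RESPONSE {
    HTTP::header remove "Pragma"

    # Off by default, so a keep-alive connection does not carry the filter
    # from one rewritten HTML response into the next binary one.
    STREAM::disable

    if { [info exists rewrite_exempt] && $rewrite_exempt } {
        return
    }

    # Match the media type rather than the exact charset string, so both
    # "text/html" and "text/html; charset=utf-8" are rewritten.
    if { [string tolower [HTTP::header Content-Type]] starts_with "text/html" } {
        STREAM::expression {@http://system.college.ac.uk@https://system.college.ac.uk@}
        STREAM::enable
    }
}
```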