Forum Discussion

Ashley_Penney_5's avatar
Ashley_Penney_5
Icon for Nimbostratus rankNimbostratus
Sep 26, 2008

HTTP to HTTPS redirect when 401 received.

Hi,

 

 

We have a very... awkward.. web environment here at work, and I'm hoping that I can get some help here to achieve something. We currently do all the SSL handling on the BigIP, and we're having a problem ensuring that pages with passwords always redirect to https before the client has the chance to pass in their password.

 

 

For reasons that are very very complicated, I can't easily do a rewriterule in apache to handle this, and my latest brainwave is that maybe we could write an iRule to do this. I don't even have an account on the BigIP, so I was hoping I could turn to you guys to see if my idea is fundamentally sound. Based on examples I saw scattered around the forums, I pieced together something like this:

 

 

when HTTP_RESPONSE {

 

Check if the server response is a 401

 

if {[HTTP::status] == 401}{

 

HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]

 

}

 

}

 

 

Would I be able to put something like that in place to ensure we never pass passwords unencrypted?
application delivery
dev
devops
iRules

2 Replies

Sort By
  • Ashley_Penney_5's avatar
    Ashley_Penney_5
    Icon for Nimbostratus rankNimbostratus
    Sep 26, 2008
    I spoke to someone else who suggested this:

     

     

    when HTTP_REQUEST {

     

    set host [HTTP::host]

     

    set uri [HTTP::uri]

     

    }

     

     

    when HTTP_RESPONSE {

     

    if [ [ HTTP::status ] == "401" ] {

     

    HTTP::redirect "https://$host/$uri"

     

    }

     

    }

     

     

     

    Sadly this broke the entire site when I tried putting it in place, but may be a step in the right direction.
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Sep 26, 2008
    It's a good suggestion to explicitly save the values of HTTP::host and HTTP::uri from the request as they aren't saved by default through to the HTTP_RESPONSE event.

    The syntax is slightly off though: 

     
 when HTTP_REQUEST { 
    set host [HTTP::host] 
    set uri [HTTP::uri] 
 } 
  
 when HTTP_RESPONSE { 
    if {[HTTP::status] == 401]}{ 
       HTTP::redirect "https://$host/$uri" 
    } 
 }

    I assume you have an HTTP VIP and an HTTPS VIP and that you're applying this rule to only the HTTP VIP? If you don't have a test BIG-IP, you can create test VIPs on the production BIG-IP to check the iRule.

    Aaron