Forum Discussion

Ashley_Penney_5
Oct 09, 2008

http/https redirection based on URI

Hi,

I'm crafting two new iRules, with the intention of keeping people on HTTPS if the URI contains /secure/, and HTTP if not. I know this is probably a terrible idea, but it's what I've been asked to do!

Currently I have:

    when HTTP_REQUEST {
        set host [HTTP::host]
        set uri [HTTP::uri]

        if { $uri contains "/secure/" } {
            # HTTP::uri already begins with "/", so no separator is needed after the host
            # (the original "$host/$uri" produced a double slash in the redirect)
            HTTP::redirect "https://$host$uri"
        }
    }


and I'll make a reverse rule to put on as well. However, my worry is this will cause mixed-mode content, because URIs like images/banner.png won't contain /secure/, and so we'll get web browser warnings.

Is there any concept or way within an iRule to say 'for the entire page worth of requests, use https', or even 'for 30 seconds use https', or something else much better, to avoid this problem?

8 Replies

  • Well, as we expected it worked fine in Firefox/Safari, but IE still complains about the page containing both secure and non-secure content. Really what I need is the ability to say from the https->http iRule 'if the http->https was triggered immediately before, don't apply this one until the entire page has loaded'.

    I think it may be impossible, however.
  • Aaron,

    Thanks for this! Looks like I have a lot of reading ahead of me. I can grasp the basic idea behind the iRule, but what is a 'stream'? Is that kind of like a 'request', for example, and does it mean it would only apply for the duration of that request? I'm just trying to get to grips with how this works. One of the key requirements is that our redirects go both ways, and that anything NOT /secure/ redirects back to HTTP, so I have to work out how I'd apply this on both sides.
  • A stream profile allows you to rewrite specific strings in the request and/or response body. The rule enables the stream profile only in specific cases, so the stream filter isn't applied to request bodies, or non-text responses, etc.

    If you can provide an anonymized sample of a few requests to /secure/ pages which contain references to http content and the fully qualified links it references, I can try to help tailor the rule. I'm imagining something like:

    http://site.example.com/secure/page1.asp (needs to be redirected to https://...)

    References:
    http://site.example.com/images/image1.jpg
    http://site.example.com/images/image2.jpg
    http://site.example.com/images/image2.gif
    http://site.example.com/images/style1.css

    https://site.example.com/secure/

    References:
    http://site.example.com/images/image3.jpg
    http://site.example.com/images/image4.jpg
    http://site.example.com/images/image5.gif
    http://site.example.com/images/style1.css

    Aaron
  • That's basically what we have. An example of a request to a page that would potentially appear in /secure/ would be like:

    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /library/ask/index.html HTTP/1.1" 200 14651 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/btn.search.gif HTTP/1.1" 200 636 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.headerwrapper.gif HTTP/1.1" 200 53 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/logo.hls.gif HTTP/1.1" 200 1847 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.bodywrapper.gif HTTP/1.1" 200 1137 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.sectionnav.bot.gif HTTP/1.1" 200 3560 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.sectionnav.ul.gif HTTP/1.1" 200 51 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.sectionnav.top.gif HTTP/1.1" 200 543 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bullet.Me8e8e8.gif HTTP/1.1" 200 67 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.layoutwrapper.gif HTTP/1.1" 200 158 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/mainnav.matrix.gif HTTP/1.1" 200 14647 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.pagetitle.gif HTTP/1.1" 200 161 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.sectionnav.section.gif HTTP/1.1" 200 234 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/icon.offsite.gif HTTP/1.1" 200 70 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bg.sectionnav.page.gif HTTP/1.1" 200 77 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /img/bullet.txt.gif HTTP/1.1" 200 44 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /library/ask/3rdshootfemalestudent.jpg HTTP/1.1" 200 130904 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /images-cms/nav-images//active_library_nav_image4.png HTTP/1.1" 200 68427 "https://www.law.harvard.edu/library/ask/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:36:21 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:36:21 -0400] "GET /flash/sifr.lubalin-graph-book.swf HTTP/1.1" 200 82190 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"

    So in this case, I think what's tripping me up is how we're restricting things to content-type text. When I started testing with the rule you crafted, it did this:

    Oct 9 15:43:13 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:43:13 -0400] "GET /library/ask/secure/index.html HTTP/1.1" 200 14651 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:43:13 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:43:13 -0400] "GET /css/print.css HTTP/1.1" 200 3607 "https://www.law.harvard.edu/library/ask/secure/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:43:13 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:43:13 -0400] "GET /css/combined.css HTTP/1.1" 200 55175 "https://www.law.harvard.edu/library/ask/secure/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"
    Oct 9 15:43:13 hlscrap vhost.www-ssl: www.law.harvard.edu 140.247.209.27 - - [09/Oct/2008:15:43:13 -0400] "GET /js/combined.js HTTP/1.1" 200 103397 "https://www.law.harvard.edu/library/ask/secure/index.html" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Version/3.1.2 Safari/525.21"

    So it seemed like, as requested, it got the text-only bits. I'm going to do some testing and tweaking. I was having trouble finding documentation on the general concept of stream; I could only find specific examples for stuff like stream::enable.

  • I think it would make sense to map out the logic before testing more. Here is what I've gathered so far:

    If a request is made via HTTP to a page (an object ending with .html?) with a path that contains /secure/, you want to redirect it from HTTP to HTTPS.

    -- so on the HTTP VIP, redirect any requests to /secure/ pages to HTTPS

    Once the client makes a request via https to a /secure/ page, you want to rewrite the references from http to https in the page content, so the client will request those objects over https as well (to avoid the insecure content warning).

    -- so enable the stream profile on the response to rewrite http:// to https://

    Are there other /secure/ pages which don't have the .html file extension? Are there any requests to the HTTPS VIP which you want to redirect to HTTP?

    Aaron
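The two-sided setup Aaron maps out above, together with the stream-profile mechanism he described in his earlier reply, written out as a pair of iRules. This is an added example, not code from the thread or from F5. It assumes one virtual server on port 80 and one on port 443, the latter with a stream profile attached; site.example.com is the placeholder host from Aaron's reply, and the extension list (.html, .htm, .php) is the one the original poster gives in his next reply.

```tcl
# Added example, not the thread's own iRules. Assumes a port-80 virtual server
# and a port-443 virtual server, the latter with a stream profile attached.
# site.example.com is the placeholder host from Aaron's reply.

# ---- iRule on the HTTP (port 80) virtual server ----
when HTTP_REQUEST {
    # Match on the path only, lower-cased, so query strings and letter case
    # do not affect the decision.
    set path [string tolower [HTTP::path]]
    if { ($path contains "/secure/") &&
         (($path ends_with ".html") || ($path ends_with ".htm") || ($path ends_with ".php")) } {
        # HTTP::uri already starts with "/", so nothing goes between host and URI.
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}

# ---- iRule on the HTTPS (port 443) virtual server ----
when HTTP_REQUEST {
    # The stream filter must not touch request bodies (uploads, form posts).
    STREAM::disable
    # LTM does not decompress server responses before the stream filter sees
    # them, so stop the server compressing by removing the client's offer.
    HTTP::header remove "Accept-Encoding"
    # Remember for the response event whether this request is for a /secure/ page.
    if { [string tolower [HTTP::path]] contains "/secure/" } {
        set secure_page 1
    } else {
        set secure_page 0
    }
}

when HTTP_RESPONSE {
    # Rewrite only text bodies returned for /secure/ pages; images and other
    # binaries pass through untouched.
    if { $secure_page && ([HTTP::header "Content-Type"] starts_with "text/") } {
        # Replace absolute http:// references to this site with https://.
        STREAM::expression {@http://site.example.com/@https://site.example.com/@}
        STREAM::enable
    }
}
```

The stream rewrite only has an effect when the page body contains absolute http:// links to the site; relative references such as /img/logo.hls.gif never match, which is the limitation the original poster runs into further down the thread. The HTTPS-side rule above deliberately does not redirect anything back to HTTP; if that downgrade is also required, its logic belongs in the same HTTP_REQUEST event of the port-443 iRule, since one virtual server runs one ordered set of iRules.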
  • Thanks for helping with this!

    The logic is:

    For requests over 80:

    If the URI contains /secure/, and is .html, .htm (yeahhhh) or .php, rewrite that request to be https.

    For requests over 443:

    If the URI doesn't contain /secure/, rewrite the request back to http.

    ------------

    To start with we just did this with a couple of straightforward redirects, but as you said in your reply the problem is that we need to rewrite any references to http to https in the page content, to avoid the warning.

    However, we're constrained by one problem thanks to the way they built the website. Here's a snippet of the html:

    As you can see, we can't do a replace on http to https, and I just realised that the stream stuff is aimed at rewriting the content of the response. The developers have refused to use absolute URLs, so there's nothing I can do to get http in there.

  • So what about not rewriting HTTPS requests if the path contains /secure/ or the Referer header matches https://*/secure/*? As you note, it looks like it's not an issue of rewriting the response content, just avoiding redirecting an HTTPS request if it was generated from an HTTPS page.

    Aaron
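Aaron's Referer-based suggestion, as an added iRule for the HTTPS (port 443) virtual server. It is not code from the thread or from F5: the glob pattern is the one Aaron wrote, and the only behaviour added is that a match makes the rule skip the HTTPS-to-HTTP redirect instead of applying it.

```tcl
# Added example, not the thread's own iRule. Runs on the HTTPS (port 443)
# virtual server. Everything outside /secure/ is still sent back to HTTP, as
# the original poster was asked to do, except when the request is for a
# /secure/ page or was generated by one (Referer over HTTPS under /secure/).
when HTTP_REQUEST {
    set path    [string tolower [HTTP::path]]
    set referer [string tolower [HTTP::header "Referer"]]

    if { $path contains "/secure/" } {
        # A /secure/ page itself: stay on HTTPS.
        return
    }
    if { $referer matches_glob "https://*/secure/*" } {
        # An image, stylesheet or script embedded in a /secure/ page: stay on
        # HTTPS so the browser does not raise a mixed-content warning.
        return
    }
    # Anything else: downgrade to HTTP. HTTP::uri already starts with "/".
    HTTP::redirect "http://[HTTP::host][HTTP::uri]"
}
```

Two caveats a practitioner should keep in mind. Referer is supplied by the client and is often absent; in the log earlier in the thread the request for /flash/sifr.lubalin-graph-book.swf shows "-" in the referrer field, and a sub-request with no Referer would still be downgraded and trigger the warning. For the same reason a Referer match is an acceptable condition for skipping a downgrade, but it must never be used to grant access to anything under /secure/. The pattern can be tightened to the site's own host (for example "https://[HTTP::host]/secure/*") so that a Referer from another HTTPS site does not keep a request on HTTPS.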
  • Aha, the Referer header might be an idea. I hadn't realised that each request for a .jpg would have a header with the URI of the page that generated the request.

    We were going to try a different idea, but tomorrow I'll experiment with that.