fita_30888
Jul 27, 2009

serverside SSL

Hi there,

I have a customer with a weird requirement. They have an application server that only supports HTTP communication. However, for one reason or another they need this server to be able to talk to an HTTPS server. To put it in other words, they have an HTTP client who needs to talk to an HTTPS server.

My idea was that I'll put a virtual server with a server-side SSL profile and it would work. The question is: is it possible to use server-side SSL without having the client side using SSL as well?

thanks

7 Replies

  • That should work fine. If the web app uses absolute references to https:// in response headers or content, you might need to rewrite them to http://. But give it a shot first and see if it works as is.

    Aaron
  • Cheers for the reassurance! The confguide says "re-encrypting a decrypted request" so I was in doubt. As for the replace, would an iRule with switch do the job?

    thanks
  • Re-encrypting a decrypted request is the most common (but not only) use case for server SSL. If you need to rewrite the response headers, you could use 'HTTP::header replace'. For response content, you could use a blank stream profile and a STREAM::expression iRule.

    Here are a few examples:

    http://devcentral.f5.com/wiki/default.aspx/iRules/RewriteHTTPRedirectHostname.html

     
      when HTTP_RESPONSE {

         # Check if server response is a redirect
         if { [HTTP::header is_redirect]} {

            # Log original and updated values
            log local0. "Original Location header value: [HTTP::header value Location],\
               updated: [string map -nocase "https:// http://" [HTTP::header value Location]]"

            # Do the update, replacing https:// with http://
            HTTP::header replace Location [string map -nocase "https:// http://" [HTTP::header value Location]]
         }
      }
     

    And for payload rewriting:

    http://devcentral.f5.com/wiki/default.aspx/iRules/STREAM__expression.html

     
      when HTTP_RESPONSE {

         # Disable the stream filter by default
         STREAM::disable

         # Check if response type is text
         if {[HTTP::header value Content-Type] contains "text"}{

            # Replace https:// with http://
            STREAM::expression "@https://@http://@"

            # Enable the stream filter for this response only
            STREAM::enable
         }
      }
     

    As the payload size would change for the stream iRule rewrite, you'll need to set the HTTP profile option for chunking to rechunk.

    Again, I'd suggest you try the scenario without iRules to start with. It's quite possible you won't need any iRules.

    Aaron
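
Why the rechunk setting matters, as an added example that is not part of the original reply or of F5's code: a small Python model (not BIG-IP internals) of the stream rewrite applied to a constructed response. Each `https://` to `http://` replacement shortens the body by one byte, so the backend's Content-Length goes stale and the body has to be re-framed as chunked; the sample response and all function names are made up for the illustration.

```python
# Constructed sample: a backend response containing absolute https:// links.
BODY = (b'<a href="https://app.example.com/login">Login</a>'
        b'<img src="https://app.example.com/logo.png">')
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def parse(raw):
    """Split a raw response into status line, header list and body."""
    head, body = raw.split(b"\r\n\r\n", 1)
    status, *lines = head.split(b"\r\n")
    headers = [tuple(p.strip() for p in l.split(b":", 1)) for l in lines]
    return status, headers, body

def header(headers, name):
    """Case-insensitive header lookup; returns b"" when absent."""
    return next((v for k, v in headers if k.lower() == name), b"")

def stale_length_gap(raw):
    """Bytes by which the backend's Content-Length overstates the rewritten body."""
    _, headers, body = parse(raw)
    return int(header(headers, b"content-length")) - len(body.replace(b"https://", b"http://"))

def rewrite(raw):
    """Rewrite https:// to http:// in text bodies, then re-frame as chunked."""
    status, headers, body = parse(raw)
    if b"text" not in header(headers, b"content-type"):
        return raw, 0                      # non-text payloads pass through untouched
    hits = body.count(b"https://")
    body = body.replace(b"https://", b"http://")
    # Each replacement drops one byte, so the old Content-Length is wrong:
    # remove it and send the new body as a single chunk plus terminator.
    headers = [(k, v) for k, v in headers if k.lower() != b"content-length"]
    headers.append((b"Transfer-Encoding", b"chunked"))
    head = b"\r\n".join([status] + [k + b": " + v for k, v in headers])
    chunk = b"%x\r\n%b\r\n" % (len(body), body) if body else b""
    return head + b"\r\n\r\n" + chunk + b"0\r\n\r\n", hits

if __name__ == "__main__":
    out, hits = rewrite(SAMPLE)
    print(hits, "replacements, Content-Length stale by", stale_length_gap(SAMPLE), "bytes")
    print(out.decode())
```
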
  • Hello again,

    We have tested it, but we've only got success when the virtual address is on :443. As the requests are coming in on :80, I was thinking of inserting the port into the request via something like this:

      when HTTP_REQUEST {
         # Only add a port if the Host header does not already carry one
         if { not ([HTTP::host] contains ":") } {
            HTTP::header replace Host "[HTTP::host]:443"
         }
      }

    I'm trying to replace the :80 with :443 in this iRule.

    cheers
  • What fails when the VS is on port 80? Does the client get any response? Can you capture a tcpdump on LTM and use a browser plugin like HttpFox for FF or Fiddler for IE to see what's happening?

    Aaron
  • Hi,

    I'll have it retested later today, get the tcpdump and look into the HTTP headers, as I'm un. When the VIP is on 80 and the pool is on 443, then the client gets no response at all. It just opens a TCP session, waits and eventually times out. When they set the pool to 80 and the VIP with no serverside SSL, they got through. And when they set the VIP on 443 and the pool on 443, they get to the page. The LTM is running 9.4.x
  • Aaron,

    They had port translation disabled on the VIP; after enabling it everything works fine!

    Thanks for your help!