Forum Discussion

katekattar_4936
Jun 17, 2009

iRule to prevent mixed content

Hi - We have what looks like a fairly simple issue, but I can't crack it. We are trying to send all HTTP traffic to HTTPS with this iRule:

On VIP-80

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/paymentoptionshome/payments" } {
            HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        }
    }

Then send all HTTPS traffic to HTTP using this iRule:

On VIP-443

    when HTTP_REQUEST {
        if { (!( [HTTP::uri] starts_with "/paymentoptionshome/payments")) and ([TCP::local_port] == 443) } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    }

Having this second iRule in place is forcing mixed content when accessing the URI /paymentoptionshome/payments. We can't have mixed content as the padlock doesn't show and the business is not keen to not show the padlock. Ideally we want the iRule to look something like this:

    class file_extensions {
        ".gif"
        ".htm"
        ".html"
        ".jpg"
        ".js"
        ".css"
        ".swf"
        ".jpeg"
        ".pdf"
    }

    when HTTP_REQUEST {
        if { (!( [HTTP::uri] starts_with "/paymentoptionshome/payments") and [matchclass $uri ends_with $::file_extensions] > 0 ) and ([TCP::local_port] == 443) } {
            HTTP::redirect "http://[HTTP::host][HTTP::uri]"
        }
    }

But this doesn't work. Can anyone help?

Thanks

Kate

3 Replies

  • Hi Kate,

    Why do you want to not serve that specific URI via HTTPS? As you've found, most browsers will generate an insecure content warning and none will show the padlock if the client is redirected to HTTP. The simple solution is to not redirect requests to that URI to HTTP.

    Aaron
  • Perhaps I have the entire logic incorrect. What we are trying to do is force SSL when using part of our website (to enter card details), and ensure users can't get to SSL at any other time. So we want all requests for /paymentoptionshome/payments to be HTTPS, and everything else HTTP.

  • You would have to not redirect any element on the page to avoid the mixed content problem. Right now your logic prevents redirecting /paymentoptionshome/payments but that probably only covers the html on the page. I suspect that the images, css, etc. on that page have a different URI and are thus getting redirected to HTTP, causing the mixed content warning (understand that every element on the page is a separate GET and thus a separate connection that passes through the iRule).

    Denny
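
The effect described in the last reply can be checked offline. The following Python sketch is an added example, not part of the thread: it models the VIP-443 rule and applies it to every subresource of a constructed payments page to list the elements that would end up on HTTP. The host name www.example.com, the sample HTML and all function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SECURE_PREFIX = "/paymentoptionshome/payments"  # prefix used in the thread's iRules
PAGE_URL = "https://www.example.com/paymentoptionshome/payments"  # assumed host

# Constructed sample page: three assets live outside the secure prefix.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/checkout.js"></script>
</head><body>
<img src="/images/logo.gif">
<img src="/paymentoptionshome/payments/cards.gif">
<a href="/home">Home</a>
</body></html>"""

class SubresourceParser(HTMLParser):
    """Collect URLs the browser fetches on its own while rendering a page."""
    ATTRS = {"img": "src", "script": "src", "link": "href", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)  # None for tags such as <a>
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def vip443_redirect(url):
    """Model of the VIP-443 rule: return the HTTP redirect target, or None."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    if parts.scheme != "https" or uri.startswith(SECURE_PREFIX):
        return None
    return "http://" + parts.netloc + uri

def mixed_content(page_url, html):
    """Return (reference, final URL) for each subresource that lands on HTTP."""
    parser = SubresourceParser()
    parser.feed(html)
    findings = []
    for ref in parser.urls:
        absolute = urljoin(page_url, ref)  # each element is its own request
        final = vip443_redirect(absolute) or absolute
        if urlsplit(final).scheme == "http":
            findings.append((ref, final))
    return findings

if __name__ == "__main__":
    for ref, final in mixed_content(PAGE_URL, SAMPLE_PAGE):
        print(f"{ref} -> {final}")
```

Only the image under the payments prefix stays on HTTPS; the stylesheet, script and logo are each redirected to HTTP, which is what removes the padlock.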