Forum Discussion

Katherine_G_106
Oct 29, 2009

examining the "http://" portion of a url

Hi!

I need help to learn how to examine the "http://" or "https://" part of a url in an http_request. I know it's not [HTTP::host] or [HTTP::uri]. Surely there must be a method for doing this?

thanks!

Katherine

8 Replies

  • Hi Katherine,

    If you check the actual HTTP headers the browser sends on normal HTTP or HTTPS requests, the protocol of http:// or https:// is not included anywhere. The protocol of HTTP or HTTPS in links tells the browser how to open the connection and whether to use SSL or not. The main exception to this that I've seen is when clients connect to a web proxy and include an absolute URL in the request line:

    GET http://www.google.com/search HTTP/1.1

    Can you elaborate on what you're trying to do?

    You might be able to use the destination TCP port (retrieved using TCP::local_port in a clientside event like CLIENT_ACCEPTED or HTTP_REQUEST). Or you could check if there is a client SSL profile enabled on the virtual server using [PROFILE::exists clientssl]==1. I've read on the forums that using PROFILE:: commands has a higher overhead than checking the TCP port.

    Aaron
  • Sure. I have a number of virtual servers that run on non-standard ports.

    For example, http://myserver.com:81. I have configured an SSL profile that allows non-encrypted connections so a user can connect using either http://myserver.com:81 OR https://myserver.com:81.

    Now I need to enforce a redirect from HTTP to HTTPS. The only thing that is different about the url is the presence or absence of the "S".

    Maybe there is another way to do this... is there another way to test for encrypted vs non-encrypted?

    thanks!

    Katherine
  • Yes, check this thread out:

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1258

    You may just want to set a yea/nay variable instead of disabling ssl, but this should get you pointed in the right direction

    HTH....Jason
  • spark_86682
    Historic F5 Account
    You can use the "SSL::cipher version" command, which will return "None" if there is no SSL encryption.
  • On v9, you cannot use the SSL::cipher command unless the profile is set to clientssl or serverssl (at least I could not when I tried just that). How would this work to tell you the value if it always had to have that? Are you suggesting that all the virts (SSL and non-SSL) should have clientssl set?

    I find the port method works except that nothing stops someone from doing http://www.yoursite.com:443 to get around that.

    Tom
  • Hi Tom,

    Katherine had said that she was using a client SSL profile which was configured to allow non-SSL requests (which I'd question, but...). The client SSL profile would be enabled (though not always used for decryption) and SSL::cipher could be used.

    I don't think it would be a good idea to add a client SSL profile unless the VIP is going to be used for SSL decryption. And in general, I don't like the idea of allowing non-SSL traffic to an SSL-enabled VIP.

    Aaron
  • Actually, there is a runtime TCL error when no cipher is used when trying to get the value for SSL::cipher version:

    Force SSL on one port
    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=1170929&view=topic

    I added a codeshare example based on this which seemed to work:

    http://devcentral.f5.com/wiki/default.aspx/iRules/Redirect_non_ssl_requests_on_ssl_vs_rule.html

    Aaron
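
The approach discussed in the replies above, as an added example that is not code from the thread or from the linked codeshare: an iRule that treats both a failed `SSL::cipher version` call and a "None" result as an unencrypted connection and redirects it to HTTPS on the same host and port. It assumes the setup Katherine describes (a virtual server on a non-standard port whose client SSL profile also accepts non-SSL connections); the variable names are illustrative.

```tcl
# Added example: redirect non-SSL requests arriving on a virtual server
# whose client SSL profile also allows unencrypted connections.
when HTTP_REQUEST {
    set encrypted 0

    # Per the thread, SSL::cipher version can raise a runtime Tcl error
    # when no cipher is in use, so the call is wrapped in catch.
    if { [catch { SSL::cipher version } ssl_version] == 0 } {
        # Per the thread, the command reports "None" when there is no SSL
        # encryption. Compare case-insensitively and treat an empty
        # result as unencrypted too.
        if { $ssl_version ne "" && [string tolower $ssl_version] ne "none" } {
            set encrypted 1
        }
    }

    if { !$encrypted } {
        # [HTTP::host] is the client-supplied Host header, so a
        # non-standard port such as :81 is carried into the redirect.
        # Because the value is client-controlled, replace it with a fixed
        # hostname if redirects must only ever point at your own site.
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
        return
    }
}
```

Unlike a `TCP::local_port` check, this decision is based on whether the connection actually negotiated SSL, so a plain-HTTP request to the SSL port is still redirected.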