csyvenky_18355
Mar 08, 2010 Nimbostratus
SSL only some of the time, non-SSL for the rest
Production Ver: BIG-IP 9.4.6 Build 401.0 Final
The issue(s): IE6 prompts users "this page contains both secure and nonsecure items" if they have browsed from SITE1 to SUBSITE1 then back to SITE1 pages in that order. Further to this, some of the SharePoint CMS capabilities will fail if authors try to use the text editor if they have entered the authoring session via this same pattern.
The goal: We would like to have the LTM device direct users to an SSL session if they intend to use SUBSITE1, but direct them to a non-SSL session if they want to use anything else.
Today's Setup:
=========================
Virtual Servers
=========================
Name        Port
Site_443    443
Site_80     80
The vast majority of traffic uses the Site_80 Virtual Server. That is, unless they try to access SUBSITE1, at which point they get redirected via the 'subsite1_ssl' iRule. Of course, this iRule simply redirects the browser to an SSL session. At this point all traffic would be using the Site_443 Virtual Server.
====================================
Staging - 'subsite1_ssl' iRule
====================================
when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/subsite1/folder" } {
        HTTP::redirect "https://site1.fqdn.com[HTTP::uri]"
    }
}
We tried to solve this with reverse logic. Basically stated, what we had tried was to add the opposite logic to this on the port 443 Virtual Server. Therefore, if a user is going to SUBSITE1, insist on SSL (443); if they are going anywhere else, insist on non-SSL (80). Sounds easy, right?
What we found when this was implemented was that these rules seem to conflict with each other to the point where endless loops could be entered. In the time we had to troubleshoot, we figured this was because the CMS system presents page resources via different techniques (that we don't really have control over). Some resources have hard-wired references to http://site1/// and others are relational to the current position.
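
Added example (not part of the original post, and not the poster's code): a small Python model of the two virtual servers' redirect rules, showing which resources of an HTTPS page under the prefix end up fetched over plain HTTP, the condition behind the IE6 "secure and nonsecure items" prompt. The Site_443 rule is an assumption based on the post's description of the reverse logic; the page and resource paths are constructed.

```python
from urllib.parse import urljoin, urlsplit

HOST = "site1.fqdn.com"       # host name from the post's redirect
PREFIX = "/subsite1/folder"   # URI prefix from the post's iRule

def rule_80(uri):
    """Site_80: the post's 'subsite1_ssl' iRule."""
    if uri.lower().startswith(PREFIX):
        return f"https://{HOST}{uri}"
    return None

def rule_443(uri):
    """Site_443: ASSUMED reverse rule; the post describes it but does not show it."""
    if not uri.lower().startswith(PREFIX):
        return f"http://{HOST}{uri}"
    return None

def follow(url, max_hops=5):
    """Apply the LTM rules until a request is served; return (final_url, redirects)."""
    for hops in range(max_hops + 1):
        parts = urlsplit(url)
        uri = parts.path + (f"?{parts.query}" if parts.query else "")
        target = (rule_443 if parts.scheme == "https" else rule_80)(uri)
        if target is None:
            return url, hops
        url = target
    raise RuntimeError(f"redirect loop at {url}")

def mixed_content(page_url, refs):
    """References on an HTTPS page that are finally fetched over plain HTTP."""
    page, _ = follow(page_url)
    if not page.startswith("https://"):
        return []
    return [r for r in refs if follow(urljoin(page, r))[0].startswith("http://")]

# Constructed sample: one authoring page and three reference styles.
PAGE = f"http://{HOST}/SubSite1/Folder/edit.aspx"
REFS = [
    "styles/editor.css",                # relative to the page: stays under the prefix
    "/shared/scripts/editor.js",        # root-relative: outside the prefix
    f"http://{HOST}/images/logo.gif",   # hard-wired http:// reference
]

if __name__ == "__main__":
    print(follow(PAGE))
    for ref in mixed_content(PAGE, REFS):
        print("fetched over HTTP from an HTTPS page:", ref)
```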