Forum Discussion

csyvenky_18355
Mar 08, 2010

SSL only some of the time, non-SSL for the rest

Production Ver: BIG-IP 9.4.6 Build 401.0 Final

The issue(s): IE6 prompts users with "this page contains both secure and nonsecure items" if they have browsed from SITE1 to SUBSITE1 and then back to SITE1 pages, in that order. Further to this, some of the SharePoint CMS capabilities will fail if authors try to use the text editor after entering the authoring session via this same pattern.

The goal: We would like the LTM device to direct users to an SSL session if they intend to use SUBSITE1, but to a non-SSL session if they want to use anything else.

Today's Setup:

=========================
Virtual Servers
=========================

Name       Port
Site_443   443
Site_80    80

The vast majority of traffic uses the Site_80 Virtual Server, unless they try to access SUBSITE1, at which point they get redirected via the 'subsite1_ssl' iRule. Of course this iRule simply redirects the browser to an SSL session, at which point all traffic would be using the Site_443 Virtual Server.

====================================
Staging - 'subsite1_ssl' iRule
====================================

when HTTP_REQUEST {
    # Attached to Site_80: any request under /subsite1/folder is bounced
    # to the HTTPS virtual server, preserving the requested URI.
    if { [string tolower [HTTP::uri]] starts_with "/subsite1/folder" } {
        HTTP::redirect "https://site1.fqdn.com[HTTP::uri]"
    }
}

We tried to solve this with reverse logic. Basically stated, what we tried was to add the opposite logic to this on the port 443 Virtual Server. Therefore, if a user is going to SUBSITE1, insist on SSL (443); if they are going anywhere else, insist on non-SSL (80). Sounds easy, right?

What we found when this was implemented was that these rules seem to conflict with each other to the point where endless loops could be entered. In the time we had to troubleshoot, we figured this was because the CMS system presents page resources via different techniques (that we don't really have control over). Some resources have hard-wired references to http://site1/// and others are relative to the current position.

3 Replies

  • Thanks Aaron. I will review those other posts. This switching is not related to authentication. We simply have an Intranet at http://site1 and a subsite at http://site1/subsite2 that can process CCs. There is simply no reason for SSL session up at the http://site1 or http://site1/subsite2 levels.
  • I've had a chance to review the recent postings. It's somewhat disconcerting to see that it doesn't appear that anyone has solved this issue. The logic appears to be sound and basically the same in all cases; the fact that the two virtual servers directly conflict with each other seems to put a quick end to this implementation approach.

  • I don't think this is a problem with implementing a solution in LTM configuration or iRules--it's a problem with identifying what content you want served via HTTP and which you want served via HTTPS, and then coding an iRule to handle the different references the application might have to HTTP and HTTPS. A poster in the "Mixed noSSL/SSL site" post was able to do this for his specific scenario.

    I'd suggest you reproduce the configuration in a test environment or with test VIPs and then use a browser plugin like HttpFox for Firefox or Fiddler for IE to determine exactly which references you want to rewrite and where. Once you figure that out, we can help you implement the logic in an iRule.

    Aaron
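The following is an added example, not code from the original poster, from Aaron, or from F5. It shows one way to implement the "SUBSITE1 on 443, everything else on 80" goal from the original post without the two virtual servers fighting each other, and it also covers the point Aaron raises about handling the references the application itself emits: a single iRule attached to BOTH Site_80 and Site_443 makes the scheme decision from one predicate (so the two listeners can never disagree about the same URI), refuses to 302 anything but GET/HEAD (a 302 discards a POST body, which is the kind of failure the SharePoint editor would show), and normalises the CMS's own Location headers so the client is never sent to a URL the request logic would immediately bounce back. It assumes the host site1.fqdn.com and the /subsite1/folder prefix from the post, an HTTP profile on both virtual servers, and the client SSL profile already on Site_443; the list of HTTPS-only prefixes is a hypothetical placeholder to extend.

```tcl
# Added example: attach this ONE iRule to both Site_80 and Site_443.
# Assumptions (not from the thread): host site1.fqdn.com, HTTPS-only prefix
# /subsite1/folder, HTTP profile on both VSs, clientssl profile on Site_443.

when RULE_INIT {
    # 9.x-style globals. On 10.1 and later prefer the static:: namespace,
    # because plain :: globals demote the virtual server from CMP.
    set ::site_host    "site1.fqdn.com"
    set ::ssl_prefixes [list "/subsite1/folder"]   ;# hypothetical list
}

when HTTP_REQUEST {
    # Decide the required scheme in exactly one place, from the path only,
    # so Site_80 and Site_443 can never reach opposite conclusions and
    # ping-pong the browser between them.
    set path [string tolower [HTTP::path]]
    set needs_ssl 0
    foreach prefix $::ssl_prefixes {
        if { $path starts_with $prefix } { set needs_ssl 1 ; break }
    }
    set on_ssl [expr { [TCP::local_port] == 443 }]

    # Already on the right listener: nothing to do.
    if { $needs_ssl == $on_ssl } { return }

    # Only GET/HEAD are safe to bounce with a 302: a POST from the CMS
    # editor would lose its body. Log the mismatch so the offending
    # reference can be found (Referer tells you which page emitted it)
    # and fixed at the source instead.
    if { [HTTP::method] ne "GET" && [HTTP::method] ne "HEAD" } {
        log local0. "scheme mismatch, not redirecting: [HTTP::method] \
            [HTTP::host][HTTP::uri] on port [TCP::local_port] \
            referer=[HTTP::header Referer]"
        return
    }

    if { $needs_ssl } {
        HTTP::redirect "https://$::site_host[HTTP::uri]"
    } else {
        HTTP::redirect "http://$::site_host[HTTP::uri]"
    }
}

when HTTP_RESPONSE {
    # The application may itself redirect to the wrong scheme (e.g. a
    # hard-wired http:// link under the HTTPS-only area). Rewrite only
    # absolute Location headers that point at our own host; leave relative
    # Locations and third-party hosts alone.
    if { ![HTTP::header exists "Location"] } { return }
    set loc [HTTP::header "Location"]
    if { ![regexp -nocase {^https?://([^/:]+)(?::\d+)?(/.*)?$} $loc -> host lpath] } { return }
    if { ![string equal -nocase $host $::site_host] } { return }
    if { $lpath eq "" } { set lpath "/" }

    set needs_ssl 0
    foreach prefix $::ssl_prefixes {
        if { [string tolower $lpath] starts_with $prefix } { set needs_ssl 1 ; break }
    }
    set scheme [expr { $needs_ssl ? "https" : "http" }]
    HTTP::header replace "Location" "$scheme://$::site_host$lpath"
}
```

What this does not fix is the IE6 mixed-content warning itself: that comes from absolute http:// references embedded in pages served over HTTPS, which this rule never sees. Those have to be corrected in the CMS or rewritten in the response body (a stream profile), after first identifying them with a proxy such as Fiddler as Aaron suggests; the "scheme mismatch" log lines above give you the same information for non-GET requests without a browser plugin.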