Let's add another piece to the puzzle. Add an empty STREAM profile to the VIP and this iRule:
```tcl
when HTTP_REQUEST {
    # disable serverside compression
    HTTP::header remove Accept-Encoding

    # disable request side STREAM processing
    STREAM::disable

    # replace the incoming Host header
    HTTP::header replace Host "x.x.x.x:8020"
}
when HTTP_RESPONSE {
    # catch redirects and remap Location header URLs
    if { [HTTP::header exists Location] } {
        HTTP::header replace Location [string map {"http://x.x.x.x:8020" "https://x.x.x.x"} [HTTP::header Location]]
    }

    # only apply the STREAM profile for text-based responses
    if { [HTTP::header Content-Type] contains "text" } {
        # create a STREAM expression
        STREAM::expression {@http://x.x.x.x:8020@https://x.x.x.x@}

        # enable STREAM processing
        STREAM::enable
    }
}
```
You mentioned that you still get redirected to the port 8020 URL for a login page, and I'm guessing that's not a redirect but actually a link within the document object. The previous iRule only inserted a Host header on requests and caught redirects on responses. It did not, however, manage any of the content of the HTML document, which itself could have references to the port 8020 URL. Adding the STREAM profile and the above STREAM expression creates a rewrite mechanism for the content as it passes through the proxy to the client. The objective here is to NOT have separate external port 443 and port 8020 VIPs, but to have all external traffic flow through the port 443 VIP. In order for that to work, the client must not be presented with any references to the port 8020 URL, which can exist both in headers and document content. Give this a shot and let me know how it goes.
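To check that no port 8020 reference reaches the client, the response handling of the iRule above can be modelled offline and run over sample responses. This is an added example, not part of the original post: the addresses (192.0.2.10 standing in for the masked x.x.x.x), the sample responses and all function names are constructed for illustration. It also covers two cases beyond the ones the post mentions, a non-text Content-Type and a scheme-relative link.

```python
import re

# Constructed stand-ins: the post masks the real address as x.x.x.x.
BACKEND = "http://192.0.2.10:8020"   # internal port 8020 URL (assumed value)
EXTERNAL = "https://192.0.2.10"      # external port 443 URL (assumed value)
HOSTPORT = re.escape(BACKEND.split("://", 1)[1])   # host:port under any scheme
TOKEN = re.compile(r"[^\s\"'<>]*" + HOSTPORT + r"[^\s\"'<>]*")

def rewrite_response(headers, body):
    """Model the iRule's HTTP_RESPONSE event: remap Location, rewrite text bodies."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = out["Location"].replace(BACKEND, EXTERNAL)
    if "text" in out.get("Content-Type", ""):   # same test as the iRule
        body = body.replace(BACKEND, EXTERNAL)  # same literal match as the STREAM expression
    return out, body

def find_leaks(headers, body):
    """List (location, value) pairs that still show the backend host:port to the client."""
    leaks = [("header:" + k, v) for k, v in headers.items() if TOKEN.search(v)]
    leaks += [("body", m.group(0)) for m in TOKEN.finditer(body)]
    return leaks

# Constructed responses as the pool member might send them.
SAMPLES = {
    "redirect": ({"Location": BACKEND + "/login", "Content-Type": "text/html"}, ""),
    "html_link": ({"Content-Type": "text/html"},
                  '<a href="http://192.0.2.10:8020/login">Log in</a>'),
    "json_api": ({"Content-Type": "application/json"},
                 '{"next": "http://192.0.2.10:8020/api/session"}'),
    "scheme_relative": ({"Content-Type": "text/html"},
                        '<script src="//192.0.2.10:8020/app.js"></script>'),
}

def audit(samples=SAMPLES):
    """Apply the modelled rewrite to each sample and report what still leaks."""
    return {name: find_leaks(*rewrite_response(h, b)) for name, (h, b) in samples.items()}

if __name__ == "__main__":
    for name, leaks in audit().items():
        print(name, "clean" if not leaks else leaks)
```

In this model the redirect and the HTML link come out clean, while the JSON body and the scheme-relative script reference still carry the backend host:port, so those are the response types to look at in a browser's network trace if clients keep landing on port 8020.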