truongh_36312
Dec 09, 2014

cleartext redirect to SSL

Hi, we have a BIGIP (10.2.3) LTM and we need to redirect all the incoming cleartext traffic on the URLs (port 80) to SSL. Do we have any way to do it? Thanks in advance for your reply.

 

7 Replies

  • Wesleyjack, thanks for your quick reply. I know the iRule to redirect from HTTP to HTTPS, but in case we don't want to have a virtual server using HTTPS (443) with a certificate, do you have any way to implement it without creating a new virtual server on port 443? Thanks in advance.

     

    • wesleyjack
      Hien, so, the scenario is you have a virtual server (VS) on your F5 using service port 80. You do not want to create a VS on the same F5 using 443. Does this 443 VS exist on a separate F5? Something has to respond to the IP on port 443. For example, let's say your FQDN is www.hien.com. Let's also say www.hien.com resolves to 1.1.1.1. Lastly, you have a VS on your F5 listening on 1.1.1.1:80. If you establish an HTTP-HTTPS redirect for www.hien.com on the VS, then you would need another VS on your F5 listening on 1.1.1.1:443. If nothing is listening on 1.1.1.1:443, then the redirect will work but the client will get no response to their TCP SYNs.
    • wesleyjack
      Hien, so I tested this on my BigIP Lab VE. I used the redirect iRule. I disabled my 443 VS on the F5, but left my 80 VS up with the redirect iRule in place.

      10.128.10.1:54984 --> 10.128.10.35:80 TCP 3-way success
      10.128.10.1:54984 GET / HTTP/1.1 --> 10.128.10.35:80
      10.128.10.35:80 Redirect --> 10.128.10.1:54984
      10.128.10.1:54985 SYN --> 10.128.10.35:443
      10.128.10.35:443 RST --> 10.128.10.1:54985
  • but in case if we don't want to have virtual server using https(443) with certificate

     

    If you mean http on clientside (between client and bigip) and https on serverside (between bigip and server), you can just add a serverssl profile to the http virtual server.
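
The manual lab test in the thread (redirect answered on port 80, then a connection attempt to 443 with nothing listening) can be scripted as a post-change check. This is an added example, not code from the thread or from F5: `RedirectOnly`, `check_redirect_target` and `demo` are hypothetical names, and the local server on 127.0.0.1 is a constructed stand-in for a port-80 virtual server with the redirect iRule.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class RedirectOnly(BaseHTTPRequestHandler):
    """Constructed stand-in for the port-80 VS carrying the redirect iRule."""
    https_port = 443
    def do_GET(self):
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(302)
        self.send_header("Location", f"https://{host}:{self.https_port}{self.path}")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def check_redirect_target(host, http_port=80, timeout=3.0):
    """Return (location, state) for the HTTPS listener the redirect points at."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    if resp.status not in (301, 302, 307, 308) or not location:
        return location, "no-redirect"
    target = urlsplit(location)
    if target.scheme != "https":
        return location, "not-https"
    try:
        socket.create_connection((target.hostname, target.port or 443), timeout).close()
        return location, "open"      # something answers on the HTTPS port
    except ConnectionRefusedError:
        return location, "refused"   # RST, as in the lab trace
    except socket.timeout:
        return location, "timeout"   # SYNs go unanswered

def demo():
    # Borrow a free local port and close it again so nothing listens there.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    RedirectOnly.https_port = probe.getsockname()[1]
    probe.close()
    server = HTTPServer(("127.0.0.1", 0), RedirectOnly)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_redirect_target("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

Against a real deployment, call `check_redirect_target` with the virtual server's address; any state other than `open` means clients following the redirect will not reach an HTTPS listener.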