Forum Discussion

3 Replies

  • The logic for managing HTTPS traffic is exactly the same as HTTP traffic, as long as you first decrypt it. You cannot redirect an HTTPS flow without performing decryption first.

     

  • Hi Thiyagu,

    Does it mean SSL termination from the client to the VIP should complete first, and only then would the redirection work?

    For redirection to work on the HTTPS traffic, the decryption needs to happen on the LTM. Yes, so you need a clientssl profile mapped to your VS.

    Does it mean the LB VIP should have the correct SSL certificate with the SAN name of "site1.com"?

    Yes, if you are planning to redirect https://test1.x.com to https://test2.y.com, make sure the clientssl cert has the CN or SAN of test1.x.com. If it doesn't, when one accesses https://test1.x.com they will get a certificate exception page first, and only when they click on proceed to continue will the redirection take place. I don't suppose you'd want the certificate exception page to pop up. So yeah, put the SAN in your cert.

    One more query: if I have the wrong SSL certificate, for example the client URL is site1.abc.com whereas the certificate on the LB is site2.abc.com, then can't we do the URL redirection?

    Yes, you can still do redirection, apply the iRule, but you'll see the certificate exception error page first when it's accessed.

    when HTTP_REQUEST {
        HTTP::redirect "https://test2.y.com[HTTP::uri]"
    }
    

    Is there any way to check in the Client Hello for the host value and then do the redirection to the other URL?

    In the Client Hello there will not be any HTTP data; it has to be on HTTP_REQUEST.

    when HTTP_REQUEST {
        if { [string tolower [HTTP::host]] ends_with "test1.x.com" } {
            HTTP::redirect "https://test2.y.com[HTTP::uri]"
        }
    }
    
  • One point of clarification.

     

    Is there any way to check in the Client Hello for the host value and then do the redirection to the other URL?

     

    Technically yes, it's totally possible to read the SNI extension from the Client Hello to determine the target host name. But to jaikumar_f5's point, you still have to decrypt to insert the HTTP redirect.
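To make concrete what a load balancer can and cannot see before decryption, here is an added Python example (not from this thread or from F5) that builds a constructed TLS ClientHello for test1.x.com, pulls the host name out of its SNI extension, and confirms the record carries no Host header or URI, which is why the redirect itself has to wait for HTTP_REQUEST.

```python
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record whose only extension
    is server_name (constructed sample input, not a captured packet)."""
    host = server_name.encode("ascii")
    # server_name extension body: list_len(2) name_type(1)=0 name_len(2) name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list  # type 0 = SNI
    body = (
        b"\x03\x03" + bytes(32)                    # client_version, random (zeroed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent.
    This is all the host information visible before the TLS session is decrypted."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                           # not a ClientHello
            return None
        pos = 4 + 2 + 32                            # hs header, version, random
        pos += 1 + hs[pos]                          # skip session_id
        pos += 2 + struct.unpack_from("!H", hs, pos)[0]  # skip cipher_suites
        pos += 1 + hs[pos]                          # skip compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", hs, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:                   # walk the extension list
            ext_type, ext_len = struct.unpack_from("!HH", hs, pos)
            pos += 4
            if ext_type == 0:                       # server_name (RFC 6066)
                name_len = struct.unpack_from("!H", hs, pos + 3)[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error):              # truncated or malformed input
        return None
    return None


def http_data_visible(record: bytes) -> bool:
    """A ClientHello carries no HTTP request line or Host header to act on."""
    return b"GET " in record or b"Host:" in record
```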