Forum Discussion

2 Replies

  • What you're trying to do is exactly what the chain of trust that SSL uses to verify a website was designed to prevent.


    I'm simplifying slightly, but when a certificate is issued for a website, it is signed by a trusted authority. That authority is deemed to be trusted because their root certificates are implicitly trusted by the browser. Geotrust, Digitrust, etc. all have certificates that are pre-installed on every current operating system. In other words, when the website's certificate says it is valid for *.f5.com, that statement is signed by a chain of certificates that ends in one that the browser implicitly trusts.


    Having said that, if you control the clients and have installed your certificate on them and told them to trust it as root CA, then you can set up a scenario where the BigIP is able to substitute the real website's certificate with one that it generated and signed on the fly, and the client will trust it because it trusts the signer.


    We have a document which explains in more detail how it works and how to configure it. If you're interested, please take a look at our SSL intercept deployment guide.


    Note that if you were to deploy this without the trusted root certificate on the client, then any browser being directed through the service would alert the user that every https:// site's certificate could not be validated.


  • Hi Cathy,


    After Ian's answer, I'm somewhat unsure if you need the stealth redirect in a forward proxy scenario (i.e. a browser accesses the internet) or a reverse proxy scenario (i.e. the internet accesses your web servers).


    If you need the stealth redirect in a forward proxy scenario, then Ian's answer would be the solution.


    But if you need the silent redirect in a reverse proxy scenario, then you have to configure SSL termination on your Virtual:443 by assigning a Client SSL and a Server SSL profile. In this case the F5 can terminate and inspect the HTTPS request and then perform any kind of content manipulation.


    https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_ssl_profiles.html


    Cheers, Kai
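The chain-of-trust point in Ian's reply (a certificate minted and signed on the fly is only accepted by clients that have the signing root installed) can be reproduced in a few lines of OpenSSL. The script below is an added example, not from the thread, the deployment guide or F5: it builds a constructed lab root CA, signs a leaf certificate for a constructed hostname with it, and then validates that leaf once against the lab CA and once against an empty trust store, which is the situation of a client that never installed the root. The CA name, hostname and file names are all hypothetical; the `verify_leaf` helper is this example's own.

```shell
#!/bin/sh
# Added example: shows why a privately signed certificate validates only
# on clients that trust the private root. Everything here is constructed
# for the demonstration (lab CA, hostname, temp files); nothing is an F5
# or real-world identifier.
set -e

WORK=$(mktemp -d)

# 1. Create the private root CA. This is the certificate an administrator
#    would distribute to managed clients as a trusted root.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Lab Intercept Root CA (constructed)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. Mint a leaf certificate for a hostname, the way an intercepting
#    device would generate one on the fly, and sign it with the lab CA.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# verify_leaf <trust-store-file | none>
# Prints "trusted" when the leaf chains to a root in the given store and
# "untrusted" otherwise. Passing "none" uses an empty store, i.e. a client
# on which the lab root was never installed.
verify_leaf() {
  if [ "$1" = "none" ]; then
    : > "$WORK/empty.pem"
    store="$WORK/empty.pem"
  else
    store="$1"
  fi
  if openssl verify -CAfile "$store" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Usage: a managed client (lab root installed) versus an unmanaged one.
echo "client with lab root installed: $(verify_leaf "$WORK/ca.crt")"
echo "client without lab root:        $(verify_leaf none)"
```

The second line of output is the behaviour Ian warns about in his last paragraph: without the root on the client, every intercepted https:// site fails validation in the browser, so the root distribution step is not optional when deploying SSL intercept.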