Forum Discussion

CSA
Feb 17, 2009

Redirections HTTP to HTTPS (for login) to HTTP (for usage)

Hello all,

We use BigIPs for many applications used over a WAN. Our WAN has some boxes to compress/accelerate HTTP traffic, but they can't do it with HTTPS. We don't want to send the login/password in clear text over the network, so we want to use HTTPS for this.

So we would like to use the BigIPs like this:

- if someone uses http (and is not logged in), redirect him to https
- each time someone has to authenticate, https is compulsory.
- once the authentication is done, use HTTP

What is the best way to do this?

Is it this one:

- irule to redirect http to https when the application shows the login page (it shows it each time the user wants to load a protected page: this is handled by the application itself)
- irule to redirect https to http when it's not the login page (meaning the user is already authenticated from an application point of view)

Is there a smarter way? Is it ok or the BigIP session mechanism?

And second question: some applications just change the content to ask for the credentials, but the page name can be anything: is it possible to check in the content of the page for some strings, and are the resources used to do this acceptable?

Thanks!

--
LB

6 Replies

  • We ran into this very issue several years ago. This is where we did not want to spend the extra $$ for a module on the BIGIP. The problem we encountered was that the BIGIP didn't know when a client had successfully logged in. So we decided that once the login page successfully authorized, the client is redirected over to HTTP.

    So yes, we found a solution, but it wasn't a BIGIP solution.

    As for your second question, if you are referring to monitoring, then you can monitor for strings in a page, which is a common technique to use.

    Hope that helps

    CB

  • Hello Bhattman,

    I would sincerely appreciate it if you could please post how you implemented the solution. We have exactly the same situation posted by LB.

    Regards,

    qcontinuum

  • Our core application design team had a Siteminder license which allowed them to authenticate via HTTPS but then redirected them over to HTTP.

    Bhattman

  • Guys,

    I have similar issues. We have created an HTTPS health monitor and we are using the username and password to log in to the server. However, we can only use a corporate domain account with the COMPANY\username prefix. We would like to use a local server username and password to validate. Is this possible?

    Thanks!

  • Just to add:

    SOL5483: Testing an HTTPS Monitor with user authentication from the command line
    https://support.f5.com/kb/en-us/solutions/public/5000/400/sol5483.html?sr=10763589

    HTTPS Monitor definitions will appear similar to the following example:

    monitor ssl_test {
        type https
        use "https"
        interval 5
        timeout 16
        dest *:*
        send "GET /testpage.asp HTTP/1.0\nAuthorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk\n"
        recv "matchthis"
        username "testuser" <-----< missing company\
        password "testpassword"
    }

    Here's another SOL, but it needs APM, which we don't have:

    SOL11446: Overview of HTTP authentication
    https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11446.html?sr=10763589

    Hope to hear your ideas. Thanks!
  • Hi Raj,

    Can you change the send string to include the domain\ as part of the base64 encoded user:pass and remove the username and password field values from the monitor definition?

    Send string:

    GET /testpage.asp HTTP/1.0\r\nAuthorization: Basic RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA==\r\n\r\n

    where RE9NQUlOXHRlc3R1c2VyOnRlc3RwYXNzd29yZA== is the base64 encoding of DOMAIN\testuser:testpassword

    Also, here is a solution related to the \r\n's at the end of the send string:

    SOL10655: Change in Behavior: CR/LF characters appended to the HTTP monitor Send string
    http://support.f5.com/kb/en-us/solutions/public/10000/600/sol10655.html

    Aaron
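
The send-string approach from the last reply, as an added example that is not part of any post in this thread and is not F5 code: it builds a Send string with the DOMAIN\ prefix folded into the Basic token, and decodes an existing Send string so you can check which account a monitor really presents. The function and class names are hypothetical; the credentials are the test values quoted in the thread.

```python
import base64
import re
from typing import NamedTuple, Optional


class BasicCreds(NamedTuple):
    domain: Optional[str]  # None when the user name has no DOMAIN\ prefix
    username: str
    password: str


def build_send_string(username, password, domain=None, path="/testpage.asp"):
    """Return a monitor Send string with the domain folded into the Basic token."""
    user = f"{domain}\\{username}" if domain else username
    if ":" in user:
        raise ValueError("Basic auth user names cannot contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    # The monitor definition stores the escapes as text, so emit a literal '\r\n'.
    return f"GET {path} HTTP/1.0\\r\\nAuthorization: Basic {token}\\r\\n\\r\\n"


def decode_send_string(send):
    """Recover the credentials a Send string presents; None if it carries none."""
    m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)", send, re.I)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    userpart, sep, password = raw.partition(":")  # passwords may contain ':'
    if not sep:
        raise ValueError("decoded token has no ':' separator")
    domain, slash, name = userpart.rpartition("\\")
    return BasicCreds(domain if slash else None, name, password)


if __name__ == "__main__":
    # Constructed check using the test credentials quoted in the thread.
    s = build_send_string("testuser", "testpassword", domain="DOMAIN")
    print(s)
    print(decode_send_string(s))
```

The token is only base64, so anyone who can read the monitor definition recovers the password; a dedicated low-privilege account for the monitor limits what that exposes.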