Forum Discussion

mslater905
Nov 19, 2019

Help with HTTPS_Rewrite iRule

Hi all,

 

I'm currently in a bit of a pickle developing an iRule solution to avoid HTTPS_Rewrite for certain URLs.

 

I currently have an LTM VS configured which has a profile that rewrites all redirects to HTTPS.

 

ltm profile http HTTPS_Rewrite {
  app-service none
  defaults-from http
  enforcement {
    unknown-method allow
  }
  redirect-rewrite all
}

 

For most of the redirects, I want the redirect response to be HTTPS, which is why this is applied. There are two instances, however, where I want the URL redirect to be HTTP.

 

For instance, for redirects to "www.one.com" & "www.two.com", we don't want the profile to rewrite it to HTTPS.

 

create ltm rule http-response-specific {
  when HTTP_RESPONSE {
    # Assumes onetwo-list is a data group holding the two hostnames
    if { [class match [HTTP::header value Location] contains onetwo-list] } {
      # .......
    }
  }
}

 

I think replacing the Location variable will be too much of a headache. Is it possible to identify the Location variable and then bypass the profile entirely for connections with these URLs?

 

Any help would be greatly appreciated!

 

 

3 Replies

  • You can remove the profile and use an iRule with an HTTP redirect for specific sites and HTTPS for others.

  • I'm not certain I've understood the question correctly.

    When I need to redirect all sites to HTTPS except a select few domains, I do like Vijay: create an iRule

    when HTTP_REQUEST {
        # Compare on the lowercase hostname only, without any port
        set vhost [string tolower [getfield [HTTP::host] ":" 1]]

        switch -- $vhost {
            "http-domain1.local" -
            "http-domain2.local" {
                # Now it uses the default settings of the VS, including any default pool you might have selected
            }
            default {
                # Send a redirect to HTTPS - 307 to tell the client that it needs to use the same method as when it sent the request to this port
                HTTP::respond 307 Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
            }
        }
    }

    If you have a lot of sites that need the exception, you might be better served with a data group. It will make the iRule shorter; however, every time you troubleshoot you'll have to look in an additional place.

  • I appreciate the feedback!

     

    I actually managed to write an iRule while keeping the profile attached. I was looking for some order of operations as to whether the profile or iRule was triggered first and it wound up being the profile.

     

    On the 'HTTP_Response', I just modified the 'Location' header to replace 'https' with 'http'.

     

    Cheers!
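
The approach described in the last reply, as an added example that is not code from the thread: it keeps the profile attached and restores the http scheme only for named redirect targets. It assumes, as that reply reports, that the Location header is already https when HTTP_RESPONSE fires, and it uses a hypothetical string data group named http_only_hosts holding the exact lowercase hostnames (www.one.com and www.two.com).

```tcl
# Added example, not from the thread.
# Assumption: http_only_hosts is a hypothetical string data group whose
# records are the exact lowercase hostnames that must stay on HTTP.
when HTTP_RESPONSE {
    # Only redirect responses carry a Location header worth inspecting
    if { ![HTTP::is_redirect] } { return }

    set location [HTTP::header value Location]

    # Act only on absolute https:// URLs; relative redirects are left alone
    if { ![string match -nocase "https://*" $location] } { return }

    # Compare the parsed host, without any port, against the data group.
    # An exact match avoids downgrading a look-alike host, or a URL whose
    # path or query string merely contains one of the names.
    set host [string tolower [getfield [URI::host $location] ":" 1]]

    if { [class match $host equals http_only_hosts] } {
        # Swap only the scheme: drop the first 8 characters ("https://")
        HTTP::header replace Location "http://[string range $location 8 end]"
    }
}
```

Every other redirect keeps the https scheme, so the downgrade stays limited to the hosts listed in the data group.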