Forum Discussion
amass87,
There are a few different things you have to take into account:
-
SSL is a separate protocol, therefore HTTPS is simply HTTP (OSI layer 7) wrapped in SSL (OSI layer 6). This is, in most cases, completely separate from the logic of the application itself. In many cases you can simply add a client SSL profile to the F5 proxy, and nothing to the back to effectively offload the client side SSL at the F5. It would be cleartext (unencrypted) HTTP on the back side.
-
Sometimes an application will try to be "smart" about its surroundings. If the application server is listening on HTTP (maybe because there's a proxy in front offloading the SSL), the application will generate URLs that are http://. This of course is incorrect, and so you need iRules like the one above to rewrite the application's URLs so that the client continues to communicate on HTTPS.
So you need to do things here:
-
Establish what the URLs the application is sending, and when. So when you say "http:// in the header", you could either be talking about a 30x redirect, in which the redirect URL is in a Location header. Or you could be talking about HTML payload that contains references to objects (images, scripts, stylesheets, other pages, etc.) that are in this case http:// instead of https://. You need to understand which URLs are incorrect. That is usually accomplished with a client side capture tool like Fiddler or HTTPWatch.
-
You need to understand which side of the proxy is encrypted and which is not. If the server side is listening on HTTP only, then you don't add an SSL profile to the server side of the proxy.