SSHSSH_97332
Oct 16, 2012

HTTP Redirection from Web Server breaks SSL Termination

I have a VS on port 443; it has an SSL profile to do SSL termination and forward to the pool (on port 80).

So communication between the user and F5 is HTTPS, and between F5 and the web server is HTTP.

Most URLs are working fine, but for some URLs I can see that when I click on them I get "page cannot be displayed" and that the browser used HTTP, not HTTPS.

I checked the web server code and found statements redirecting to HTTP for these URLs, like the below:

    getURLHome: function() {
        return "http://erod.siucex.com/web/signin";
    }

So, from the above it redirects users to HTTP, which breaks HTTPS termination.

Shall I ask the web server admin to change that to "https"? But he should only understand HTTP, not HTTPS?

I was expecting that BIG-IP would change it automatically to HTTPS before forwarding to the user.

5 Replies

  • Can you confirm that the user gets a redirect (an HTTP 301 or 302)? If so, you can modify the HTTP Profile assigned to the VS and enable Redirect Rewrite, and the F5 will indeed rewrite the response to HTTPS, but only for HTTP redirects.

    If not, you have four options:

    1) Change the application code to https://
    2) Make the links relative, not absolute (change the app code again)
    3) Use a stream profile to have the F5 rewrite all http:// links in server responses (including in payload)
    4) Configure a port 80 VS that will redirect any http:// requests to https://

    Sorry Nathan ;-)

  • nathe
    Doh! Just about to press Submit and get emailed saying I've been pipped by What Lies Beneath....

    Was gonna suggest a Stream Profile too.

    Couple of good articles on this here:

    http://www.thef5guy.com/blog/2011/09/having-fun-with-stream-profiles/

    https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/101/LTM-stream-profile-Multiple-replacements-regular-expressions.aspx

    N

  • As WLB said, the first two options are the simplest from an LTM perspective.

    Here's an example for rewriting the response headers and payload as listed in 3):

    https://devcentral.f5.com/wiki/iRules.HTTPS-offload-rewriting.ashx

    Option 4) won't work well if the app requests the client make a POST request via HTTP on port 80. Any of the first three options should work well though.

    Aaron
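
An added example, not part of any reply in this thread and not F5 code: a small Python model of the two rewrites discussed above, the header-only redirect rewrite and the payload rewrite from option 3, applied to the hard-coded link from the question. The function names, the redirect codes beyond 301/302, and the content-type list are assumptions of this model, not BIG-IP behaviour.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "erod.siucex.com"  # host from the question
# 301/302 are the codes named in the thread; 303/307/308 are added by this model.
REDIRECTS = {301, 302, 303, 307, 308}
TEXT_TYPES = ("text/", "application/javascript", "application/json")
# Absolute http:// links to our own host only; the lookahead stops at the host boundary.
OWN_HTTP = re.compile(rb"http://" + re.escape(SITE_HOST.encode()) + rb"(?=[/:\"'\s]|$)")
# Constructed sample body carrying the hard-coded link from the question.
SAMPLE_JS = b'getURLHome: function() { return "http://erod.siucex.com/web/signin"; }'


def rewrite_redirect(status, headers):
    """Header-only rewrite: changes Location on redirects, never the body."""
    out = dict(headers)
    url = urlsplit(out.get("Location", ""))
    if status in REDIRECTS and url.scheme == "http" and url.hostname == SITE_HOST:
        # Drop any explicit :80 so the client lands on the HTTPS virtual server.
        out["Location"] = urlunsplit(url._replace(scheme="https", netloc=SITE_HOST))
    return out


def rewrite_payload(headers, body):
    """Stream-style rewrite: fixes absolute links inside a text response body."""
    out = dict(headers)
    # A byte-level rewriter cannot match inside a compressed body, so skip it.
    if out.get("Content-Encoding") or not out.get("Content-Type", "").startswith(TEXT_TYPES):
        return out, body
    new_body = OWN_HTTP.sub(b"https://" + SITE_HOST.encode(), body)
    if "Content-Length" in out:
        out["Content-Length"] = str(len(new_body))  # one extra byte per rewritten link
    return out, new_body


def offload_response(status, headers, body):
    """Apply both rewrites to a pool response before it goes back over TLS."""
    new_headers, new_body = rewrite_payload(rewrite_redirect(status, headers), body)
    return status, new_headers, new_body
```

A 200 response carrying `SAMPLE_JS` passes through `rewrite_redirect` untouched; only `rewrite_payload` changes it, and a response with `Content-Encoding` set is left as-is by both.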