Forum Discussion

FSC-IT_27241
Oct 20, 2008

iRule to redirect https to http

Situation:

There is a hardcoded URL that goes to https://junk.domain.com/ in an application. I want the F5 to redirect any traffic destined to that domain to a different site located elsewhere on the internet via http://realjunk.domain.com/. But I don't want the expense of adding a certificate to my F5 and I cannot change the software application with the hard-coded https URL.

Can this be done?

I have done a simple virtual host with a redirect rule and it works if I use one of my existing SSL profiles, but I get the error that the cert does not match. Which is true, but ultimately I am really redirecting to a non-SSL site.

Thoughts?

2 Replies

  • Hi there,

    Is this the same scenario as the last post (Click here)? If so, you can use a stream profile and STREAM::expression based iRule to rewrite the response content to the correct domain. This would avoid the issue of the client making a request to the old domain.

    You can check the STREAM::expression wiki page for examples (Click here).

     when HTTP_RESPONSE {

        # Check if response type is text
        if {[HTTP::header value Content-Type] contains "text"} {

           # Replace https://junk.domain.com with https://realjunk.domain.com
           STREAM::expression {@https://junk.domain.com@https://realjunk.domain.com@}

           # Enable the stream filter for this response only
           STREAM::enable

        } else {
           # Disable the stream filter by default
           STREAM::disable
        }
     }

    This will work if the response is going to the client through the BIG-IP. If that's not the case, there aren't any simple fixes you can make on the BIG-IP to prevent the browser alert. By design of HTTPS, if a request comes in via HTTPS to a VIP and you don't have an SSL cert valid for that domain or subdomain, the browser will generate an invalid or mismatched cert warning. You could either get a valid cert for junk.domain.com or for *.domain.com.

    Aaron
  • The problem is that you can't invoke HTTP events such as redirects in an iRule without using an http profile on the virtual, and to do that, you've got to decrypt, which means handling the SSL cert first.

    The only other option would be to process something in the CLIENT_ACCEPTED event, and there's no redirection there.

    Maybe something like this would work (haven't tried this):

     
     when CLIENT_ACCEPTED { 
         SSL::disable 
         pool myPool 
     } 
     

    Where myPool would have the new domain's server as a pool member, but that's still not going to change the domain that the browser asked for. So, you'd likely get an SSL cert error when it did connect to the new server anyway.

    So unfortunately, I don't think there's a way to do this.

    Denny
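
Both replies come down to the certificate name check the client performs during the TLS handshake, before any HTTP redirect can be delivered. The following is an added example, not part of the original thread: a simplified RFC 6125-style hostname match applied to the options discussed above. The scenario labels and the name `www.othersite.example` (standing in for the poster's existing SSL profile) are constructed assumptions.

```python
# Added example: simplified certificate-name matching as a TLS client does it.
# Trust chain and expiry checks are out of scope; only the name check is shown.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate DNS name (pattern) covers host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Wildcard must be the whole leftmost label and needs at least
        # two fixed labels after it (so "*.com" is rejected).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "j*.domain.com" are treated as literals.
    return p_labels == h_labels


def cert_covers(san_names, host):
    """True if any subjectAltName DNS entry covers the requested host."""
    return any(name_matches(name, host) for name in san_names)


REQUESTED = "junk.domain.com"  # host hard-coded in the application

# Constructed scenarios mapping each option in the thread to the names
# on the certificate the client would be shown.
SCENARIOS = {
    "existing SSL profile (other name)": ["www.othersite.example"],
    "SSL::disable pass-through to new server": ["realjunk.domain.com"],
    "dedicated cert for the old name": ["junk.domain.com"],
    "wildcard cert": ["*.domain.com"],
}


def evaluate(host=REQUESTED):
    """Map each scenario to whether the name check passes for host."""
    return {label: cert_covers(names, host) for label, names in SCENARIOS.items()}


if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:42s} {'name matches' if ok else 'mismatch warning'}")
```
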