Forum Discussion

avdes_200844
May 06, 2015

Is using iRule a good practice?

Hi, in one of our app deployments, we are using an F5 load balancer with SSL offloading. We have created an iRule in the F5 LB to rewrite all HTTP redirect URLs (received by the LB in the HTTP response from the application) with HTTPS. Our data center provider has suggested that using an iRule is a workaround and not a standard practice, and that we should avoid these. Is it true that iRules are not a good practice and should be avoided with F5? Can someone throw some light on the pros/cons of iRules?

We are currently using an iRule to handle only HTTP redirects issued by the application. As I mentioned above, we are SSL offloading with F5, which means that the browser sends the request to the LB over HTTPS, and the LB then offloads HTTPS and forwards the request to one of the app servers over HTTP. Hence the application on the app server receives the request over HTTP, so it creates redirect URLs (in a few flows only) using HTTP and sends them back in the response with HTTP code 302. So at the F5, using an iRule, we are rewriting the HTTP URL with an HTTPS URL before passing the redirect response to the browser. This iRule is being specifically applied only to HTTP responses with a redirect header, which are very few (less than .5% of total requests served).

 

My understanding is that using iRule is a standard solution and for scenarios like above, it shouldn't have any negative implications. Please suggest.

 

Thanks in Advance.

 

10 Replies

  • JG

    I think it should depend on the business need, i.e. what problem you are trying to address and in what time frame.

     

    The best way is to fix the application. If your application depends on the HTTP redirect or redirect rewrite, you may well have a security issue on your hands.

     

    That being said, the iRule is a great toolbox.

     

  • Please provide insight if rewriting HTTP to HTTPS is good or bad.

     

    I think what Jie meant is that it is bad, but it is a good solution while the developer is fixing the application.

    I don't think we should hardcode the app to create HTTPS URLs. Rather it should generate URLs using whatever protocol is being used in the incoming request.

    I do not think so. I agree in case there is no SSL offloading on the load balancer.

     

    • avdes_200844
      Thanks nitass for sharing your thoughts. But what if I want to run the app over HTTP (no HTTPS at all) in future by disabling SSL on the load balancer? Then it would be an issue, right?
  • But what if I want to run the app over HTTP (no HTTPS at all) in future by disabling SSL on the load balancer? Then it would be an issue, right?

    Yes, you are right.

    What I think is that SSL offloading is not a transparent task, so the server should not act like it is transparent (i.e. redirect based on whatever protocol it receives).

    Just my 2 cents.

     

    • avdes_200844
      Thanks, I'll keep the transparency thing in mind. Quite liked it.
  • JG

    OK, if there is a consideration of running the app over HTTP in future, then there is no need for concern of security at all. But why are you running it over HTTPS now?

     

    Back to the issue at hand, in the case of SSL offloading, I think the best solution is to pass an HTTP header "X-Forwarded-Proto: https" to the backend application, which will then be able to determine which scheme to use when constructing a self-referencing URL. This standard header can be configured in an http profile.
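
Added example, not part of the thread or of F5's documentation: a Python sketch of the backend side of the last reply, where the application takes the scheme for a self-referencing redirect from `X-Forwarded-Proto`, but only when the request arrived from the load balancer. The proxy network, host name and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed values for illustration: the load balancer's addresses as seen
# by the app server, and the host names the app answers for.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/29")]
ALLOWED_HOSTS = {"app.example.com"}
VALID_SCHEMES = {"http", "https"}


def header_values(headers, name):
    """All values of a header, splitting comma-joined repeats."""
    out = []
    for key, value in headers:
        if key.lower() == name:
            out.extend(part.strip().lower() for part in value.split(","))
    return out


def effective_scheme(peer_ip, headers, wire_scheme="http"):
    """Scheme the browser used, as far as the app can trust it."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct or unknown peer: the header is client-controlled, ignore it.
        return wire_scheme
    seen = set(header_values(headers, "x-forwarded-proto"))
    # Accept only one unambiguous, known value; otherwise use the wire scheme.
    if len(seen) == 1 and seen <= VALID_SCHEMES:
        return seen.pop()
    return wire_scheme


def redirect_location(peer_ip, headers, path):
    """Absolute self-referencing URL for a 302 Location header."""
    hosts = header_values(headers, "host")
    if len(hosts) != 1 or hosts[0] not in ALLOWED_HOSTS:
        raise ValueError("unexpected Host header")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be site-relative")
    return f"{effective_scheme(peer_ip, headers)}://{hosts[0]}{path}"
```

With this on the application side, turning SSL off on the load balancer later changes only the header value it sends, so the same code then produces `http://` redirects without a rewrite rule.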