Forum Discussion

Alice_214810's avatar
Alice_214810
Icon for Nimbostratus rankNimbostratus
Jan 15, 2016

Advisory on http to https redirection

This is the existing iRule at http virtual server to redirect to https. SSL offloading is done at F5. Please advise what does this irule mean? If my understanding is correct, it will mask out some header in http request. My another question is that what is the different between TCP respond and SSL respond? Is it suitable to implement TCP:respond here instead of SSL::respond? Kindly advise on the functionality of below iRule.

 

when HTTP_REQUEST {

 

log local0. "[HTTP::host] + [HTTP::uri]"

if {[TCP::local_port] == 80 } { set my_loc "https://[HTTP::host][HTTP::uri]" TCP::respond "HTTP/1.1 302 Found\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n" TCP::close } }

 

BIG-IP
cloud

1 Reply

Sort By
  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Jan 15, 2016

    Hi Pwint,

    it would 

    [log]
    your 
    [HTTP::host]
    and 
    [HTTP::uri]
    and then send a 302 HTTP redirect through a raw TCP:80 connection and then closes the connection. If the received connection is not TCP:80, then it would just 
    [log]
    .

    I saw your other post (the post where you found this snippet). This is an old workaround to suppress the BigIP server header in HTTP responses send by your LTM. But in these days, the 

    [HTTP::respond]
    command has build-in 
    noserver
    option, so that the raw 
    [TCP::respond]
    method wouldn't be required anymore. It will now look like this and can be used for incomming HTTP as well for HTTPS request...

    HTTP::respond 302 noserver "Location" "https://[HTTP::host][HTTP::uri]" "Connection" "close"

    The usecases of the 

    [TCP::respond]
    and 
    [SSL::respond]
    commands are somewhat comparable. The TCP version will send a raw cleartext TCP response and the SSL version would send a SSL protected but still raw TCP response. Basically the difference is just where the commands would integrate into the OSI-stack...

    Cheers, Kai