Forum Discussion

David_Broaddus_
Aug 18, 2016

HTTPS to HTTP redirect for maintenance page.

We have an HTTPS virtual server that is set as a basic configuration with no iRules. For multiple reasons (security and simplicity being the biggest) the SSL certs are terminated on the back-end servers directly; the LTM just passes the traffic directly through.

 

We have a new requirement to implement a maintenance page for one of our sites. One of the options is to write an iRule that sends the client a 302 redirect to an HTTP website while the pool is unavailable. I believe that this should be doable, but based on my understanding of the relationship between SSL/TLS and HTTP it would require that the SSL session be established before the HTTP redirect can occur, which would require that the SSL certs be moved to the LTM. Our architect disagrees and believes that we shouldn't have to house the certs on the LTM in order to implement an HTTPS to HTTP redirect.

 

I have been searching for documentation to support either position, and I'm not having a lot of luck. Can anyone advise?

 

6 Replies

  • Heya, you are correct in thinking that the certificate will need to be placed on the LTM. If the LTM can't "see inside" the encrypted traffic then it can't modify it, e.g. send the redirect that you want. You'll need to perform SSL offloading or SSL bridging (which seems more appropriate as you obviously already have pool members listening on 443, etc.).

     

    • Zac_Quinn

      Reading the OP, it looks like David just needs to redirect to a sorry page, so he shouldn't need to inspect the contents as his rule is a simple passthrough rule with no L7 URI inspection. Take a look at " as this should give you a couple of ideas for the iRule. You can direct to a page on another server or have the LB respond directly with an HTTP page coded in the iRule.

       

      Hope this helps

       

      Regards

       

      Zac

       

    • David_Broaddus_

      Thanks. The more I thought about it the more I was certain I was correct. The independent opinion is appreciated.
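
What a pass-through virtual server actually receives on port 443, as an added Python example that is not part of the original thread: the client's first bytes are a TLS ClientHello, not an HTTP request, so there is no request to answer with a 302 until some device completes the handshake. The hostname, the function names and the hand-built ClientHello are constructed for illustration.

```python
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello with an SNI extension."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def extract_sni(rec: bytes):
    """Walk the cleartext ClientHello fields up to the server_name extension."""
    pos = 5 + 4 + 2 + 32                                       # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]                                        # session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")         # cipher suites
    pos += 1 + rec[pos]                                        # compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")    # end of extensions block
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        if etype == 0:                                         # list len(2), type(1), name len(2), name
            nlen = int.from_bytes(rec[pos + 7:pos + 9], "big")
            return rec[pos + 9:pos + 9 + nlen].decode("ascii")
        pos += 4 + elen
    return None

def first_flight(data: bytes) -> dict:
    """Classify the first client bytes as a pass-through (L4) device sees them."""
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return {"kind": "plaintext-http", "http_request_visible": True}
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return {"kind": "unknown", "http_request_visible": False}
    try:                                                       # assumes the hello fits in one record
        sni = extract_sni(data)
    except (IndexError, struct.error):
        sni = None
    # The HTTP request only exists inside the encrypted channel that follows the
    # handshake, so without the certificate and key there is nothing to redirect.
    return {"kind": "tls-client-hello", "sni": sni, "http_request_visible": False}

if __name__ == "__main__":
    print(first_flight(build_client_hello("www.example.com")))
    print(first_flight(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

The only application-level hint visible before decryption is the SNI hostname; the method, path and headers an HTTP redirect responds to are not.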

       
