Forum Discussion

thistuffjuice_3
Sep 14, 2017

F5 LTM HTTP-HTTPS Re-Direct Using iRules - Virtual Server Config Question

Hello

For the following scenario, please can you provide best recommendations?

A Virtual-Server is UP, all working with a front-end listener on TCP443 (HTTPS) and serving to back-end Pool-Members (HTTP web application) on a different TCP port from 443/80 running over SSL (SSL offload is being performed by the pool-members and not LTM) - No Server-Side or Client-Side SSL profile.

We want to introduce access on HTTP (TCP80), but ensure that the re-direction is taking place to force any client HTTP web requests to HTTPS... Therefore I would presume an iRule??? (Something like the below)

when HTTP_REQUEST {
    HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}

Now my main question:

1) Do you apply this iRule to the existing Virtual-Server listening on TCP443?

2) Do you clone the Virtual-Server and its config, but set the front-end destination service-port (listener) on TCP80 (HTTP)? Then apply the iRule (performing HTTP->HTTPS re-direct) to this VIP?

2a) If option 2, do you still clone the back-end pool members etc? Or can the F5 intelligently see the listener and therefore perform as a re-direct only?

3) Any other better/alternate suggestions?

From the 201 TMOS studies I did, the study-guide says the processing order for a front-end Virtual-Server when inbound traffic is coming into the LTM is the following:

ip:port
ip:any
network:port
any:port
network:any
vlan:port
vlan:any
any:any

Before, I thought that you would need an extra VIP and would not be able to apply the iRule on the 443-VIP as it would drop traffic. However, from the above would it process in top-down order and hit the ip:any, anyway?

Many thanks!

2 Replies

  • Hi,

    To do this you need two VS (VS_443 and VS_80).

    1) Apply this iRule on VS_80

    2) Create a new VS that listens on the same VIP on service 80. If this VS is intended to do only HTTP to HTTPS redirection, you ONLY need the following objects applied to this VS_80:

    • tcp profile
    • http profile
    • irule_redirect

    Regards

  • You could, via iRule, have the virtual server listen on both TCP 80 and TCP 443.

    For TCP 443, you could continue doing what you're doing.

    For TCP 80, you could:

    1. do the redirect, then
    2. insert the client cert into the request header, then
    3. send the traffic to the pool just as you currently do for traffic on TCP 443
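
A hardened variant of the redirect iRule discussed in this thread, as an added example that is not part of either post or of F5's own documentation: it redirects only for known hostnames instead of reflecting the client-supplied Host header into the Location header, and falls back to a canonical name otherwise. The hostnames `www.example.com` and `app.example.com` are placeholders, and the rule is assumed to be attached to a port-80 virtual server that has an http profile.

```tcl
# Added example: redirect-only iRule for the port-80 virtual server.
# Assumption: www.example.com / app.example.com are placeholder hostnames;
# replace them with the names the HTTPS virtual server actually serves.
when HTTP_REQUEST {
    # Strip any ":port" suffix and normalise case before comparing.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Only origin-form URIs ("/path?query") are carried into the redirect.
    # Anything else is replaced with "/", so the request line cannot change
    # the authority part of the Location URL.
    set uri [HTTP::uri]
    if { !($uri starts_with "/") } {
        set uri "/"
    }

    switch -- $host {
        "www.example.com" -
        "app.example.com" {
            # Known name: permanent redirect to the same host over HTTPS.
            # HTTP::redirect would send a 302; HTTP::respond lets us send 301.
            HTTP::respond 301 Location "https://${host}${uri}" Connection close
        }
        default {
            # Missing or unexpected Host header: never echo it back.
            # Send the client to the canonical name instead.
            HTTP::respond 301 Location "https://www.example.com${uri}" Connection close
        }
    }
}
```

Because the rule always answers the request itself, the port-80 virtual server it is attached to never forwards traffic to a pool.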