souravkayal_287
Oct 30, 2017

changing server response to HTTPS

So I have TWO services

ONE VIP on 8443 with SSL and nodes behind on 9500
ONE VIP on 443 with nodes on 9502

have a redirection HTTP VIP with iRule to redirect to https another VIP on 9500 to redirect to HTTPS 8443

using this rule

when HTTP_REQUEST {
    HTTP::redirect "https://[getfield [HTTP::host] ":" 1]:8443[HTTP::uri]"
}

Now when I am browsing the application from the console some of the pages are pointing to http:// as the server has no https set up.

My question is how can I control the response from the server and change it to https

 

4 Replies

  • Would you please post your virtual server configuration. What TMOS version are you running? Also, what do you mean by 9500 and 9502? I am not very clear why you need an iRule for this? And what do you mean by browsing from the console? Do you mean CLI using curl?

    Sorry, your question is not very clear to me.

    You shouldn't really need an iRule for redirections unless you are running old code or in other specific scenarios. I guess it's the specific scenario here that I don't understand.

     

    • jurgenvdmark_14

      Instead of doing a redirect you should change the response from the server. For instance you can do something like this:

      when HTTP_RESPONSE {
         if { [HTTP::is_redirect] } {
            # Replace absolute path with relative path
            HTTP::header replace Location [regsub {https?://[^/]*/} [HTTP::header value Location] "/"]
         }
      }

      This removes the host part of the URI

  • Hi,

    You can configure the HTTP profile with redirect rewrite set to matching. If the issue was a redirect issue, it will solve the issue.

    If not, try this code (change the array values) and enable the stream profile:


    when RULE_INIT {
        unset -nocomplain static::rewrite_table
        array set static::rewrite_table {
            "https://www.company.com"   "http://srv-internal.company.local"
            "https://www2.company.com"   "http://srv-internal2.company.local"
        }
        set static::rewrite_table_map [list]
        set static::rewrite_table_stream [list]
        foreach item [array names static::rewrite_table] {
            lappend static::rewrite_table_map $static::rewrite_table($item)/ $item/ $static::rewrite_table($item) $item/
            lappend static::rewrite_table_stream "@$static::rewrite_table($item)/@$item/@"
        }
        log local0. $static::rewrite_table_map
        log local0. $static::rewrite_table_stream
        # Create stream commands in variables to run them only if the stream profile is enabled
        set static::stream_disable "STREAM::disable"
        set static::stream_enable "STREAM::enable"
        # Change stream expression to convert current site response to relative URI.
        set static::stream_expression "STREAM::expression \[string map \"\$req_proto://\$req_host/ /\" \$static::rewrite_table_stream\]"
    }
    
    when CLIENT_ACCEPTED {
        # Set default protocol to http. Change it to https if a clientssl profile is assigned to the VS.
        if { [PROFILE::exists clientssl] == 1} {
            set req_proto "https"
        } else {
            set req_proto "http"
        }
        set stream_profile_enabled [PROFILE::exists stream]
    }
    
    when HTTP_REQUEST {
        # Capture request hostname
        set req_host [HTTP::host]
        if {$stream_profile_enabled} {
            # Disable the stream filter for all requests
            eval $static::stream_disable

            # LTM does not uncompress response content, so if the webserver has compression enabled
            # we must prevent the server from sending us a compressed response by changing the request
            # header that indicates client support for compression (on our LTM client-side we can
            # re-apply compression before the response goes across the Internet)
            HTTP::header remove "Accept-Encoding"
        }
    }
    
    when HTTP_RESPONSE {
        if { [HTTP::status] matches_glob "30?" } {
            # This is a 302 redirect with an absolute Location URI
            HTTP::header replace Location [string map [string map "$req_proto://$req_host/ /" $static::rewrite_table_map] [HTTP::header Location]]
        } elseif {[HTTP::header value Content-Type] starts_with "text"} {
            # Apply stream expression stored in RULE_INIT event
            if {$stream_profile_enabled} {
                eval $static::stream_expression

                # Enable the stream filter for this response only
                eval $static::stream_enable
            }
        }
    }
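
A narrower take on the Location rewrites in the replies above, as an added example that is not part of the thread: it upgrades a redirect to https only when the Location host is the host the client requested, and leaves redirects to any other host untouched. It assumes the virtual server has a client SSL profile and that the back end echoes the client's Host header in its absolute redirects; `vip_port`, `loc_host`, `loc_rest` and `authority` are names chosen for this example.

```tcl
# Added example, not code from the thread.
# Assumption: the pool members build absolute http:// redirects from the
# Host header the client sent (no internal host names involved).

when HTTP_REQUEST {
    # Client-side context: remember the requested host (without port)
    # and the port the virtual server is listening on.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
    set vip_port [TCP::local_port]
}

when HTTP_RESPONSE {
    if { ![HTTP::is_redirect] } { return }
    set loc [HTTP::header value Location]

    # Only absolute http:// URLs need work; relative and https:// ones pass through.
    if { ![regexp -nocase {^http://([^/:?#]+)(?::[0-9]+)?([/?#].*)?$} $loc -> loc_host loc_rest] } {
        return
    }

    # Leave redirects to any other host alone (for example an external login
    # page). Stripping or replacing the host there would change where the
    # server meant to send the client.
    if { [string tolower $loc_host] ne $req_host } {
        return
    }

    # Omit the port when the virtual server listens on the HTTPS default.
    if { $vip_port == 443 } {
        set authority $req_host
    } else {
        set authority "${req_host}:${vip_port}"
    }
    if { $loc_rest eq "" } { set loc_rest "/" }

    HTTP::header replace Location "https://${authority}${loc_rest}"
}
```

Absolute http:// links inside response bodies are not touched by this rule; those still need the stream profile approach shown in the last reply.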