Forum Discussion

babaransari_361
May 17, 2018

HTTP to HTTPS redirection using only a single virtual server

I need to configure HTTP to HTTPS redirection using a single virtual server which will be listening on port 443. This virtual server will communicate with the backend servers on port 8080. Hence any HTTP request should get redirected to the HTTPS instance of the virtual server without creating the HTTP instance of the virtual server on the F5.

 

5 Replies

  • I'm using the following rule for this purpose. It basically strips the host part of http redirects and returns the relative path:

    ltm rule redirect_absolute_to_relative {
         when HTTP_RESPONSE {
              if { [HTTP::is_redirect] } {
                 # Replace absolute redirect with relative redirect
                 HTTP::header replace Location [regsub {https?://[^/]*/} [HTTP::header value location] "/"]
              }
         }
    }
    

    Hope this answers your question
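
The `regsub` from the reply above, run over a few constructed Location values in plain Tcl (an added example, not part of the original post and not an iRule; the proc names, the anchored pattern and the sample hostnames are assumptions made for illustration). It shows that the posted pattern leaves a host-only URL absolute and also rewrites a URL embedded in a query string, while a pattern anchored at the start of the value strips only the leading scheme, host and port:

```tcl
# Added example: plain Tcl for tclsh, modelling only the regsub call.
# All Location values below are constructed sample input.

# Pattern as posted in the reply: not anchored, requires a "/" after the host.
proc rewrite_unanchored {location} {
    return [regsub {https?://[^/]*/} $location "/"]
}

# Assumed alternative: anchored at the start of the header value, so only a
# leading scheme://host[:port] is removed; the "/" after the host is optional.
proc rewrite_anchored {location} {
    return [regsub {^https?://[^/?#]*/?} $location "/"]
}

set samples {
    http://app.example.com:8080/portal/index.jsp
    https://app.example.com:8080
    /login?next=http://other.example.net/home
    /portal/index.jsp
}

foreach loc $samples {
    puts "Location:   $loc"
    puts "  posted:   [rewrite_unanchored $loc]"
    puts "  anchored: [rewrite_anchored $loc]"
}
```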

  • Can you please try assigning the "any" port (put restrictions at the firewall for ports 80 and 443 for the VIP IP) to the virtual server and then try assigning a redirection iRule from HTTP to HTTPS?

     

  • when RULE_INIT {
       set static::redirect_http_to_https 1

       # Set this option to 1 to log debug messages (to /var/log/ltm by default)
       set static::single_vs_debug 1

       # static::vip_https_ports and static::vip_http_ports, used below, are not set in this rule as posted
    }
    when CLIENT_ACCEPTED {
       # Save the VIP name, client IP:port as a log prefix to make the log lines shorter
       set log_prefix "[IP::client_addr]:[TCP::client_port] [virtual name]"

       if { [matchclass [TCP::local_port] equals $static::vip_https_ports] }{

          # Request was to an HTTPS port, so do nothing for the clientside connection.
          # The defined client and/or server SSL profiles will be applied as normal
          if {$static::single_vs_debug}{log local0. "$log_prefix: HTTPS request to [IP::local_addr]:[TCP::local_port]"}

          # Log an error if the virtual server doesn't have a client SSL profile, but receives an SSL request
          if {[PROFILE::exists clientssl] == 0}{
             if {$static::single_vs_debug}{log local0. "$log_prefix:\
                Client connection received on port [TCP::local_port], but no client SSL profile is enabled on [IP::local_addr]"}
             reject
          }

       } elseif { [matchclass [TCP::local_port] equals $static::vip_http_ports] }{

          # Request was to an HTTP port, not an HTTPS port, so disable client SSL profile if one is enabled on the VIP
          set vip_http_port 1
          if {$static::single_vs_debug}{log local0. "$log_prefix: HTTP request to [IP::local_addr]:[TCP::local_port]"}

          # Check to see if there is a client SSL profile and if so, disable it
          if { [PROFILE::exists clientssl] == 1} {
             if {$static::single_vs_debug}{log local0. "$log_prefix: Client SSL profile enabled on VIP.  Disabling SSL."}
             set disable_cmd "SSL::disable"
             eval $disable_cmd
          }

       } else {

          # Request wasn't to a defined port, so reset the TCP connection.
          if {$static::single_vs_debug}{log local0. "$log_prefix:\
             Dropping request to undefined port [IP::local_addr]:[TCP::local_port]"}
          reject
       }
    }
    when HTTP_REQUEST {
       # If redirect_http_to_https is enabled and the request was made to an HTTP port,
       # redirect the client to the same host/URI over HTTPS
       if { ($static::redirect_http_to_https == 1 or ([info exists redirect_http_to_https] && $redirect_http_to_https)) && \
          ([info exists vip_http_port] && $vip_http_port==1)}{

          HTTP::redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
          if {$static::single_vs_debug}{log local0. "$log_prefix:\
             Redirecting client [IP::client_addr] to https://[getfield [HTTP::host] ":" 1][HTTP::uri]"}
       }
    }

    I used the above iRule but could not achieve my requirement. The backend servers are communicating on port 8080 and the URL has the port 8080 specified in it, but whenever I use the iRule, the page becomes inaccessible.

  • Hi babaransari,

     

    Why do you want to assign only one VIP? In any case you will have to listen on 2 ports (80 and 443). So creating 2 VIPs amounts to the same thing, and it will be easier for you to manage and maintain what you need!!!

     

    Regards