Forum Discussion

Jinshu
Dec 11, 2015

Is HTTP to HTTPS redirection Secure?

Hi All,

I have configured HTTP to HTTPS redirection on some of the URLs, but is this secure? The VS blindly forwards all the communications from HTTP to HTTPS, which can cause a man-in-the-middle attack, right?

The attacker might be able to interrupt the communication on HTTP and insert malicious code or a cookie into the headers, and my redirection iRule blindly forwards it to the HTTPS virtual server, which causes problems.

Any suggestions/information on this?

-Jinshu

 

5 Replies

  • Hi Jinshu,

    To limit man-in-the-middle attacks on HTTP traffic, you can enable "HTTP Strict Transport Security".

    This is a new feature in version 12.0, but you can enable it with an iRule on previous versions:

    https://devcentral.f5.com/articles/implementing-http-strict-transport-security-in-irules

    This feature tells the browser to always request HTTPS instead of HTTP, even if the user entered http://www.company.com.

    In this case, the browser will automatically request https://www.company.com for every new request until the HSTS max-age expires.


  • Thanks Stanislas,

    I have done this with the iRule below on version 11.5.3.

    On the HTTPS URL:

      when HTTP_RESPONSE {
          # Tell the browser to use HTTPS for this host and its subdomains for 180 days
          HTTP::header insert "Strict-Transport-Security" "max-age=15552000; includeSubDomains"
      }

    On the HTTP URL:

      when HTTP_REQUEST {
          # Build the HTTPS equivalent of the requested URL and send a raw 301 response
          set my_loc "https://[HTTP::host][HTTP::uri]"
          TCP::respond "HTTP/1.1 301 Moved Permanently\r\nLocation: $my_loc\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
          TCP::close
      }

    -Jinshu

  • Use HTTP::respond instead of TCP::respond in the HTTP_REQUEST iRule:

      when HTTP_REQUEST {
          # getfield drops any :port from the Host header before it is reused in the Location
          HTTP::respond 301 noserver Location "https://[getfield [HTTP::host] ":" 1][HTTP::uri]" Connection close Content-Length 0
      }

  • Arie

    Perhaps a seemingly trivial distinction, but "forwarding" is not the same as "redirection".

    HTTP Redirection is accomplished by having the server (or a proxy device like the BIG-IP) issue a 301 or 302 response. The client then makes a new request based on the location specified by the redirect directive.

    Forwarding means that the original request is honored and maintained, but the destination is manipulated in some way by the proxy device.


  • Arie

    By the way, any particular reason you're using TCP::respond instead of the more common HTTP::respond?

    Using the latter the rule would look like this (some optimization added by removing the variable):

      when HTTP_REQUEST {
          HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
      }
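An added check, not code from this thread or from F5, that audits the two halves of the setup discussed above: the 301 the redirect iRule sends (same host with any :port dropped, as the getfield variant does, same path and query, https scheme) and the Strict-Transport-Security header the HTTPS virtual server adds (max-age at least the 15552000 seconds used in the thread, includeSubDomains present). The request and the two responses are constructed sample data, not captured from a BIG-IP.

```python
from urllib.parse import urlsplit

# Constructed sample exchange: the client's plain-HTTP request, the 301 the redirect
# iRule answers with, and the response the HTTPS virtual server returns afterwards.
REQ_HOST, REQ_URI = "www.company.com:80", "/login?next=/account"
REDIRECT_RAW = ("HTTP/1.1 301 Moved Permanently\r\n"
                "Location: https://www.company.com/login?next=/account\r\n"
                "Connection: close\r\nContent-Length: 0\r\n\r\n")
HTTPS_RAW = ("HTTP/1.1 200 OK\r\n"
             "Strict-Transport-Security: max-age=15552000; includeSubDomains\r\n\r\n")

def parse_response(raw):
    """Return (status code, {lower-cased header name: value}) from a raw response."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def redirect_ok(status, headers, req_host, req_uri):
    """301/302 to https://, same host with any :port dropped, same path and query."""
    if status not in (301, 302):
        return False
    loc = urlsplit(headers.get("location", ""))
    expected_host = req_host.split(":", 1)[0]  # like getfield [HTTP::host] ":" 1
    path_qs = loc.path + ("?" + loc.query if loc.query else "")
    return loc.scheme == "https" and loc.netloc == expected_host and path_qs == req_uri

def parse_hsts(value):
    # Split "max-age=N; includeSubDomains" into {directive (lower-cased): value}
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives

def hsts_ok(headers, min_age=15552000, want_subdomains=True):
    """HSTS header present, max-age at least min_age, includeSubDomains if required."""
    value = headers.get("strict-transport-security")
    if value is None:
        return False
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < min_age:
        return False
    return not want_subdomains or "includesubdomains" in d

def audit(redirect_raw, https_raw, req_host, req_uri):
    r_status, r_headers = parse_response(redirect_raw)
    return {"redirect": redirect_ok(r_status, r_headers, req_host, req_uri),
            "hsts": hsts_ok(parse_response(https_raw)[1])}
```

The HSTS check is applied to the HTTPS response only, because browsers ignore the header when it arrives over plain HTTP, which is why the thread's iRule inserts it on the HTTPS virtual server.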