Mohanad
Oct 28, 2021

SSL offloading for Microsoft TFS

Hello

I'm trying to implement SSL offloading for the Microsoft Team Foundation Server (TFS) application. Currently it's working over HTTP on port 8080, so I created a virtual server with TCP, HTTP and client SSL profiles only (Client -- ssl:8080 --> F5 -- http:8080 --> TFS:8080), but it's not working.

I found that the first four requests are sent by Google Chrome over https:8080, but the rest of the requests, around 70 requests (JS and CSS), are over http:8080! I used the dev tools to check the issue: they were blocked by Chrome because mixed content is blocked by default. I allowed it, but it's still not working because F5 is expecting SSL traffic, not clear text. To overcome this issue I configured a new HTTP VS with a redirect iRule (HTTP to HTTPS), but I got another error, which is "too many redirects".

How can I solve this issue, and why is Google Chrome behaving like that, sending clear-text requests after the first request? Maybe the server is sending instructions to the client to use HTTP?

iRule workaround (too many redirects)

 

when HTTP_REQUEST {
    # Redirect every request to https on port 8080, keeping the host name and URI
    HTTP::redirect https://[getfield [HTTP::host] ":" 1]:8080[HTTP::uri]
}

 

first request:

request headers:

Request URL: https://tfsapp:8080/tfs/DefaultCollection/Jakss%20Ticket%20System/_workitems/edit/78757

Request Method: GET

Status Code: 200 OK

Remote Address: 192.168.20.110:8080

Referrer Policy: strict-origin-when-cross-origin

response headers:

ActivityId: 5fba6c55-c70e-4e16-bb79-ca542327a100

Cache-Control: public, no-store, max-age=0

Content-Encoding: gzip

Content-Type: text/html; charset=utf-8

Date: Thu, 28 Oct 2021 11:31:20 GMT

Expires: Thu, 28 Oct 2021 11:31:21 GMT

Last-Modified: Thu, 28 Oct 2021 11:31:21 GMT

Lfs-Authenticate: NTLM

P3P: CP="CAO DSP COR ADMa DEV CONo TELo CUR PSA PSD TAI IVDo OUR SAMi BUS DEM NAV STA UNI COM INT PHY ONL FIN PUR LOC CNT"

Persistent-Auth: true

Transfer-Encoding: chunked

Vary: *

WWW-Authenticate: Negotiate oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARqcnP7VnRAy2Y9a8LtnH/YImA1Y6pfoH1Sl/DGvqBxo1lCn4bMJi91Gi5YjuUMT59dmSYbLAMd0NKnkHFGs7oSTRl6S8t2hfk/YxDWyB3twFrDMpjF4mgwOL8Oqipvo+doMWhIjIjOEOckRg==

X-Content-Type-Options: nosniff

X-FRAME-OPTIONS: SAMEORIGIN

X-TFS-ProcessId: a5fdd0f9-0e98-4894-8c84-0d0c73345cb7

X-TFS-Session: 5fba6c55-c70e-4e16-bb79-ca542327a100

X-VSS-E2EID: 5fba6c55-c70e-4e16-bb79-ca542327a100

X-VSS-UserData: 7e4446cd-b2d6-4b4a-8929-107b9ad7bc9c:m.abcd

Next requests: (clear http)

Before allowing mixed content

After allowing mixed content

Thanks,

Mohanad

3 Replies

  • Hi Mohanad,

    Can you try this iRule instead of the redirect iRule?

     

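    when HTTP_REQUEST {
    	# No stream rewriting on the request; drop Accept-Encoding so the
    	# server answers uncompressed and the response body can be matched
    	STREAM::disable
    	HTTP::header remove "Accept-Encoding"
    }

    when HTTP_RESPONSE {
    	# Rewrite http:// to https:// in responses whose Content-Type contains "text"
    	if { [HTTP::header value Content-Type] contains "text" } {
    		STREAM::expression {@http://@https://@}
    		STREAM::enable
    	}
    }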

     

    https://support.f5.com/csp/article/K31100432
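The following check is an added example, not code from this thread or from F5. It lists the subresources an https page would still request over clear-text http (what Chrome blocks as mixed content) and mimics the substitution in the iRule above, including its Content-Type condition. The host name comes from the original post; the asset paths, the JSON body and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a subresource (simplified set).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or ""):
            return  # only stylesheet links count as subresources here
        value = a.get(FETCH_ATTRS.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.page_url, value))


def mixed_content(page_url, html):
    """Subresource URLs an https page would request over clear-text http."""
    if urlsplit(page_url).scheme != "https":
        return []
    c = _Collector(page_url)
    c.feed(html)
    return [u for u in c.urls if urlsplit(u).scheme == "http"]


def stream_rewrite(content_type, body):
    """Same substitution as the iRule: only when Content-Type contains "text"."""
    return body.replace("http://", "https://") if "text" in content_type else body


# Constructed sample: host from the post, asset paths are made up.
PAGE_URL = "https://tfsapp:8080/tfs/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://tfsapp:8080/tfs/_static/site.css">
<script src="http://tfsapp:8080/tfs/_static/app.js"></script>
<script src="/tfs/_static/relative.js"></script>
</head><body><a href="http://tfsapp:8080/tfs/">home</a></body></html>"""
SAMPLE_JSON = '{"url": "http://tfsapp:8080/tfs/_apis/example"}'

if __name__ == "__main__":
    print("before:", mixed_content(PAGE_URL, SAMPLE_HTML))
    fixed = stream_rewrite("text/html; charset=utf-8", SAMPLE_HTML)
    print("after: ", mixed_content(PAGE_URL, fixed))
    print("json untouched:", stream_rewrite("application/json", SAMPLE_JSON) == SAMPLE_JSON)
```

Absolute http:// links in the text/html body are rewritten, while the constructed application/json body passes through unchanged because its Content-Type does not contain "text".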

  • Thank you so much Enes, this iRule made the website load, but it is still not fully functional. Hereunder are the dev tools logs:

    Cannot fetch the events, and the status code is 500.

  • I tried to access the same page without F5; the status code is 204, and as per the MDN wiki: The HTTP 204 No Content success status response code indicates that a request has succeeded, but that the client doesn't need to navigate away from its current page. This might be used, for example, when implementing "save and continue editing" functionality for a wiki site.

     

    It's true, because I want to edit a ticket, but the full content of the page is not displayed.