Forum Discussion
Martin_Kaiser_1
May 23, 2011 (Nimbostratus)
Hi again.
In order to make this shorter and to avoid logging entries, I tried the following version of your suggestion:
    rule ssl_redirect_sameport {
        when HTTP_REQUEST {
            # this is useless without the "accept non-SSL connections" option in the clientssl profile!
            if { not ( [SSL::cipher version] contains "SSL" ) } {
                # send the client back to the same host and port, but over https
                HTTP::redirect https://[HTTP::host]:[TCP::local_port][HTTP::uri]
            }
        }
    }
This rule is enabled on a VS as follows:
    virtual abc.de-29082 {
        pool abc-29082
        destination a.b.c.d:29082
        ip protocol tcp
        rules selfaccess-SNAT ssl_redirect_sameport
        persist cookie
        profiles { abc.de-acceptnonSSL { clientside } http {} tcp-lan-optimized { serverside } tcp-wan-optimized { clientside } }
        vlans { internal external } enable
    }
(Rule selfaccess-SNAT uses a SNAT pool address if the client is on the same subnet as the VS, thus enabling the pool members themselves to access this VS; no SNAT otherwise.)
The SSL profile reads as follows:
    profile clientssl abc.de-acceptnonSSL {
        defaults from abc.de
        nonssl enable
    }
With this setup, when typing http://abc.de:29082 into the browser address line, I do not get any web page displayed (connection error; tested with IE8 and Firefox 4.0.1). Wireshark shows that the BIG-IP issues a TCP reset as soon as it receives the client's unencrypted HTTP GET request. When disabling the ssl_redirect_sameport iRule, the unencrypted access works; only the redirect doesn't seem to work. Any hints on this? Thanks again for your help.
Martin
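The setup above has plaintext HTTP and TLS arriving on the same port (29082), and the iRule wants the plaintext case turned into a redirect to https on that port. The following is an added example, not code from the post or from F5, that models the decision a listener has to make on the first bytes of such a connection and builds the redirect the iRule is aiming for. The first-byte heuristic, the helper names (`classify_first_bytes`, `build_redirect`, `handle_first_bytes`, `run_demo`) and the sample request are this example's own assumptions, not BIG-IP internals; it also strips an explicit port from the Host header before appending the local port, which is this example's choice and not a claim about what `HTTP::host` returns.

```python
"""Added example: sniff plaintext HTTP vs. TLS on one port and answer the
plaintext case with an https redirect to the same host and port.
Not code from the forum post or from F5; the heuristic is an assumption."""
import socket

# Request methods accepted as the start of a plaintext HTTP/1.x request.
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")

# Constructed sample: what a browser sends for http://abc.de:29082/
# (the Host header carries the non-default port).
PLAIN_REQUEST = (b"GET / HTTP/1.1\r\n"
                 b"Host: abc.de:29082\r\n"
                 b"User-Agent: example\r\n"
                 b"\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes of a connection as 'tls', 'plain' or 'unknown'.

    Intended to run on peeked bytes, so a TLS ClientHello stays in the
    socket buffer for the TLS stack to consume afterwards.
    """
    if data.startswith(HTTP_METHODS):
        return "plain"
    # TLS record header: content type 0x16 (handshake), version 0x0300..0x0304.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    # SSLv2-compatible ClientHello: 2-byte length with high bit set, then type 0x01.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "tls"
    return "unknown"


def host_without_port(host: str) -> str:
    """Strip an explicit port from a Host value, keeping IPv6 literals whole."""
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def parse_request_line(data: bytes):
    """Return (method, target, host) from a plaintext request; host is None if absent."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii"), parts[1].decode("ascii"), host


def build_redirect(request: bytes, local_port: int) -> bytes:
    """Build the 302 the iRule aims for: https://<host>:<local port><uri>.

    The port is removed from the Host value first (this example's choice), so
    a browser that sent "Host: abc.de:29082" is not sent to "abc.de:29082:29082".
    """
    try:
        _method, target, host = parse_request_line(request)
    except ValueError:
        host = None
    if host is None:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    location = f"https://{host_without_port(host)}:{local_port}{target}"
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Connection: close\r\nContent-Length: 0\r\n\r\n").encode("ascii")


def handle_first_bytes(conn: socket.socket, local_port: int) -> str:
    """Peek at a new connection and act on what it carries.

    'plain'   -> consume the request and answer with the redirect
    'tls'     -> leave the bytes buffered for a TLS handshake (not done here)
    'unknown' -> close, which is what a reset looks like to the client
    """
    kind = classify_first_bytes(conn.recv(16, socket.MSG_PEEK))
    if kind == "plain":
        conn.sendall(build_redirect(conn.recv(65536), local_port))
    elif kind == "unknown":
        conn.close()
    return kind


def run_demo(local_port: int = 29082) -> bytes:
    """Run the plaintext case over a local socket pair; return the listener's reply."""
    client, server = socket.socketpair()
    try:
        client.sendall(PLAIN_REQUEST)
        handle_first_bytes(server, local_port)
        return client.recv(4096)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print(run_demo().decode("ascii"))
```

Running the file sends the constructed plaintext GET through the socket pair and prints the 302 with `Location: https://abc.de:29082/`. The peek-then-decide step is the part that matters when debugging a shared port with Wireshark: if the listener consumes the first bytes before deciding, a TLS client can never complete its handshake, and if it decides wrongly, the plaintext client sees a closed connection instead of a redirect.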