Ssl – What’s the best way to detect whether an incoming request is secure

f5-big-iphttphttpsload balancingssl

Is there a preferred method of detecting HTTP vs. HTTPS on an incoming request to an F5 load-balancer? We are attempting to detect secure vs. non-secure with an iRule and pass a corresponding header flag along to my web servers.

Here's what we have so far (untested):

when HTTP_REQUEST_SEND {
   clientside {
      if {[TCP::local_port] == 443} {
         HTTP::header replace HTTP_X_FORWARDED_PROTO "https"
      }
      else {
         HTTP::header replace HTTP_X_FORWARDED_PROTO "http"
      }
   }
}

As you can see, we are using if {[TCP::local_port] == 443} { ... } to detect SSL, but it feels clunky with the port hard-coded into the rule. Is there a better way?

Perhaps inspecting: SSL::mode, HTTP:uri, or something else?

Best Answer

What you want to detect is whether the connection is using a Client SSL profile. The DevCentral page for PROFILE::exists shows how to do this:

when CLIENT_ACCEPTED {
   if { [PROFILE::exists clientssl] == 1} {
      log local0. "client SSL profile enabled on virtual server"
   }
}

Oliver

Related Solutions

F5 Networks iRule/Tcl – Escaping UNICODE 6-character escape sequences so they are processed as and reinserted as the 6-character sequence

What you are trying to do is not recommended with SharePoint.

The recommended approach is to use Alternate Access Maps inside of SharePoint. You will create a public URL of https:// and have an internal name of http://.

This will cause all URLs on your page to be created using https://

You may want to ask this on ServerFault http://serverfault.com if you do not like the answer.

Ssl – Best practices for keeping a portion of website under https & under http for the rest

This pseudo-conf for Apache will do what you require: two virtual hosts, one with SSL, and redirects from the SSL-required path(s) to the HTTPS version of the site.

<VirtualHost *:80>
ServerName www.sample.com
DocumentRoot /var/www/www.sample.com

Redirect permanent /secure https://www.sample.com/secure
Redirect permanent /secure2 https://www.sample.com/secure2
</VirtualHost>

<VirtualHost *:443>
Servername www.sample.com
DocumentRoot /var/www/www.sample.com

SSLEngine On
</VirtualHost>

Once you've given your users a cookie keying to their identity, it's best to keep them on the SSL version of the site, so that their cookie can't be hijacked by malicious users on their unencrypted coffeeshop wireless connection, for example. You have a couple of options for making that work. Either use your application language (eg PHP) to detect the cookie and then redirect to the SSL version of the current page, or you could use mod_rewrite to force SSL when the cookie exists. But that's another question...

Best Answer

Related Solutions

F5 Networks iRule/Tcl – Escaping UNICODE 6-character escape sequences so they are processed as and reinserted as the 6-character sequence

Ssl – Best practices for keeping a portion of website under https & under http for the rest

Related Topic