0

I have a BIG-IP which has two entry points, HTTP and HTTPS; both entry points communicate with my Apache server over the HTTP protocol.

The HTTPS certificate is on the BigIP, and SSL Offloading is carried out.

The issue is that on my apache server I have a rewrite rule as follows:

RewriteRule ^(/?)$ /fr.html [R=301,L]

If I access my site with https the site redirects to http (which is not good).

I can force https redirection on Apache, but I want to access my site on both http and https.

2 Answers

4

As far as I know roughly three approaches are possible.

  • Don't do any URL remapping at the level of Apache; place all such logic on the F5. The F5 is aware of the original protocol and will generate correct HTTP(S) URLs.

  • Because you're doing SSL off-loading your actual web server is not aware if the original request was made over HTTPS or plain HTTP. You can make Apache (and all your other applications) aware of the original protocol the client used by injecting the X-Forwarded-Proto header on the F5.

You can then make protocol aware redirects:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} https [NC]
RewriteRule  ^(/?)$ https://%{HTTP_HOST}/fr.html [R=301,L]

RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^(/?)$ /fr.html [R=301,L]
  • Leverage an iRule for the HTTPS virtual server that rewrites any occurrence of absolute URLs http://www.example.com to https://www.example.com.

That has the additional benefit of also preventing "insecure content" warnings when your web sites and web applications contain other absolute references to http://www.example.com for stylesheets, images, links and other content.

STREAM::expression { @http://<www.example.com>@https://<www.example.com>@ }

Edit: a fourth option is of course to not send an HTTP redirect to the client, but simply substitute the URL internally in Apache, in other words, lose the R flag...

4
  • Thank you for your answer, the idea of X-Forwarded-Proto seems OK, but I have lots of rewrites. Does that mean I have to rewrite all my rewrites to have one http version and the other for https? Commented Jul 25, 2018 at 8:14
  • Unfortunately, as far as I know, yes, you'll need to rewrite all your rules. But a fourth option is of course to not send an HTTP redirect to the client, but simply substitute the URL internally in Apache, in other words, lose the R flag...
    – HBruijn
    Commented Jul 25, 2018 at 8:19
  • Removing the R flag, I stay in HTTPS, but it causes my application to fail. Commented Jul 25, 2018 at 8:36
  • Then creating an iRule on the F5 is probably the most efficient way to ensure that HTTPS visitors stay secure and will only see HTTPS URLs and redirects
    – HBruijn
    Commented Jul 25, 2018 at 9:08
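
An added example, not part of the answer or comments above: under the X-Forwarded-Proto approach, one way to avoid keeping an HTTP and an HTTPS copy of every redirect is to record the client's scheme in an environment variable once and build each external redirect from it. The variable name `PROTO` and the virtual-host context are assumptions, as is the BIG-IP replacing any client-supplied `X-Forwarded-Proto` on both virtual servers.

```apache
RewriteEngine On

# Assumption: the BIG-IP sets X-Forwarded-Proto itself on both the HTTP and
# HTTPS virtual servers and replaces any value sent by the client. Without
# that, a client on the HTTP entry point could supply the header itself.

# Record the scheme the client used, once per request.
# PROTO is a name chosen for this example.
RewriteCond %{HTTP:X-Forwarded-Proto} =https [NC]
RewriteRule ^ - [E=PROTO:https]

# Header absent or any other value: treat the request as plain HTTP.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https [NC]
RewriteRule ^ - [E=PROTO:http]

# Each external redirect builds an absolute URL from the recorded scheme,
# so a single rule serves both HTTP and HTTPS visitors without a downgrade.
RewriteRule ^/?$ %{ENV:PROTO}://%{HTTP_HOST}/fr.html [R=301,L]
```

Only rules carrying the R flag need the `%{ENV:PROTO}://%{HTTP_HOST}` prefix; internal rewrites never reach the client and can stay as they are.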
2

Since you are offloading SSL, it's often easier to "offload" the fix in the redirects. As @HBruijn said, you can use an iRule, but you can also simply use the "Redirect Rewrite" option on the HTTP profile associated with your https virtual-server.

Both options are presented here in detail: https://devcentral.f5.com/articles/rewriting-redirects

Basically, setting "Redirect Rewrite" to "All" in your profile should work.
