Identifying HTTPS traffic in your application

The problem with SSL termination is that all traffic reaching your web application now arrives over HTTP. This matters because security checks in the application often enforce an HTTPS connection and may try to redirect the user to HTTPS. To avoid redirects like this, we need to tell the web server that the request was originally encrypted over HTTPS, even though it no longer is.

To do this, it’s recommended to set up an iRule that sets a special header. Visit Local Traffic -> iRules -> iRule List. Click the “Create…” button.

In the new iRule, give it a name such as “https-offloaded-header”. In the rule contents, use the following code:

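##
# Notify the backend servers that this traffic was SSL offloaded by the F5.
##
when HTTP_REQUEST {
    # Drop any copy of the header sent by the client, so the backend only sees the value set here.
    HTTP::header remove "X-Forwarded-Proto"
    HTTP::header insert "X-Forwarded-Proto" "https"
}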

Save the iRule, then head back over to your virtual server under Local Traffic -> Virtual Servers -> Virtual Server List and click on your HTTPS virtual server. Under the “Resources” tab, click “Manage…” in the iRules section.

Move your new iRule from the “Available” list into the “Enabled” list. If you’re doing any kind of HTTP/HTTPS redirects on your load balancer, it’s also a good idea to move it to the top of the rule list, because setting headers after a redirect can cause pages to be undeliverable. Click “Finished” when done.
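On the backend, the header should only be believed when the connection really comes from the load balancer. The following is an added example, not code from the original article or from F5: it assumes a Python WSGI application, and the proxy range 10.0.0.0/24 and all function and class names are hypothetical.

```python
import ipaddress

# Assumption: the BIG-IP reaches the backends from this range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def peer_is_trusted(remote_addr):
    """True when the TCP peer is one of the load balancer's addresses."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def effective_scheme(environ):
    """Return the scheme the client used, as far as the backend can trust it."""
    scheme = environ.get("wsgi.url_scheme", "http")
    if not peer_is_trusted(environ.get("REMOTE_ADDR", "")):
        return scheme  # direct connection: ignore whatever the header claims
    raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # Duplicate headers usually reach WSGI joined by commas; the value added by
    # the nearest proxy is last, so that is the only one worth believing.
    last = raw.split(",")[-1].strip().lower()
    return last if last in ("http", "https") else scheme


class ForwardedProtoMiddleware:
    """WSGI wrapper that fixes wsgi.url_scheme before the app's HTTPS checks run."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ["wsgi.url_scheme"] = effective_scheme(environ)
        return self.app(environ, start_response)
```

Wrap the application once at startup, for example app = ForwardedProtoMiddleware(app), so that redirect and secure-cookie logic reads the corrected scheme.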

 

For more details on SSL offloading, see:

https://www.lullabot.com/blog/article/setting-ssl-offloading-termination-f5-big-ip-load-balancer
