RE: [load balancing] redirecting http to https for secure webapps

From: Winter, R. Stephen (
Date: Fri Jul 09 2004 - 16:55:52 EDT

Hmm... Since the SSL is (I'm assuming) answering on port 443 on the
BigIP, couldn't you create a separate VIP for port 80 that just goes to
a rule instead of the server pool on port 80 that sends them the new
URL. (=port 443) goes to "server pool1" (=port 80) goes to a dead-end rule that
rewrites (no server pool.)
I have never built a rule for redirection, so I may not know what I'm
talking about, but it seems like it should work...


        From: Fletcher Cocquyt []
        Sent: Friday, July 09, 2004 12:35 PM
        Subject: [load balancing] redirecting http to https for secure
        Fellow lb'ers,
        We have a webapp (/secureapp/) that we only want to make
available through https SSL.
        Users trying to access http://site/secureapp/ should be
redirected to https://site/secureapp/
        Given that:
        1) https://site <https://site/> is a BigIP SSL proxied
        2) Apache web servers in the pool only see port 80 coming
from the BigIP (good thing - that means the SSL is offloaded on the
        3) Some apps (/nonsecureapp/) do not require SSL redirect
        How do I best configure this redirect?
        I have seen various options:
        1) Rewrite rules like the one below do not work because
the server port is 80 regardless
        a. RewriteCond %{SERVER_PORT} !^443$
        b. RewriteRule ^/secret(.*)$$1 [L,R]
        2) BigIP Rules do not seem to work - I get a loop in my
        a. if (http_uri matches_regex "/secureapp/" and
client_port == 80) {
        b. redirect to "https://%h/%u"
        c. }
        3) Setting a Header value in the BigIP Proxy to trigger a
re-write rule seems like it should work, but complicated.
        4) Having the BigIP SSL Proxy point to a new Apache
webserver pool listening on port 81 (something other than 80) and have
the port 80 accesses to /secureapp/ redirect to https://site/secureapp/
        I am thinking of doing option 4 - but thought I'd ask what
others found works best.
        Fletcher Cocquyt
        Senior Systems Administrator

NOTICE: This communication and any attachments may contain privileged or otherwise confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received without printing, copying, retransmitting, disseminating, or otherwise using the information. Thank you.

The Load Balancing Mailing List
MRTG with SLB:
Hosted by:

This archive was generated by hypermail 2.1.4 : Tue Jul 13 2004 - 03:42:48 EDT