We want to force all users to use SSL instead of http, and redirect any incoming HTTP traffic to HTTPS (from port 80 to port 443).
We will use the REDIRECT rule. The syntax of the redirect rule requires that the domain name, the URL and the port be specified. Optionally, you can use '*' to signify the same value as in the request. We are using * for both domain-name and URL, and 443 for the port.
We use a default rule in a csw-policy and apply it on port http. This ensures that all incoming HTTP traffic hits the default policy and the redirect message is sent to the browser. The browser will then resend the request via HTTPS on port 443.
In this example, we have a VIP listening on SSL running in SSL terminate or SSL proxy mode.
GET /dummypage.html HTTP/1.1\r\n
HTTP/1.1 302 Moved Temporarily\r\n
ssl profile sslprofile
!
csw-policy p1
 default redirect * * 443
!
server real RS1 10.1.1.100
 port http
 port 180
 port 180 no-health-check
!
server virtual vip1 10.1.1.100
 port http
 port http csw-policy p1
 port http csw
 bind http RS1 180
 port ssl ssl-terminate sslprofile
 bind ssl RS1 http
Tips / Caveats
Note: The example above creates a dummy port (180) on one of the real servers with no-health-check. Port SSL under the virtual server is bound to the http port on the real servers. To assign a CSW policy, the VIP port must be bound to a real server port. As the vip-ssl port is already bound to the real-http port, we use a dummy port (180) to bind the vip-http port to the real-180 port, which allows us to assign the redirect policy. This does not require any configuration changes on the actual real server.
ServerIron# show server bind vip1
Bind info
Virtual server: vip1 Status: enabled IP: 10.1.1.10
 SSL -------> RS1: 10.1.1.20, http (Active)
 http -------> RS1: 10.1.1.20, 180 (Active) <--(DUMMY PORT)
If doing SSL termination/SSL offload on ServerIron ADX, ensure you are running ADX OS 12.1 or later.
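To confirm from the client side that the redirect policy behaves as configured (same host, same URL, HTTPS on 443), the response to a plain HTTP request can be checked as below. This is an added example, not part of the original page or of any Brocade tooling; the host name and the exact Location header value are constructed assumptions.

```python
# Added example (not from the original page): offline check that a redirect
# response matches "default redirect * * 443", i.e. same host, same URL, HTTPS.
from urllib.parse import urlsplit


def parse_response(raw: bytes):
    """Split a raw HTTP response head into (status_code, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(req_host: str, req_target: str, raw_response: bytes):
    """Return a list of problems; an empty list means the redirect is as expected."""
    status, headers = parse_response(raw_response)
    if status not in (301, 302, 303, 307, 308):
        return [f"status {status} is not a redirect"]
    problems = []
    loc = urlsplit(headers.get("location", ""))
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme!r}, not https")
    if (loc.hostname or "") != req_host.split(":")[0].lower():
        problems.append(f"Location host {loc.hostname!r} differs from request host")
    if (loc.port or 443) != 443:
        problems.append(f"Location port is {loc.port}, not 443")
    target = loc.path + ("?" + loc.query if loc.query else "")
    if target != req_target:
        problems.append(f"Location URL {target!r} differs from requested {req_target!r}")
    return problems


# Constructed sample responses; the Location values are assumptions.
GOOD = (b"HTTP/1.1 302 Moved Temporarily\r\n"
        b"Location: https://www.example.com/dummypage.html\r\n\r\n")
BAD = (b"HTTP/1.1 302 Moved Temporarily\r\n"
       b"Location: http://other.example.net:8080/\r\n\r\n")

if __name__ == "__main__":
    print(check_redirect("www.example.com", "/dummypage.html", GOOD))
    print(check_redirect("www.example.com", "/dummypage.html", BAD))
```

A redirect that changes the host or drops back to http is reported as a problem, which catches a policy that was written with explicit values instead of '*'.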