RE: [load balancing] redirecting http to https for secure webapps

From: Winter, R. Stephen (SWinterIZZATbecu.org)
Date: Fri Jul 09 2004 - 16:55:52 EDT


Hmm... Since the SSL is (I'm assuming) answering on port 443 on the
BigIP, couldn't you create a separate VIP for port 80 that just goes to
a rule instead of the server pool on port 80 that sends them the new
URL?
 
https://server.domain.com (=port 443) goes to "server pool1"
http://server.domain.com (=port 80) goes to a dead-end rule that
rewrites (no server pool.)
 
I have never built a rule for redirection, so I may not know what I'm
talking about, but it seems like it should work...

  _____

        From: Fletcher Cocquyt [mailto:fcocquytIZZATstanford.edu]
        Sent: Friday, July 09, 2004 12:35 PM
        To: lb-lIZZATvegan.net
        Subject: [load balancing] redirecting http to https for secure webapps

        Fellow lb'ers,

        We have a webapp (/secureapp/) that we only want to make available through https SSL.
        Users trying to access http://site/secureapp/ should be redirected to https://site/secureapp/

        Given that:
        1) https://site is a BigIP SSL proxied site
        2) Apache web servers in the pool only see port 80 coming from the BigIP (good thing - that means the SSL is offloaded on the BigIP HW)
        3) Some apps (/nonsecureapp/) do not require SSL redirect

        How do I best configure this redirect?

        I have seen various options:

        1) Rewrite rules like the one below do not work because the server port is 80 regardless
        a. RewriteCond %{SERVER_PORT} !^443$
        b. RewriteRule ^/secret(.*)$ https://www.domain.com/secret$1 [L,R]
        2) BigIP Rules do not seem to work - I get a loop in my testing:
        a. if (http_uri matches_regex "/secureapp/" and client_port == 80) {
        b. redirect to "https://%h/%u"
        c. }
        3) Setting a Header value in the BigIP Proxy to trigger a re-write rule seems like it should work, but complicated.
        4) Having the BigIP SSL Proxy point to a new Apache webserver pool listening on port 81 (something other than 80) and have the port 80 accesses to /secureapp/ redirect to https://site/secureapp/

        I am thinking of doing option 4 - but thought I'd ask what others found works best.

        Thanks,

        Fletcher Cocquyt
        Senior Systems Administrator
        fcocquytIZZATstanford.edu
         


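The redirect loop from option 1 and the header-based alternative from option 3 in this thread, as an added Python model that is not part of either message and is not BigIP or Apache configuration. The header name `X-Forwarded-Proto`, the function names and the `overwrite_header` switch are assumptions made for illustration.

```python
# Constructed model of the setup in the thread: a load balancer with a
# port-80 VIP and an SSL-terminating port-443 VIP, both forwarding to
# backends that only ever see port 80.
from urllib.parse import urlsplit

PROTO_HEADER = "X-Forwarded-Proto"  # assumed header name, not from the thread

def load_balancer(url, client_headers, overwrite_header=True):
    """Return (backend_port, headers) as the backend sees the request."""
    scheme = urlsplit(url).scheme
    headers = dict(client_headers)
    if overwrite_header:
        # Corrected setup: both VIPs set the header, discarding any client value.
        headers[PROTO_HEADER] = scheme
    elif scheme == "https":
        # Weak setup: only the 443 VIP sets it; the port-80 VIP passes
        # whatever the client sent straight through.
        headers[PROTO_HEADER] = "https"
    return 80, headers  # SSL is offloaded, so the backend port is always 80

def port_rule(path, port, headers):
    # Option 1: port-based test. The backend port is never 443, so it always fires.
    return path.startswith("/secureapp/") and port != 443

def header_rule(path, port, headers):
    # Option 3: decide from the header the proxy sets.
    return path.startswith("/secureapp/") and headers.get(PROTO_HEADER) != "https"

def fetch(url, rule, client_headers=None, overwrite_header=True, max_hops=5):
    """Follow redirects; return (final_url, hops), or ("LOOP", max_hops)."""
    for hops in range(max_hops):
        parts = urlsplit(url)
        port, headers = load_balancer(url, client_headers or {}, overwrite_header)
        if not rule(parts.path, port, headers):
            return url, hops  # backend serves the page
        url = f"https://{parts.netloc}{parts.path}"  # backend answers with a redirect
    return "LOOP", max_hops
```

With `overwrite_header=False`, a plain-HTTP request that already carries the header is served without a redirect, so the port 80 VIP has to set or strip the header as well.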