
(CSS) HTTP headers in SSL

David Coupez
Level 1

Hello,

I've a problem with my Content Switch, hope you'll be able to help me to solve it! So there are 2 content switches (master and backup).

As expected, they are used to balance connections between servers in a farm. Several balanced sites are using an SSL connection according to a transparent pattern.

So the problem is the system seems to work at first sight, but in fact, there is still a problem! All HTTP headers sent by servers are removed by CSS after the encryption.

It leads to a removal of caching headers and thus to a growing bandwidth use.

How can I fix this? Where can the problem be located?

Here is a summary of my config:

ssl-proxy-list myproxy
  ssl-server 1
  ssl-server 1 rsacert myfirstsite.pem
  ssl-server 1 rsakey myfirstsite.rsa
  ssl-server 1 vip address 10.168.1.30
  ssl-server 2
  ssl-server 2 rsacert mysecondsite.pem
  ssl-server 2 rsakey mysecondsite.rsa
  ssl-server 2 vip address 10.168.1.31
  ssl-server 2 cipher rsa-with-3des-ede-cbc-sha 192.168.1.1 40000
  active

service sslservice
  slot 2
  type ssl-accel
  keepalive type none
  add ssl-proxy-list myproxy
  active

content myfirstsite_ssl
  vip address 10.168.1.30
  add service sslservice
  port 443
  protocol tcp
  active

content myfirstsite
  vip address 10.168.1.30
  redirect "https://www.myfirstsite.com"
  protocol tcp
  port 80
  url "//www.myfirstsite.com/*"
  active

content mysecondsite_ssl
  vip address 10.168.1.31
  add service sslservice
  port 443
  protocol tcp
  active

content mysecondsite
  vip address 10.168.1.31
  redirect "https://www.mysecondsite.com"
  protocol tcp
  port 80
  url "//www.mysecondsite.com/*"
  active

Thank you very much!

Kind regards,

David

4 Replies

Gilles Dufour
Cisco Employee

David.

This is not possible.

The CSS does not have the capability to remove the headers from the servers.

Moreover, since this is encrypted traffic, I don't think a cache device can see the header - it is encrypted - so that's not the reason for not caching those objects.

Gilles

Thanks for your answer Gilles.

I guess I explained myself badly. The problem is that the CSS automatically removes all HTTP headers. When sniffing before the CSS, headers are present; after the CSS they are gone. I understand encryption should bring problems for caching but I guess it can be solved too!

The cache device in this case is the cache of the client browser. You can check it out on the information page of Firefox. Everything is noted as no-cached.

I guess this is a very strange problem. Thank you for your interest in my problem!

David,

with encryption, the goal is to guarantee that nobody can see your data or use them.

So, it is normal that you do not see a header once the HTTP traffic is encrypted. The HTTP header is part of the data and it is encrypted.

Same for the caching devices. They won't be able to see the data and therefore, they won't be able to cache it.

This is normal in the encryption world.

Gilles.

Gilles,

Thanks for your response, but I understand a middle device won't be able to cache because it doesn't have the session key. But in the case of the client's browser, it's not true! All clients are able to cache encrypted pages (except if the corresponding option has been disabled). In the Content Switch system, the connection is unsecure between server and CSS. The SSL layer is built only between CSS and client. Thus, the CSS sees the clear HTTP packet. In consequence, it is able to withdraw the HTTP header. That's my problem! I don't want my CSS to remove the HTTP header! Since it removes it, cache headers are removed and caching is thus disabled... In some way, it seems the CSS builds a new HTTP answer retrieving only data field of the received from the server. I really don't understand what's happening!

Kind regards,

David
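
One way to test the claim discussed in this thread is to diff the response head captured in clear text between server and CSS against the head the client sees after decryption (for example, as shown by the browser or an HTTP client). The following is an added example, not code from the thread or from Cisco; the function names, the list of caching headers and both sample captures are constructed for illustration.

```python
"""Diff HTTP response headers captured on each side of an SSL-terminating device."""

# Headers that control browser caching (assumed list for this example).
CACHE_HEADERS = ("cache-control", "expires", "etag", "last-modified", "pragma")

# Constructed sample: clear-text response head seen between server and CSS.
SERVER_SIDE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Cache-Control: public, max-age=86400\r\n"
    "Expires: Tue, 02 Jan 2024 00:00:00 GMT\r\n"
    'ETag: "abc123"\r\n'
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n\r\nhello"
)
# Constructed sample: response head as seen by the client after decryption.
CLIENT_SIDE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 5\r\n\r\nhello"
)

def parse_head(raw):
    """Return (status_line, {lowercase name: value}); (None, {}) if no HTTP head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines[0].startswith("HTTP/"):
        return None, {}  # body only: the response carries no header block at all
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed lines without a colon
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are folded into one comma-separated value.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers

def diff_headers(server_side, client_side):
    """Report headers dropped, changed or added between the two captures."""
    _, before = parse_head(server_side)
    _, after = parse_head(client_side)
    dropped = sorted(set(before) - set(after))
    return {
        "dropped": dropped,
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
        "added": sorted(set(after) - set(before)),
        "cache_dropped": [h for h in dropped if h in CACHE_HEADERS],
    }

if __name__ == "__main__":
    print(diff_headers(SERVER_SIDE, CLIENT_SIDE))
```

A non-empty `cache_dropped` list means caching headers present on the server side did not reach the client; a packet capture on the encrypted side cannot answer this, because the headers are inside the SSL payload there.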