SSL 443 to Clear 8080 Application wants to see :8080 in hdr

Feb 5th, 2008
Hello

I'm using a CSS11501 with SSLmod SSLclient_side - ClearServer_side.

All is fine except that the back-end (java) application wants to see :8080 in the header as if it were entered from a browser.

i.e. http://160.1.1.1:8080/mypage.htm

not http://160.1.1.1/mypage.htm


Is there a way of inserting :8080 into calls to the server?

I am sending traffic to the servers on port 8080 OK but get a MOCK application error returned - it just needs the :8080.

A network trace showed the only difference between routing over the CSS (successful) or hitting the VIP (error returned) was that :8080 was missing in the HTTP GET.

Any ideas?

Thanks

Graham

Gilles Dufour (Cisco Employee) Tue, 02/05/2008 - 03:38

Graham,


Unfortunately the CSS (and it's the same for other load balancers) does not change the content of the traffic.

So, there is no way to add the :8080 to the Host Field.

(modifying the content means computing new CRC, checking packet size so it stays below MSS and MTU, ...)

You could either change your application to not look at the port inside the host field, or try a trick by redirecting the client to https://....:8080/...., decrypt this traffic and send it cleartext to the server.

It should come with the host field set to ...:8080


Gilles.
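
The application-side change suggested above, as an added example that is not part of the original thread or of the poster's Java application: Python code that accepts a Host header with or without a port and falls back to the listener's own port when the header has none. `LISTENER_PORT`, the function names and the two sample requests are constructed for illustration.

```python
# Added example: accept the Host header with or without ":8080".
# LISTENER_PORT and the sample requests below are constructed for illustration.

LISTENER_PORT = 8080  # port the back-end socket is bound to (assumption)

# Constructed samples: request sent straight to the server, and via the VIP.
DIRECT = b"GET /mypage.htm HTTP/1.1\r\nHost: 160.1.1.1:8080\r\n\r\n"
VIA_VIP = b"GET /mypage.htm HTTP/1.1\r\nHost: 160.1.1.1\r\n\r\n"


def parse_host_header(value):
    """Split a Host header value into (host, port or None)."""
    value = value.strip()
    if value.startswith("["):  # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        host, rest = value[: end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_text = rest[1:]
    else:
        host, _, port_text = value.partition(":")
    if not host:
        raise ValueError("empty host in Host header")
    if not port_text:
        return host, None  # client used the default port, so none was sent
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError("non-numeric port in Host header")
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError("port out of range in Host header")
    return host, port


def effective_host_port(raw_request, listener_port=LISTENER_PORT):
    """Return (host, port) for a raw HTTP/1.1 request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hosts = [line.split(":", 1)[1] for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:  # missing or duplicated Host header: reject
        raise ValueError("expected exactly one Host header")
    host, port = parse_host_header(hosts[0])
    # No port in the header: use the port this listener accepted the request on.
    return host, (port if port is not None else listener_port)
```

Both sample requests resolve to the same host and port, so the request that arrives through the VIP no longer depends on the client having typed :8080.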

grahamlewis Tue, 02/05/2008 - 04:06
Many thanks Gilles

I think they will need to change their application.

I had tried everything I could think of but thought if there was another way - you would know.

A case of developers testing apps in an environment that in no way reflects the real world, I think?

Thanks again.

Graham

paul.matthews Wed, 02/06/2008 - 03:13

Hi Gilles, your suggestion has piqued my interest somewhat, but I am not sure where this redirection would potentially fit - are you proposing this before the initial SSL content rule?


I do agree the best option would be to mod the application, but it is always useful to know options, even if they are not the best of ideas!


Paul.
