I'm terminating SSL on the CSS for a website where we want to force users to use HTTPS to get to the site. If the user uses HTTP, we want the load balancer to change it to HTTPS and have the user use the HTTPS URL for all queries to the site.
I've looked at a couple of ways of doing this. One method is to create a special 'service' entry which rewrites the URL. But I don't see how this can work with the normal way SSL terminated websites are configured.
is the example of that.
Alternately, there's the 'ssl-server 1 urlrewrite 1 www.domain.com' command, but that seems to only cause backend webserver-issued redirects to get changed from http to https. It doesn't cause the incoming request to be changed...?
You are correct. The IP address is bogus on the example you have provided. Your redirect service does not require an IP address in order for it to work properly.
The configuration you have posted should accomplish what you are requesting; however, you will need to add a new content rule:
    add ssl-proxy-list ssl-list1
    keepalive type none
    keepalive type none
    add service redir-https
    add service web-service
    add service ssl_module
    advanced-balance ssl    (if you want to maintain stickiness for SIDs)
    application ssl         (reuse of SIDs for HTTPS connections)
The reason for the alternate port content rule (I just chose port 81, but any port can be used) is to allow the decrypted HTTPS connection/traffic to be handed to the webserver for processing. If you do not have the alternate port, your HTTP connection will fall into a redirect loop if you have the proxy-list configuration set up to forward the decrypted traffic back to port 80. This pattern will continue and the browser will never be able to resolve content.
Redirect loop will occur with the following:
    ssl-server 1 cipher all-cipher-suites 80
Content will be displayed correctly as the CSS can forward the decrypted traffic to an alternate port content rule for the webserver to process the connection with the following in the proxy-list:
    ssl-server 1 cipher all-cipher-suites 81
Your alternate port content rule can be used with a form of session persistence as well, i.e. cookie, ARPT cookie, sticky-srcip, etc.
Hope this info clarifies everything!
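Added illustration, not from the original post: a small Python model of the content-rule dispatch described in the answer. It shows why the decrypted HTTPS traffic has to land on an alternate-port content rule (81) rather than back on the port 80 redirect rule; the rule names and ports are assumptions chosen to mirror the example above.

```python
from dataclasses import dataclass, field

@dataclass
class CssModel:
    """Toy model of the CSS front end: port 80 = redirect-only content rule,
    443 = ssl-proxy-list termination, and the decrypted traffic is re-injected
    on ssl_backend_port (what 'ssl-server 1 cipher ... <port>' selects)."""
    ssl_backend_port: int          # 80 reproduces the loop, 81 serves content
    web_rule_port: int = 81        # alternate-port content rule for the webservers
    trace: list = field(default_factory=list)

    def dispatch(self, scheme, port):
        """One hop through the content rules. Returns the next (scheme, port)
        the request is sent to, or None once the webserver serves content."""
        self.trace.append((scheme, port))
        if port == 443 and scheme == "https":
            # ssl-proxy-list decrypts and forwards cleartext to the backend port
            return ("http", self.ssl_backend_port)
        if port == 80:
            # redir-https service: answers with a 302 to https://host/...
            return ("https", 443)
        if port == self.web_rule_port:
            # web-service content rule hands the request to the real servers
            return None
        raise ValueError(f"no content rule for port {port}")

    def request(self, scheme, port, max_hops=10):
        """Follow one client request until content is served or a loop is detected."""
        for _ in range(max_hops):
            nxt = self.dispatch(scheme, port)
            if nxt is None:
                return "content"
            scheme, port = nxt
        return "redirect-loop"   # browser would keep bouncing 80 -> 443 -> 80

if __name__ == "__main__":
    for backend in (80, 81):
        m = CssModel(ssl_backend_port=backend)
        print(f"ssl-server backend port {backend}: {m.request('http', 80)} {m.trace}")
```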