CSM: handling HTTP and HTTPs connections made by a browser to the same application

Unanswered Question
Sep 21st, 2010

Hi Guys,

This post is as much a question as it is an observation.

Typically we have a number of applications that use our CSM for load balancing and SSLM for encryption.  In most cases the transition is seamless, in that there isn't much configuration to be done on the CSM apart from the standard things to allow for HTTPs connections.  However, every now and then we see the following:

1. A customer has a web based application which has SSL terminated on the server itself

2. Eventually move the application to using the CSM / SSL module with the same DNS name that is used to access the service

3. In this new setup, through testing we see that the browser (using HTTPWatch) performs both HTTP and HTTPS connections (i.e. GETs or POSTs), where previously (when the SSL termination was on the server) all the browser connections were HTTPs.

In these scenarios, I ask the application administrator:

1. Whether there are any absolute links or any such hardcoded links that would cause the browser to perform these HTTP connections

2. Whether URL re-writes can be performed on the server side to ensure that everything that is presented to the client's browser is HTTPs and subsequently all connections made by the browser are HTTPs.

3. Lastly (not preferable at all), is to hard code all links to HTTPs

My question here is, firstly, have others noticed this sort of behavior, where you observe the browser performing both HTTP and HTTPs connections to the same web application?  The application administrators almost say the issue is with the CSM, since the web application was working fine when the SSL termination was on the server itself.  How best can one explain this sort of behavior?  Ultimately my thinking is that it comes down to the way the web application is coded up.....however, why would moving the SSL termination point be any different?!

Any information or Cisco documents that explain this would be most appreciated.

thanks

Sheldon

litrenta Wed, 09/22/2010 - 05:39

If there are no hrefs in the application that refer to http (hrefs should be relative rather than absolute), usually what happens is that the server in the flow of things is sending a 301 or 302 redirect with a Location header that tells the client to come in on http. The server usually does this based on whether he is doing SSL or not. When you offload SSL to the SSLM and send back to the server cleartext, the server references http in his redirects since he is listening for http.

The solution is to do url rewrite on the sslm to have the sslm intercept the redirect and change http in the location header to https on its way back to the client.

see:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ssl/3.1/configuration/guide/advanced.html#wp1247049

for config details to do url rewrite
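The Location rewrite described in the reply above, sketched in Python as an added example (not part of the original thread and not Cisco's implementation). The hostname `app.example.com`, the port values, the function names and the sample headers are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: headers a cleartext backend might return behind an SSL offloader.
SAMPLE_HEADERS = [
    ("Server", "backend"),
    ("Location", "http://app.example.com/login?next=%2Fhome"),
    ("Content-Length", "0"),
]

def _to_https(url, host, clear_port, ssl_port):
    """Rewrite one absolute http:// URL for `host`; return anything else untouched."""
    parts = urlsplit(url)
    # Relative redirects (no scheme) already follow the client's scheme; skip them.
    if parts.scheme.lower() != "http":
        return url
    # Only rewrite the offloaded service, never redirects to third-party hosts.
    if (parts.hostname or "").lower() != host.lower():
        return url
    # Only rewrite the cleartext port that maps to the SSL listener.
    if (parts.port or 80) != clear_port:
        return url
    netloc = parts.hostname if ssl_port == 443 else f"{parts.hostname}:{ssl_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def rewrite_location(status, headers, host, clear_port=80, ssl_port=443):
    """Return a copy of `headers` with a downgrading Location rewritten to https.

    `headers` is a list of (name, value) tuples from the backend response.
    Non-redirect responses are passed through unchanged.
    """
    if status not in REDIRECT_CODES:
        return list(headers)
    out = []
    for name, value in headers:
        if name.lower() == "location":
            value = _to_https(value, host, clear_port, ssl_port)
        out.append((name, value))
    return out

def is_downgrade(status, headers, host, clear_port=80):
    """True if the response would send the client back to cleartext HTTP."""
    return rewrite_location(status, headers, host, clear_port) != list(headers)

if __name__ == "__main__":
    print(dict(rewrite_location(302, SAMPLE_HEADERS, "app.example.com"))["Location"])
```

`is_downgrade` can be run over responses exported from a capture tool to confirm that the stray HTTP requests originate from backend redirects rather than from the load balancer.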
