CSM: handling HTTP and HTTPs connections made by a browser to the same application
This post is as much a question as it is an observation.
Typically we have a number of applications that use our CSM for load balancing and SSLM for encryption. In most cases the transition is seamless, in that there isn't much configuration to be done on the CSM apart from the standard things to allow for HTTPs connections. However, every now and then we see the following:
1. A customer has a web based application which has SSL terminated on the server itself
2. Eventually move the application to using the CSM / SSL module with the same DNS name that is used to access the service
3. In this new setup, through testing we see that the browser (using HTTPWatch) performs both HTTP and HTTPS connections (i.e. GETs or POSTs), where previously (when the SSL termination was on the server), all the browser connections were HTTPs.
In these scenarios, I ask the application administrator:
1. Whether there are any absolute links or any such hardcoded links that would cause the browser to perform these HTTP connections
2. Whether URL re-writes can be performed on the server side to ensure that everything that is presented to the client's browser is HTTPs and subsequently all connections made by the browser are HTTPs.
3. Lastly (not preferable at all), is to hard code all links to HTTPs
My question here is, firstly have others noticed this sort of behavior, where you observe the browser performing both HTTP and HTTPs connections to the same web application? The Application administrators almost say the issue is with the CSM, since the web application was working fine when the SSL termination was on the server itself. How best can one explain this sort of behavior? Ultimately my thinking is that it comes down to the way the web application is coded up... however, why would moving the SSL termination point be any different?!
Any information or Cisco documents that explain this would be most appreciated.
Re: CSM: handling HTTP and HTTPs connections made by a browser t
If there are no hrefs in the application that refer to http (hrefs should be relative rather than absolute). Usually what happens is that the server in the flow of things is sending a 301 or 302 redirect with a Location header that tells the client to come in on http. The server usually does this based on whether he is doing ssl or not. When you offload ssl to the sslm and send back to the server cleartext, the server references http in his redirects since he is listening for http.
The solution is to do url rewrite on the sslm to have the sslm intercept the redirect and change http in the location header to https on its way back to the client.
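The redirect rewrite described in the reply above, modelled in Python as an added example that is not part of the original posts and is not SSLM configuration. The hostname `app.example.com`, the function names and the sample response are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a redirect from a backend that now listens in cleartext
# behind the SSL offloader. The hostname is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://app.example.com/login/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def rewrite_location(value, https_hosts, clear_port=80, ssl_port=443):
    """Change http to https in a Location value, only for offloaded hosts."""
    parts = urlsplit(value)
    if parts.scheme.lower() != "http" or parts.hostname is None:
        return value                      # relative link or already https
    if parts.hostname not in https_hosts:
        return value                      # redirect to a site we do not front
    if (parts.port or clear_port) != clear_port:
        return value                      # unexpected port: leave untouched
    netloc = parts.hostname if ssl_port == 443 else f"{parts.hostname}:{ssl_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def rewrite_response_head(raw, https_hosts):
    """Rewrite Location in a 3xx response head; return (new_head, changed)."""
    lines = raw.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return raw, False                 # only redirects carry the problem
    changed = False
    for i, line in enumerate(lines[1:], start=1):
        if line == "":
            break                         # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            new = rewrite_location(value.strip(), https_hosts)
            if new != value.strip():
                lines[i] = f"{name}: {new}"
                changed = True
    return "\r\n".join(lines), changed

if __name__ == "__main__":
    head, changed = rewrite_response_head(SAMPLE_RESPONSE, {"app.example.com"})
    print(changed)
    print(head)
```

Running the same function over response heads captured during testing shows which redirects send the browser back to HTTP, which is the evidence to bring to the application administrator.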