topic Re: Redirecting http to https in Application Networking

Redirecting http to https

michael.e.reid — Fri, 11 Aug 2006 07:38:11 GMT

Hi guys, a customer of mine wants to redirect a URL on port 80 to a different URL on port 443.

He does not want the customer to have to type in a URL, and also wants the new https URL to shown in the browser.

Is this easily achieved on the CSS via the domain/redirect commands. From what I read the CSS will only redirect on receiving an http 302 (page moved) message. Can it redirect even if the server is still up - I know you can very simply do this just by changing the service IP address and port but then the URL does not change in the browser.

cheers,

Mike

Re: Redirecting http to https

Gilles Dufour — Fri, 11 Aug 2006 10:56:33 GMT

Mike,

you are actually mixing 2 features here.

The CSS with the SSL module can parse server response and modify a 302 redirect to an HTTP page into a redirect to an HTTPS page.

In your case, you need to intercept all traffic and create your own redirect.

This is possible as well.

Here is a link to the documentation :

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml#t4

Gilles.

Re: Redirecting http to https

ssrjazz — Thu, 28 Sep 2006 12:55:06 GMT

From the documentation: This example demonstrates a site that is required to operate over HTTPS exclusively. If a user comes into the site using HTTP, the CSS sends the user an HTTP redirect to come back in via HTTPS.

I don't think this guy wants his entire site to run via https... just a partiuclar URL.

I have the same issue. I have 3 domains going through my CSS and I'd like to have one of them auto redirect to https, but leave the other domains alone. Tried to adapt this documentation to it, but it doesn't work.

Re: Redirecting http to https

Gilles Dufour — Thu, 28 Sep 2006 13:15:01 GMT

this is feasible.

All you have to do is split the content rule in as many parts as needed.

For example, if you want www.aaa.com to be encrypted but not the other site, here is what you can do.

content AAA

vip x.x.x.x

proto tcp

port 80

url "//www.aaa.com/*"

add service REDIRECT

active

content ALL

vip x.x.x.x

proto tcp

port 80

url "/*"

add service LOCAL-80-1

add service LOCAL-80-2

...

active

content AAA-HTTPS

vip x.x.x.x

proto tcp

port 443

add service LOCAL-443-1

...

active

So, the first rule says that if traffic matches www.aaa.com it should be sent a rediret message [see previous post for more info on how to do this], for all the other HTTP traffic simply loadbalance and for HTTPS traffic loadbalance to HTTPS servers.

The opposite is not possible.

You can't intercept HTTPS traffic and redirect it to HTTP.

This could be done with an SSL module but then you could not use 1 vip for all, since SSL uses certificate which are linked to domain name.

Gilles.