CSM redirect problem: http to https (http post changed to get)

MARK BAKER
Level 4

I have implemented an SSL module to terminate SSL traffic to our site. We require all http traffic to be redirected by our CSM while maintaining the requested url. This appeared to be working until a problem was found with this configuration.

When an HTTP POST is redirected to HTTPS, it comes back as an HTTP GET. This is causing internal server errors, because it expects a POST.

I have applied a work-around by allowing HTTP POST through without being redirected, but would like to make this work while redirecting all HTTP traffic. Any help would be appreciated.

Thank you,

Mark

7 Replies

Gilles Dufour
Cisco Employee

Mark,

This is the browser that decides to change from POST to GET.

The server or CSM sending a redirect only sends a new URL, not the method to use to go to the site.

This is a normal behavior and there is no way to change it.

You should force your users to switch to HTTPS before they send a POST.

Like they should first GET a page and then they can send a POST.

The GET will be intercepted and redirected to HTTPS.

The POST will be naturally sent via HTTPS as well.

Regards,

Gilles.

Update on this issue.

I have found that the problem is that from the server's perspective, the client is connected via http (since the ssl module decrypts before sending to the real server). The page in question is sent to the client with http functionality. So when I click the submit button on the form it goes out http which is then being redirected and fails. If the information is sensitive this would be a serious issue. Even though the post fails because of the redirect, the information had already traveled across the internet in clear text before being redirected.

What needs to happen is for the server to send all links and page functionality (when the submit button is pushed on a form) as https. I'm working with the web admins to figure out how to do this, but would appreciate any input from other web admins.

Thanks,

Mark

Would inserting SSL session information into the http header to the back-end server allow the server to recognize the connection as https and send all embedded urls as https and not http without making any changes to the web pages?

Hi Mark,

from my point of view the following things can be done:

1) rewrite the url at ssl-module. Unfortunately this only works for redirects (see http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_bulletin09186a008020b38e.html)

2) rewrite the webpage to use HTTPS when pressing the button. This should be quite easy as only the source of the page needs to be changed a bit.

3) use local hrefs like href="buttons/button1.gif" instead of href="http://server1/buttons/button1.gif"

Kind Regards,

Joerg
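
A way to find the pages that need the change from points 2 and 3, as an added example that is not part of the original posts: the parser below flags absolute `http://` URLs in a page, and marks a form that POSTs to one as the case where data leaves the browser in cleartext. The sample page is constructed; `server1` and the image path come from the post, the `/login` paths are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute holding a URL the browser will fetch or submit to.
URL_ATTRS = {"form": "action", "a": "href", "img": "src",
             "script": "src", "link": "href", "iframe": "src"}


class CleartextUrlAudit(HTMLParser):
    """Collect absolute http:// URLs that bypass the HTTPS front end."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, risk)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        url = (values.get(attr) or "").strip()
        if urlsplit(url).scheme.lower() != "http":
            return  # relative URLs inherit the page's scheme; https:// is fine
        risk = "reference"
        if tag == "form":
            # A POST body is sent in cleartext before any redirect can happen.
            method = (values.get("method") or "get").lower()
            risk = "cleartext-post" if method == "post" else "cleartext-get"
        self.findings.append((self.getpos()[0], tag, url, risk))


def audit(html_text):
    parser = CleartextUrlAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample page (host and image path from the post, forms assumed).
SAMPLE_PAGE = """<html><body>
<form method="post" action="http://server1/login"><input name="pw"></form>
<form method="post" action="/login"><input name="pw"></form>
<a href="buttons/button1.gif">relative</a>
<img src="http://server1/buttons/button1.gif">
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, risk in audit(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {url} [{risk}]")
```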

Thanks for the reply.

The below is from Cisco's SSL documentation:

In a typical SSL offloading environment, an SSL offloader terminates secure client HTTP (HTTPS) connections, decrypts the SSL traffic into cleartext, and forwards the cleartext to a Web server through an HTTP connection. The HTTPS connections become non-secure HTTP connections at the backend server. The backend server does not know that the client connection came in as a secure connection.

Here are a few reasons to configure HTTP header insertion:

• HTTP header insertion allows the SSL module to embed information into an HTTP header during a client connection. When the backend server recognizes this header, the server returns all the URLs as HTTPS.

This is exactly what I need to happen. The question I have pertains to the "When the backend server recognizes this header, the server returns all the URLs as HTTPS" portion of this information.

How does the server do this? How does the server recognize this header? Once recognized, how does it know to send HTTPS URLs?

I know how to insert http headers on the SSL module, but I have yet to find how the server can recognize and act on the inserted http header information.

I would think this would be common in SSL offload configurations and would think there would be more information on the internet about it.

Please help,

Mark

The only server I know that can recognise the header is Exchange from Microsoft.

It is able to detect the 'frontend-https:' or something similar.

Otherwise, if using cgi/perl/php... you can easily get the header and modify on the fly the info you send back to the client.

In your case, with a

, the only solution is to use relative links and not absolute links.

This is always what is recommended.

Regards,

Gilles.
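
What reading the inserted header in application code can look like, as an added example that is not from the original posts or from Cisco: a small Python WSGI application builds its form action with `https` only when the request arrives from the SSL offloader and carries the header. The header name (`X-Forwarded-Proto`), the offloader address and the host name are assumptions; use whatever the SSL module is configured to insert.

```python
from html import escape
from wsgiref.util import setup_testing_defaults

# Assumptions for this sketch: the SSL module's backend-facing address, the
# header it inserts (X-Forwarded-Proto, seen by WSGI as HTTP_X_FORWARDED_PROTO)
# and the site's public host name. Substitute the values configured on site.
TRUSTED_OFFLOADERS = {"10.0.0.5"}
OFFLOAD_HEADER = "HTTP_X_FORWARDED_PROTO"
PUBLIC_HOST = "www.example.com"


def client_scheme(environ):
    """Scheme the client used on the far side of the SSL offloader."""
    # Honour the header only when the TCP peer is the offloader; any other
    # client could send the same header over plain HTTP.
    if environ.get("REMOTE_ADDR") in TRUSTED_OFFLOADERS:
        if environ.get(OFFLOAD_HEADER, "").strip().lower() == "https":
            return "https"
    return environ.get("wsgi.url_scheme", "http")


def absolute_url(environ, path):
    # Fixed host name rather than the client-supplied Host header.
    return f"{client_scheme(environ)}://{PUBLIC_HOST}{path}"


def app(environ, start_response):
    action = escape(absolute_url(environ, "/login"), quote=True)
    body = (f'<form method="post" action="{action}">'
            '<input type="password" name="pw"></form>').encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def render(remote_addr, headers):
    """Run app() once against a constructed request and return the HTML."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    environ.update(headers)
    return b"".join(app(environ, lambda status, response_headers: None)).decode()


if __name__ == "__main__":
    print(render("10.0.0.5", {OFFLOAD_HEADER: "https"}))     # via the offloader
    print(render("203.0.113.9", {OFFLOAD_HEADER: "https"}))  # header ignored
```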

Gilles,

I did see the Exchange solution. Why this isn't supported by IIS is odd to me. It would make the SSL implementation much easier.

Strict use of relative links shouldn't be required. The situation that the SSL documentation is clearly talking about in the below excerpt is absolute links on the web server.

From Cisco SSL Documentation:

Here are a few reasons to configure HTTP header insertion:

• HTTP header insertion allows the SSL module to embed information into an HTTP header during a client connection. When the backend server recognizes this header, the server returns all the URLs as HTTPS.

If anyone knows what Cisco is referring to in the above paragraph and how this can be set up on the web server, please let me know. The paragraph makes it sound like this is commonly/easily done. If it is, it is uncommonly difficult to find any information about it.

The link to the full document is:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00801f33c4.html#wp1241063

Thank you,

Mark
