02-04-2007 09:39 AM
Hello, this might probably be a pretty stupid question but I have been following the guidelines in the SSL configuration manual for SSL Termination. The setup is
ASA5520 -> SWITCH -> CSS11501S -> SWITCH -> WEB-SERVER(S)
The web-servers use the redundant-interface of the CSS as their default gateway.
I have installed a test cert from a trusted CA to test SSL termination. When I enter the URL with an https://<etc> I get to it, the web-page pops up and since it's a logon page, I enter my credentials. After it's authenticated, I get logged into my account but I'm reverted back to "http". I mean other than the obvious, for me to go and check the references in the pages that follow, would there by any chance be some config that I need in the CSS that needs to be done to keep me using https after logon or is it all to do with the page references (absolute/relative) in our web-pages?
Thanks in advance
02-05-2007 02:08 AM
Hi
It's all down to page references.
The CSS simply accepts requests on port numbers. 80 - 443 etc.
Hence you need to make sure your login scripts, pages, etc. maintain https port 443 connections once past authentication.
Cheers
Scott
02-05-2007 06:32 AM
The server probably sends a 302 redirect.
The CSS can be configured to intercept this packet and rewrite it to replace the HTTP link with an HTTPS link.
The command you need in the ssl-proxy-list is url-rewrite.
Gilles.
02-05-2007 07:40 AM
Hello, thanks for the responses. I have tested the scenario on a demo system with NO CSS in the picture and needed to make changes in the database and code to allow for it to handle "https" but now it works in demo. So once we make those changes to production, it should work as well I'm assuming. Will get back to this if it doesn't.
But on that url-rewrite comment, at the moment, I'm forcing the http -> https "re-write" on the first page (just so if anyone types in http://
Thanks in advance
02-05-2007 10:59 PM
The url rewrite only works with the server response.
But you can have an HTTP rule on the CSS to capture all http traffic [not https] and send a redirect to the client to an https page.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a0080093ff6.shtml
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_tech_note09186a00801c65b5.shtml
Gilles.
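A model of the rewrite described in the replies above, as an added example that is not part of the original thread and is not CSS code or configuration: it upgrades an absolute `http://` `Location` in a back-end redirect to `https://` only for hosts the terminating device fronts. The function name, host patterns and port parameters are assumptions made for illustration; the sample responses are constructed.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit

REDIRECTS = {301, 302, 303, 307, 308}

def rewrite_location(status, headers, ssl_hosts, clear_port=80, ssl_port=443):
    """Upgrade an http:// Location in a server redirect to https://.

    headers   -- dict of response headers from the back-end web server
    ssl_hosts -- host patterns (hypothetical) that SSL is terminated for
    Returns a new dict; the input is left untouched.
    """
    out = dict(headers)
    loc = next((k for k in out if k.lower() == "location"), None)
    if status not in REDIRECTS or loc is None:
        return out                      # only redirects from the server are touched
    url = urlsplit(out[loc])
    # A relative reference has no scheme: the browser keeps the scheme it
    # already used, so an HTTPS session stays on HTTPS without any rewrite.
    if url.scheme.lower() != "http" or not url.hostname:
        return out
    host = url.hostname.lower()
    if not any(fnmatch(host, p.lower()) for p in ssl_hosts):
        return out                      # redirect to a site this device does not front
    if (url.port or 80) != clear_port:
        return out                      # a clear-text port we were not told to map
    netloc = host if ssl_port == 443 else f"{host}:{ssl_port}"
    out[loc] = urlunsplit(("https", netloc, url.path, url.query, url.fragment))
    return out

if __name__ == "__main__":
    # Constructed post-login responses from a back-end server.
    samples = [
        (302, {"Location": "http://www.example.com/account?id=7"}),   # downgrade
        (302, {"Location": "/account/home"}),                         # relative
        (302, {"Location": "http://login.example.com:80/start"}),     # other fronted host
        (302, {"Location": "http://www.other.test/"}),                # not fronted
    ]
    for status, hdrs in samples:
        fixed = rewrite_location(status, hdrs, ["www.example.com", "*.example.com"])
        print(hdrs["Location"], "->", fixed["Location"])
```

Absolute `http://` links inside page bodies are outside what this models, which is why the page references themselves still have to be fixed on the servers.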
02-13-2007 10:07 AM
Hi Gilles,
Thanks for the response. Sorry, had gotten distracted with a bunch of other things, didn't get a chance to get back to this. Anyway, so, I can generate the 302 response in my web-servers except I need to turn it around to a different domain name. Now assuming I use URL re-write when I see this coming back from the web-server, I can rewrite this to https and send to the client? A few questions about this and the links you sent above with using redirect service.
a) Can I do a redirect to an https address or does it only do http (considering I only saw example configs using www.domain.com/index.html type redirects without specifying the protocol to use)?
b) If not, then I use URL rewrite in conjunction with the 302 from the web-servers. But for my SSL off-load in a pair of CSS using VIP and Virtual Interface redundancy, do I buy 2xSSL Certs for the same domain-name or do I buy ONE (i.e. generate the key-pair/CSR in Master CSS) and import the same rsakey and SSL Cert recd. from CA into both CSSs?
c) Does the CSS handle a wildcard SSL Cert without problems?
Thanks again,
\R