How to rewrite the body of an HTTP response

Posted on 06-09-2009 05:58 AM

Summary


We want to rewrite the body of HTTP responses.

Specifics

There are multiple reasons to rewrite the body of an HTTP response. The most common reason is SSL offload or hiding local internal machine names/ports that are hardcoded in applications. In the SSL scenario, many pages in a response include links starting with http://, and the web servers do not change embedded links from "http://" to "https://" when SSL offload is in use. The ServerIron can make this change using HTTP response rewrite. This makes the upgrade from HTTP-only load balancing to HTTP/HTTPS load balancing easier, and the only configuration changes required are on the ServerIron.

The example below uses the FQDN www.prodapp.com. This is the FQDN used to reach the application. All http links pointing to

http://www.prodapp.com/

need to be replaced with https links to

https://www.prodapp.com/

This ensures the client receives https links only, so it cannot leave the encrypted area (HTTPS) by accident by following an HTTP link.

You can also use response rewrite rules to change the URL when hiding a local internal server, e.g. http://www.localapp2.com:1654/ to http://www.prodapp.com

Topology Diagram

none

Sample Code/Configuration


ssl profile sslp
 keypair-file key
 certificate-file cert
 cipher-suite all-cipher-suites
 session-cache off
!
csw-rule "r1" url exists
csw-rule "r12" response-body pattern "http://www.prodapp.com/"
!
csw-policy "p1" type response-rewrite
 match "r1" response-body-rewrite
 match "r12" rewrite response-body-replace "https://www.prodapp.com/" offset 0 length 23
!
server real rs101 192.168.9.101
 port http
 port http url "HEAD /"
!
!
server virtual vs222 192.168.8.222
 port ssl ssl-terminate sslp
 port ssl response-rewrite-policy "p1"
 port ssl keep-alive
 bind ssl rs101 http

ATTENTION: This requires SSL offload. Ensure you are running ADX OS 12.1 or later.

It is possible to do this for plain-text HTTP traffic as well. The virtual server configuration would look slightly different in this case:

server virtual vs222 192.168.8.222
 port http
 port http response-rewrite-policy "p1"
 port http keep-alive
 bind http rs101 http
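
To check from the client side that the rewrite leaves no plain-HTTP or internal-host links in a page, the following Python script (an added example, not part of the original article or the vendor's documentation) scans a response body for them. It also reports upper-case and JSON-escaped forms, which differ from the literal pattern string in rule "r12". The function name and the sample body are constructed for illustration; the host names are the ones used above.

```python
import re

PUBLIC_HOST = "www.prodapp.com"         # public FQDN used in the article
INTERNAL_HOSTS = {"www.localapp2.com"}  # internal name from the article's second use case

# scheme, then "//" in plain or JSON-escaped form ("\/\/"), then host and optional port
_URL = re.compile(r"(https?):(?:\\?/){2}([a-z0-9.-]+)(:\d+)?", re.IGNORECASE)


def residual_references(body):
    """Return (line_no, kind, matched_text) for each link the rewrite policy should have replaced."""
    findings = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for m in _URL.finditer(line):
            scheme = m.group(1).lower()
            host = m.group(2).lower().rstrip(".")
            if host in INTERNAL_HOSTS:
                kind = "internal-host"      # internal name leaked, whatever the scheme
            elif host == PUBLIC_HOST and scheme == "http":
                kind = "plain-http-link"    # link that leaves the HTTPS area
            else:
                continue                    # https link to the public name, or third-party URL
            findings.append((line_no, kind, m.group(0)))
    return findings


# Constructed sample body, as it might be fetched through the SSL virtual server.
SAMPLE_BODY = r"""<a href="https://www.prodapp.com/login">Login</a>
<img src="HTTP://www.prodapp.com/logo.png">
<script>var api = "http:\/\/www.prodapp.com\/api";</script>
<form action="http://www.localapp2.com:1654/submit">
<a href="http://www.example.org/">external</a>"""

if __name__ == "__main__":
    for line_no, kind, text in residual_references(SAMPLE_BODY):
        print(f"line {line_no}: {kind}: {text}")
```

An empty result for the pages of the application means every link to the public FQDN is https and no internal name is exposed in the body.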