Application Delivery (ADX)

How to redirect incoming HTTP traffic to SSL (HTTPS)

Posted on 06-02-2009 09:49 AM

Summary

We want to force all users to use SSL instead of http, and redirect any incoming HTTP traffic to HTTPS (from port 80 to port 443).

Specifics

We will use the REDIRECT rule. The syntax of the redirect rule requires that the "domain-name", the "URL" and the port are specified. Optionally, you can use '*' to mean "the same value as in the request". We use * for both domain-name and URL, and 443 for the port.

We use a default rule in a csw-policy and apply it on port http. This ensures that all incoming HTTP traffic hits the default policy and that the redirect message is sent to the browser. The browser then sends its traffic via HTTPS on port 443.

In this example, we have a VIP listening on SSL running in SSL terminate or SSL proxy mode.

Request:

          GET /dummypage.html HTTP/1.1\r\n
          Host: 10.1.1.100\r\n
          \r\n

Response:

          HTTP/1.1 302 Moved Temporarily\r\n
          Server: SeverIron/9.1\r\n
          Connection: close\r\n
          Content-Length: 0\r\n
          Location: https://10.1.1.100/dummypage.html\r\n
          \r\n
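
The check below is an added example, not part of the original article or the vendor's code: it rebuilds the Location value that "default redirect * * 443" implies for a request and compares it with the response shown above. The function names are hypothetical, BAD_RESPONSE is constructed, and writing non-443 ports into the URL is an assumption.

```python
from urllib.parse import urlsplit

# Request and response copied from the page; BAD_RESPONSE is constructed.
REQUEST = b"GET /dummypage.html HTTP/1.1\r\nHost: 10.1.1.100\r\n\r\n"
RESPONSE = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: SeverIron/9.1\r\n"
            b"Connection: close\r\nContent-Length: 0\r\n"
            b"Location: https://10.1.1.100/dummypage.html\r\n\r\n")
BAD_RESPONSE = RESPONSE.replace(b"https://", b"http://")

def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def expected_location(request, domain="*", url="*", port=443):
    """Location implied by 'redirect <domain> <url> <port>'; '*' keeps the request's value."""
    start, headers = parse_message(request)
    _method, target, _version = start.split(" ", 2)
    host = urlsplit("//" + headers["host"]).hostname if domain == "*" else domain
    path = target if url == "*" else url
    # Assumption: 443 is omitted from the URL (as in the page's response); other ports are written out.
    netloc = host if port == 443 else f"{host}:{port}"
    return f"https://{netloc}{path}"

def check_redirect(request, response, port=443):
    """Return a list of problems; an empty list means the redirect matches the rule."""
    problems = []
    status, headers = parse_message(response)
    if status.split(" ")[1] != "302":
        problems.append(f"unexpected status line: {status}")
    location = headers.get("location", "")
    want = expected_location(request, port=port)
    if urlsplit(location).scheme != "https":
        problems.append(f"Location is not https: {location!r}")
    elif location != want:
        problems.append(f"Location {location!r} differs from expected {want!r}")
    return problems

if __name__ == "__main__":
    print(check_redirect(REQUEST, RESPONSE))
    print(check_redirect(REQUEST, BAD_RESPONSE))
```

Because '*' copies the request's Host value into Location, the check compares host and path as well as the scheme.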

Topology Diagram

none

Sample Code/Configuration

ssl profile sslprofile
keypair-file verisign128key
certificate-file verisign128cert
cipher-suite all-cipher-suites
session-cache off
!
csw-policy p1
default redirect * * 443
!
server real RS1 10.1.1.100
port http
port 180
port 180 no-health-check
!
server virtual vip1 10.1.1.100
port http
port http csw-policy p1
port http csw
bind http RS1 180
port ssl ssl-terminate sslprofile
bind ssl RS1 http

Tips / Caveats

Note: The example above creates a dummy port (180) on one of the real servers with no-health-check. The SSL port under the virtual server is bound to the http port on the real server. To assign a CSW policy to a VIP port, that port must be bound to a real server port. Because the VIP SSL port is already bound to the real server's http port, we bind the VIP http port to the dummy port 180 on the real server, which allows us to assign the redirect policy. This does not require any configuration changes on the actual real server.

ServerIron# show server bind vip1
   Bind info
    Virtual server: vip1                     Status: enabled  IP: 10.1.1.10
        SSL  -------> RS1: 10.1.1.20,  http (Active)
        http -------> RS1: 10.1.1.20,  180 (Active)   <--(DUMMY PORT)

If doing SSL termination/SSL offload on ServerIron ADX, ensure you are running ADX OS 12.1 or later.
