Visitor
fhs2007
Posts: 7
Registered: ‎06-23-2008
0

HTTP -> HTTPS Redirector Problem

i do have a cluster running at port 443. additionally, i have set up a redirector on the same ip address on port 80. the goal is that all users are redirected to the cluster listening on port 443 (HTTPS).

this is the configuration:

Listen: IP : 80
Protocol: HTTPS
Host: vhost : 443
Url Method: request

everything works fine when requesting pages; it redirects as wanted. But there is a problem when users request a directory (with a valid index file) and do NOT put the last "/" in the url, e.g.: http://webserver/impressum .

then the redirector forwards traffic to: http://webserver:443/impressum

when i request: http://webserver/impressum/ then the redirector forwards traffic to https://webserver/impressum

any ideas? maybe i did something wrong or it's a bug in the software?

 

thanks for any help

 

-andy

Recognized Expert
MattS
Posts: 205
Registered: ‎11-06-2007
0

Re: HTTP -> HTTPS Redirector Problem

 

A redirector takes the path of request as presented by the client and appends it to the redirect host to make the redirect URL, so if the client omits the trailing slash the redirect URL will also have no trailing slash.  

 

The behaviour when a client sends a request with a trailing slash depends on the webserver configuration - for example with Apache you can specify the default index page name to use or allow/disallow directory browsing (http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html).  Without a trailing slash the webserver will be looking for a file, which in your example is 'impressum'.   If the client neglects the trailing slash and goes direct to https://webserver/impressum do they also experience the problem?

 

If you have the HTTP-ADVANCED license feature, which adds apprules and caching, you could use an apprule to re-write the request on the cluster e.g.

 

RTH: url ends_with "/impressum" then append url "/"

 

Without apprules, the webserver might have re-write abilities to manipulate the URL as required, for example Apache has mod_rewrite (http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html).

 

 

Visitor
fhs2007
Posts: 7
Registered: ‎06-23-2008
0

Re: HTTP -> HTTPS Redirector Problem

/impressum is a directory. on port 80 there is a redirector running and this redirector redirects all clients to https://.

this works perfectly, but it doesn't redirect to https when users browse to a directory (like impressum) and do not add a trailing slash.

you can test it yourself: try http://fhsys.fh-salzburg.ac.at/impressum and http://fhsys.fh-salzburg.ac.at/impressum/

both urls connect to the redirector on port 80. the url with the trailing slash is getting redirected perfectly, the other one is not.

i terminate ssl connections on the dx3200 and the apache webservers behind the dx3200 are configured without https. plain http.

so the issue should not be the apache webservers. when connecting directly to the nodes, everything is fine.

 

thanks for any response.

 

-andy

Recognized Expert
MattS
Posts: 205
Registered: ‎11-06-2007
0

Re: HTTP -> HTTPS Redirector Problem

 

If I go to URL http://fhsys.fh-salzburg.ac.at/impressum and use HTTPWatch I see:

Request                                      Response
--------                                     --------
http://fhsys.fh-salzburg.ac.at/impressum     302 redirect - Location https://fhsys.fh-salzburg.ac.at:443/impressum
https://fhsys.fh-salzburg.ac.at/impressum    301 redirect - Location http://fhsys.fh-salzburg.ac.at/impressum/
http://fhsys.fh-salzburg.ac.at/impressum/    302 redirect - Location https://fhsys.fh-salzburg.ac.at:443/impressum/
https://fhsys.fh-salzburg.ac.at/impressum/   200 OK       - content delivered

 

The problem is that the client is sent to https://fhsys.fh-salzburg.ac.at/impressum but the webserver is receiving it as plain HTTP on port 80, so without the trailing slash it sends a 301 redirect but to http:// as it is not aware of the DX proxying with https://

We can tell the 301 came from the webserver as there is a 'Server Apache/2.2.3 (Red Hat)' line in the 301 response.

 

Possibilities are:

  use apprules to catch and re-write the 301 response so the location is https:// rather than http://

  have the webserver send the location as https://

  have the webserver interpret /impressum as /impressum/

  set the webserver to return 302 response code and enable convert302protocol on the HTTPS cluster

 

'Enable the convert302 protocol option.

With the convert302 protocol option enabled, the DX converts the HTTP 302 responses from the target server from HTTP to HTTPS for the client.

dx% set cluster <name> convert302protocol enabled'
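
Added example (not part of the original thread and not Juniper's code): a Python sketch that replays the HTTPWatch trace above, flags the hop where an HTTPS request is answered with a redirect to plain HTTP, and models the first possibility listed (rewriting the backend's Location header to https://). The function names and the `PUBLIC_HOST` constant are hypothetical; this is not DX apprule syntax.

```python
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "fhsys.fh-salzburg.ac.at"  # hostname clients use (taken from the thread)

# Constructed from the HTTPWatch trace in the post: (request URL, status, Location)
TRACE = [
    ("http://fhsys.fh-salzburg.ac.at/impressum", 302,
     "https://fhsys.fh-salzburg.ac.at:443/impressum"),
    ("https://fhsys.fh-salzburg.ac.at/impressum", 301,
     "http://fhsys.fh-salzburg.ac.at/impressum/"),
    ("http://fhsys.fh-salzburg.ac.at/impressum/", 302,
     "https://fhsys.fh-salzburg.ac.at:443/impressum/"),
    ("https://fhsys.fh-salzburg.ac.at/impressum/", 200, None),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def find_downgrades(trace):
    """Return hops where an HTTPS request was redirected to a plain-HTTP URL."""
    hits = []
    for url, status, location in trace:
        if status in REDIRECT_CODES and location:
            if urlsplit(url).scheme == "https" and urlsplit(location).scheme == "http":
                hits.append((url, status, location))
    return hits


def rewrite_location(location, public_host=PUBLIC_HOST):
    """Upgrade a backend-generated redirect to https when it targets our own host.

    Relative locations and redirects to other hosts pass through unchanged, so
    the proxy never changes the scheme of a redirect to a third-party site.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or (parts.hostname or "").lower() != public_host.lower():
        return location
    # Drop any backend port (e.g. :80); the public HTTPS listener is on 443.
    return urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))


def apply_rewrite(trace, public_host=PUBLIC_HOST):
    """Replay the trace with the Location rewrite applied to every response."""
    return [(u, s, rewrite_location(loc, public_host) if loc else None)
            for u, s, loc in trace]
```

`find_downgrades(TRACE)` returns only the 301 hop; after `apply_rewrite` the same check returns an empty list.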

Visitor
fhs2007
Posts: 7
Registered: ‎06-23-2008
0

Re: HTTP -> HTTPS Redirector Problem

i understand what's going on, that is not the problem. the appliance has the feature to have ssl on the listen side and forwards the traffic to the webservers using http. getting a 301 when requesting a directory without trailing slash is standard.

i expected that such a hardware with cluster license has the feature to rewrite something like that (without apprules).

thanks for your effort matts, but maybe it can be possible to fix / implement this in a next release.

 

-andy

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.