06-30-2008 12:11 AM
I have a cluster running on port 443. Additionally, I have set up a redirector on the same IP address on port 80. The goal is that all users are redirected to the cluster listening on port 443 (HTTPS).
This is the configuration:
Listen: IP : 80
Host: vhost : 443
Url Method: request
Everything works fine when requesting pages; it redirects as wanted. But there is a problem when users request a directory (with a valid index file) and do NOT put the last "/" in the URL, e.g. http://webserver/impressum.
Then the redirector forwards traffic to: http://webserver:443/impressum
When I request http://webserver/impressum/ the redirector forwards traffic to https://webserver/impressum
Any ideas? Maybe I did something wrong, or it's a bug in the software?
Thanks for any help.
06-30-2008 05:01 AM
A redirector takes the path of request as presented by the client and appends it to the redirect host to make the redirect URL, so if the client omits the trailing slash the redirect URL will also have no trailing slash.
The behaviour when a client sends a request with a trailing slash depends on the webserver configuration - for example with Apache you can specify the default index page name to use or allow/disallow directory browsing (http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html). Without a trailing slash the webserver will be looking for a file, which in your example is 'impressum'. If the client neglects the trailing slash and goes direct to https://webserver/impressum do they also experience the problem?
If you have the HTTP-ADVANCED license feature, which adds apprules and caching, you could use an apprule to re-write the request on the cluster e.g.
RTH: url ends_with "/impressum" then append url "/"
Without apprules, the webserver might have re-write abilities to manipulate the URL as required, for example Apache has mod_rewrite (http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html).
06-30-2008 06:41 AM
/impressum is a directory. On port 80 there is a redirector running, and this redirector redirects all clients to https://.
This works perfectly, but it doesn't redirect to https when users browse to a directory (like impressum) and do not add a trailing slash.
You can test it yourself: try http://fhsys.fh-salzburg.ac.at/impressum and http://fhsys.fh-salzburg.ac.at/impressum/
Both URLs connect to the redirector on port 80. The URL with the trailing slash is redirected perfectly, the other one is not.
I terminate SSL connections on the dx3200, and the Apache webservers behind the dx3200 are configured without https, plain http.
So the issue should not be the Apache webservers. When connecting directly to the nodes, everything is fine.
Thanks for any response.
07-02-2008 07:31 AM
If I go to URL http://fhsys.fh-salzburg.ac.at/impressum and use HTTPWatch I see:
https://fhsys.fh-salzburg.ac.at/impressum/ 200 OK - content delivered
The problem is that the client is sent to https://fhsys.fh-salzburg.ac.at/impressum but the webserver is receiving it as plain HTTP on port 80, so without the trailing slash it sends a 301 redirect but to http:// as it is not aware of the DX proxying with https://
We can tell the 301 came from the webserver as there is a 'Server Apache/2.2.3 (Red Hat)' line in the 301 response.
use apprules to catch and re-write the 301 response so the location is https:// rather than http://
have the webserver send the location as https://
have the webserver interpret /impressum as /impressum/
set the webserver to return 302 response code and enable convert302protocol on the HTTPS cluster
'Enable the convert302 protocol option.
With the convert302 protocol option enabled, the DX converts the HTTP 302
responses from the target server from HTTP to HTTPS for the client.
dx% set cluster <name> convert302protocol enabled'
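The first option in the reply above (rewrite the backend's redirect so its Location is https://), sketched in Python as an added example. It is not DX apprule syntax or code from this thread; the function name `fix_backend_redirect` and the sample responses are constructed for illustration, and it assumes the proxy knows the public host name it serves.

```python
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def fix_backend_redirect(status, location, public_host):
    """Return the Location a TLS-terminating proxy should hand to the client.

    Only absolute http:// redirects that point back at the proxied site are
    upgraded. Relative URLs, https URLs and redirects to other hosts pass
    through unchanged, so the proxy never rewrites links it does not own.
    """
    if status not in REDIRECT_CODES or not location:
        return location
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location                      # relative, or already https
    if (parts.hostname or "").lower() != public_host.lower():
        return location                      # some other site
    try:
        port = parts.port
    except ValueError:
        return location                      # malformed port: leave untouched
    if port not in (None, 80):
        return location                      # non-default port: mapping unknown
    # Rebuild with https and no explicit port (drops ":80" if the backend sent it).
    return urlunsplit(("https", parts.hostname, parts.path,
                       parts.query, parts.fragment))

if __name__ == "__main__":
    # Constructed backend responses: (status, Location header)
    samples = [
        (301, "http://webserver/impressum/"),     # Apache's trailing-slash redirect
        (301, "http://webserver:80/impressum/"),
        (302, "/impressum/"),                     # relative: browser keeps https
        (301, "http://other.example/page"),       # foreign host: untouched
    ]
    for status, loc in samples:
        print(status, loc, "->", fix_backend_redirect(status, loc, "webserver"))
```

Without such a rewrite, the client that arrived over https:// is sent back through plain http:// for one hop before the port 80 redirector returns it to HTTPS.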
07-02-2008 09:00 AM
I understand what's going on, that is not the problem. The appliance has the feature to have SSL on the listen side and forward the traffic to the webservers using http. Getting a 301 when requesting a directory without a trailing slash is standard.
I expected that such hardware with a cluster license has the feature to rewrite something like that (without apprules).
Thanks for your effort matts, but maybe it can be possible to fix / implement this in a next release.