SSL Issue - Urgent

"smith" wrote:

We have an f5 ssl offloader that is used in front of IIS 6.0. An https request comes to the SSL offloader and is forwarded over http to a webserver with the JRun plugin. The problem occurs if the original request is redirected by an IIS/JRun application. The redirected request becomes an http request because IIS/JRun is not aware that the original https request was intercepted by an SSL offloader and forwarded to IIS over http.

We don't want to install certificates on IIS. Is there a way that WebEngine can check whether ssl is required so that when it is ssl over http, https scheme will be chosen?

Thanks in advance.

"David Wang [Msft]" wrote:

The device which translates HTTPS->HTTP should also translate responses from HTTP->HTTPS, including URLs. It is the only thing that knows the translation happened for a given request, therefore it is responsible for transmitting this information downstream.

As you've stated, there is no way that IIS/JRun knows that the original request is HTTPS at all -- the device that translates HTTPS->HTTP needs to give a hint -- perhaps add an extra HTTP request header that client applications can use to detect this.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"smith" wrote:

I did see something similar here:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PQ86347

That is what led me to believe there might be a solution, and I wanted to know if it could be done on the IIS level?

"David Wang [Msft]" wrote:

I cannot view that URL - needs access code.

Yes, we are talking about software and there's usually always a solution.

There are two general classes of solution for this problem:

1. Generically extensible -- the translation device gives some hint of the translation so that downstream interpreters can take action.
2. Hack -- the downstream interpreters just guess

For generic solutions -- with devices like F5 that offload HTTP/HTTPS traffic, you tend to have the following sort of loss:

1. Client IP - to the web server, the F5 device looks like the client -- some devices will set a proprietary HTTP Request header indicating "original" client IP, and custom software can read and change the web server's log accordingly. Custom software exists to do this for both Apache and IIS
2. Port - to the web server, all requests look like they come for port 80 -- so the device would need to set a proprietary HTTP Request header indicating "original" port, and custom software can behave accordingly

These generic solutions require the device doing the translation to do the right thing because the downstream interpreters like IIS/Apache web servers cannot tell.

Hacks include:

- If this happens for an entire URL namespace, just configure 302 redirection code to always specify an arbitrary port like "443". Of course, this is a hack, so if you only do this for a part of the URL namespace, it won't work. This has been done on Apache and IIS as well.

Bottom line: Yes, solutions can be written and IIS can support these approaches. But, whether the code actually exists for you to acquire... that's really an issue of availability and not whether IIS can do it or not.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
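Added example, not part of the thread and not code from any poster or vendor: a sketch of the "generically extensible" approach described above, where the application builds its 302 Location from a hint header set by the offloader. The header names (`X-Forwarded-Proto`, `X-Forwarded-Port`), the offloader subnet and the host name are assumptions; the hint is honoured only when the connection comes from the offloader, since any other client could send the same header.

```python
from ipaddress import ip_address, ip_network

# Assumptions, not from the thread: the subnet the offloader connects from
# (constructed sample value) and the header names it is configured to set.
TRUSTED_OFFLOADERS = [ip_network("10.0.0.0/28")]
PROTO_HEADER = "x-forwarded-proto"
PORT_HEADER = "x-forwarded-port"


def from_offloader(peer_ip):
    """True only when the TCP peer is one of the known offload devices."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_OFFLOADERS)


def original_scheme_port(peer_ip, headers):
    """Recover the client-facing scheme and port for one request.

    The hint is honoured only on connections from the offloader; any other
    peer could set the same headers itself, so it gets what the web server
    actually saw: plain http on port 80.
    """
    if not from_offloader(peer_ip):
        return "http", 80
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    scheme = hdrs.get(PROTO_HEADER, "http").lower()
    if scheme not in ("http", "https"):
        scheme = "http"  # unknown value: fall back to what the server saw
    default = 443 if scheme == "https" else 80
    raw = hdrs.get(PORT_HEADER, "")
    if raw.isascii() and raw.isdigit() and 0 < int(raw) < 65536:
        return scheme, int(raw)
    return scheme, default


def redirect_location(peer_ip, headers, host, path):
    """Build the absolute Location value for a 302 issued by the application."""
    scheme, port = original_scheme_port(peer_ip, headers)
    default = 443 if scheme == "https" else 80
    netloc = host if port == default else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"
```

For this to hold, the offloader must overwrite any copy of these headers that arrives from the client, and the web server should accept port 80 traffic only from the offloader.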