5878 - Traffic Manager agreeing with back-end when both http and https are in use

Last Modified Date: 10/23/2018 4:32 PM
Synopsis
Traffic Manager agreeing with back-end when both http and https are in use
Solution
There are 3 basic ways for Traffic Manager (STM) to agree with the back-end when both HTTP and HTTPS are in use:

1) No decryption:
- The HTTP virtual server on STM passes everything to the HTTP back-end;
- The HTTPS virtual server on STM passes everything to the HTTPS back-end;
- The back-end naturally knows the type of traffic, since it receives unencrypted HTTP on port 80 and encrypted HTTPS on port 443. No special configuration is required on the back-end.

2) Decryption, HTTPS-only:
- The HTTP virtual server on STM is answered by STM itself with a forced redirect to HTTPS. This traffic does not reach the back-end. The following rule should be configured for the HTTP virtual server on STM:
Conditions > (no conditions)
Actions > Requests and Responses > HTTP only > HTTP Redirect > https://mysite.example.com/

- The HTTPS virtual server on STM decrypts traffic and sends decrypted HTTP to the back-end;
- The back-end knows nothing about encryption and receives only decrypted HTTPS;
- Since the back-end does not know about HTTPS, Traffic Manager needs to rewrite redirects: Virtual Servers > Connection Management > Location Header Settings > location!rewrite > Do not rewrite the hostname. Rewrite the protocol and port. This is the default.

3) Decryption + HTTP pass-through:
- The HTTP virtual server on STM passes everything to the HTTP back-end;
- The HTTPS virtual server on STM decrypts traffic and sends decrypted requests to the back-end;
- The back-end receives both HTTP and decrypted HTTPS on the same port, which makes it hard for the back-end to tell them apart. To help the back-end distinguish them, a TrafficScript rule should insert the "X-Forwarded-Proto" header (see below).
- It is the back-end's task to distinguish between HTTP and decrypted HTTPS based on the "X-Forwarded-Proto" request header. This also means that STM does not need to rewrite redirects: Virtual Servers > Connection Management > Location Header Settings > location!rewrite > Nothing.

 

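TrafficScript rule for option #3 (the X-Forwarded-For line is optional):

# Tell the back-end whether the client connection was SSL-decrypted by STM.
http.setHeader("X-Forwarded-Proto", ssl.isSSL() ? "https" : "http");
# Optional: pass the client's IP address to the back-end.
http.setHeader("X-Forwarded-For", request.getRemoteIP());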
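
Back-end side of option #3, as an added example (not part of the original article or of any vendor code): a Python WSGI middleware that accepts "X-Forwarded-Proto" only when the connection comes from the traffic manager, so a client that reaches the back-end directly cannot claim HTTPS. The address range 10.0.0.0/28, the /login path and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: source addresses the traffic manager uses toward the back-end (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]
CANONICAL_HOST = "mysite.example.com"  # host name used in the article's redirect rule

def from_traffic_manager(environ):
    """True when the TCP peer is one of the traffic manager's addresses."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)

class ForwardedProto:
    """WSGI middleware: derive wsgi.url_scheme from X-Forwarded-Proto."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        trusted = from_traffic_manager(environ)
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if not trusted:
            # Header came from the client itself, not from the traffic manager.
            environ.pop("HTTP_X_FORWARDED_FOR", None)
        ok = trusted and proto in ("http", "https")
        # Anything else is treated as plain HTTP, which is what arrived on the wire.
        environ["wsgi.url_scheme"] = proto if ok else "http"
        return self.app(environ, start_response)

def backend(environ, start_response):
    """Sample application: /login must be HTTPS; other paths report their scheme."""
    if environ.get("PATH_INFO") == "/login" and environ["wsgi.url_scheme"] != "https":
        start_response("301 Moved Permanently",
                       [("Location", f"https://{CANONICAL_HOST}/login")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode()]

def simulate(remote_addr, proto, path="/login"):
    """Send one constructed request through the stack; return (status, Location, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = proto
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, location=dict(headers).get("Location"))
    body = b"".join(ForwardedProto(backend)(environ, start_response))
    return seen["status"], seen["location"], body
```

The redirect target uses a fixed host name rather than the request's Host header, because with location!rewrite set to Nothing the back-end's Location value reaches the client unchanged.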

Created By: VenkataKondaReddy Palem
