Forum Discussion

Thomas_Schaefer
Sep 24, 2009

Best Practice to let server know connection was SSL

After working with the BigIP for several years, I feel silly asking this question, but when one uses SSL acceleration and sends data to the pool members in the clear, how does the backend application know the original request was SSL?

Take the following scenario:

 *****************
 *               *           **************
 *  Internet     *---------->*   BigIP    *---------> * Non-SSL Application
 *               *           **************
 *****************

If the BigIP terminates the SSL, but there are 5 URIs that the app must make sure were using SSL, it occurs to me there needs to be some mechanism that the app knows the user came in SSL (versus modify the URL to change the https:// to http://). Of course, I know I can detect this in an iRule and set a header that the application can check. I can also create a dataclass of URIs and have an iRule enforce SSL for any URI that starts with a member of that data class. My preference is to have the app maintain which URIs need SSL and which do not simply because there are more app developers than iRule monkeys.

All these things are possible, but I thought I would ask if the BigIP already supports such an idea. Is there something in the HTTP header to indicate that the original request was SSL? Otherwise, the application has to assume the user did not modify their URIs (never a good idea to assume that). Perhaps the URL maintains https:// even though there is no more SSL?

I should clarify that the SSL stops at the BigIP so the backend never deals with SSL, lest someone think we have client-side SSL to the app server.

Thanks,

Tom Schaefer

4 Replies

  • Tom: at first blush your ideas are dead on the money; enforce this access at the BigIP, but also set a header that tells the application that the URI in question was accessed via SSL.

    Regarding the developers, you can have your cake and eat it too: let them use iControl to maintain the URI mapping so you won't have to touch it. Write the rule one time, then let them maintain the datagroup.

    -Matt
  • I figured I would reply to my own question with my current thinking on how to handle this. I have two profiles: http (default) and https. Both are parent profiles, so https is NOT a child of http.

    In the https profile, add a header like "X-SSL". In the http profile, remove the header X-SSL just in case some joker adds this header to their request. The https profile enforces that only SSL traffic gets through the https virts, so I know if the header X-SSL is present, this had to have originated as an SSL transaction.

    I hope that helps.

    Tom
  • Hamish
    Normally I add in the certificate information to an HTTPS offloaded stream too. Various 3rd party apps also support the concept of SSL offload, e.g. Oracle Access Manager (OAM) & Tivoli Access Manager (TAM). They expect certain headers to indicate that the SSL was offloaded and so generate the correct URLs.

    I also tend not to share the same pool members between offloaded (HTTPS) and non-offloaded (HTTP) VS's... Just another belt & braces approach to security... (And I don't use match across pools for persistence either).
  • I know this is a very old discussion, but I was wondering if anyone else has come across a "best practice" for this. I am working on creating a similar configuration right now.
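One way to put Tom's X-SSL header scheme and Matt's developer-maintained data group into a single iRule, as an added example that is not code from the thread or from F5. It assumes the iRule is attached to both the HTTPS and the HTTP virtual server, a hypothetical string data group named ssl_required_uris holding the URI prefixes that must be served over SSL, and a v10 or later BIG-IP (for the class and PROFILE::exists commands).

```tcl
# Added example, not from the original thread. Attach to both virtual servers:
# the SSL-offloading HTTPS VS and the plain HTTP VS that share the backend pool.
# Data group ssl_required_uris (hypothetical name) lists URI prefixes that must
# only be reached over SSL; the developers maintain it via iControl or the GUI.
when HTTP_REQUEST {
    # Never trust a client-supplied X-SSL header: strip it on every virtual
    # server first, so the backend only ever sees a value the BIG-IP set.
    HTTP::header remove "X-SSL"

    if { [PROFILE::exists clientssl] } {
        # This VS terminates SSL, so the request is about to go to the pool
        # in the clear. Tell the application it originally arrived over HTTPS.
        HTTP::header insert "X-SSL" "on"
    } elseif { [class match [HTTP::uri] starts_with ssl_required_uris] } {
        # Plain HTTP VS and the URI is one the app requires SSL for: do not
        # serve it in the clear, send the client to the HTTPS virtual instead.
        HTTP::redirect "https://[HTTP::host][HTTP::uri]"
    }
}
```

The application then treats X-SSL as authoritative only for requests that come from the BIG-IP self IPs (or a pool reachable only from the BIG-IP, as Hamish suggests), since any direct path to a pool member bypasses the header stripping.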