Thomas_Schaefer
Sep 24, 2009
Nimbostratus
Best Practice to let server know connection was SSL
After working with the BigIP for several years, I feel silly asking this question, but when one uses SSL acceleration and sends data to the pool members in the clear, how does the backup application know the original request was SSL?
Take the following scenario:
*****************
*               *           **************
*   Internet    *---------->*   BigIP    *---------> * Non-SSL Application
*               *           **************
*****************
If the BigIP terminates the SSL, but there are 5 URIs that the app must make sure were using SSL, it occurs to me there needs to be some mechanism that the app knows the user came in SSL (versus modify the URL to change the https:// to http://). Of course, I know I can detect this in an iRule and set a header that the application can check. I can also create a dataclass of URIs and have an iRule enforce SSL for any URI that starts with a member of that data class. My preference is to have the app maintain which URIs need SSL and which do not simply because there are more app developers than iRule monkeys.
All these things are possible, but I thought I would ask if the BigIP already supports such an idea. Is there something in the HTTP header to indicate that the original request was SSL? Otherwise, the application has to assume the user did not modify their URIs (never a good idea to assume that). Perhaps the URL maintains https:// even though there is no more SSL?
I should clarify that the SSL stops at the BigIP so that backend never deals with SSL lest someone think we have a client-side SSL to the app server.
Thanks,
Tom Schaefer
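
The application side of the header approach mentioned in the post, as an added example that is not part of the original post: a WSGI middleware that keeps the list of SSL-only URIs in the app and believes the header only when the request comes from the BIG-IP. Assumptions: the header name X-Forwarded-Proto, the proxy address, the URI prefixes and the canonical host are all constructed for illustration, and the iRule is assumed to remove any client-supplied copy of the header before setting its own.

```python
from urllib.parse import quote

# All values below are constructed for this example (assumptions).
TRUSTED_PROXIES = {"10.0.0.5"}            # BIG-IP address seen by the app
SSL_REQUIRED_PREFIXES = ("/login", "/account", "/checkout")
PROTO_HEADER = "HTTP_X_FORWARDED_PROTO"   # WSGI key for X-Forwarded-Proto
CANONICAL_HOST = "www.example.com"        # avoids reflecting the Host header


def client_used_ssl(environ):
    """True only if a trusted proxy states the client side was HTTPS."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return False  # header may be client-supplied, so ignore it
    return environ.get(PROTO_HEADER, "").strip().lower() == "https"


def needs_ssl(path):
    """Match whole path segments so /login2 is not treated as /login."""
    return any(path == p or path.startswith(p + "/")
               for p in SSL_REQUIRED_PREFIXES)


class RequireSSL:
    """Redirect protected URIs that did not arrive over SSL."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if needs_ssl(path) and not client_used_ssl(environ):
            location = "https://" + CANONICAL_HOST + quote(path)
            query = environ.get("QUERY_STRING")
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)
```

Wrap the existing WSGI application as RequireSSL(app); requests that reach the pool member without passing through the trusted proxy are treated as non-SSL regardless of the header they carry.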