Re: SSL Issue - Urgent
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Thu, 14 Jul 2005 14:29:08 -0700
I cannot view that URL - needs access code.
Yes, we are talking about software and there's usually always a solution.
There are two general classes of solution for this problem:
1. Generically extensible -- the translation device gives some hint of the
translation so that downstream interpreters can take action.
2. Hack -- the downstream interpreters just guess
For generic solutions -- with devices like F5 that offload HTTP/HTTPS
traffic, you tend to have the following sort of loss:
1. Client IP - to the web server, the F5 device looks like the client --
some devices will set a proprietary HTTP Request header indicating
"original" client IP, and custom software can read and change the web
server's log accordingly. Custom software exists to do this for both Apache
2. Port - to the web server, all requests look like they come for port 80 --
so the device would need to set a proprietary HTTP Request header indicating
"original" port, and custom software can behave accordingly
These generic solutions require the device doing the translation to do the
right thing because the downstream interpreters like IIS/Apache web servers
- If this happens for an entire URL namespace, just configure 302
redirection code to always specify an arbitrary port like "443". Of course,
this is a hack, so if you only do this for a part of the URL namespace, it
won't work. This has been done on Apache and IIS as well.
Bottom line: Yes, solutions can be written and IIS can support these
approaches. But, whether the code actually exists for you to acquire...
that's really an issue of availability and not whether IIS can do it or not.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"smith" <firstname.lastname@example.org> wrote in message
news:BAA07549-B7C5-4BD7-B2A4-E19AD1FA553B@microsoft.com...
I did see something similar here :
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PQ86347
That is what led me to believe there might be a solution, and I wanted to
know if it could be done on the IIS level?

"David Wang [Msft]" wrote:
> The device which translates HTTPS->HTTP should also translate responses from
> HTTP->HTTPS, including URLs. It is the only thing that knows the translation
> happened for a given request, therefore it is responsible for transmitting
> this information downstream.
>
> As you've stated, there is no way that IIS/JRun knows that the original
> request is HTTPS at all -- the device that translates HTTPS->HTTP needs to
> give a hint -- perhaps add an extra HTTP request header that client
> applications can use to detect this.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "smith" <email@example.com> wrote in message
> news:3C6E0382-5FED-4527-A87F-AE87A5FDAEC3@microsoft.com...
> We have an f5 ssl offloader that is used in front of IIS 6.0. A https
> request comes to the SSL offloader and is forwarded over http to a webserver
> with the JRun plugin. The problem occurs if the original request is
> redirected by a IIS/JRun application. The redirected request becomes an http
> request because IIS/JRun is not aware that the original https
> request was intercepted by a SSL offloader and forwarded to
> IIS over http.
> We don't want to install certificates on IIS, is there a way that WebEngine
> can check whether ssl is required so that when it is ssl over http, https
> scheme will be chosen.
>
> Thanks in advance.
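
The "generically extensible" approach from the reply above, sketched as an added example that is not part of the original thread and is not IIS, JRun or F5 code: downstream software recovers the original scheme, port and client IP from hint headers, and honours them only when the connection comes from the offloader itself. The header names, the offloader address and the function names are assumptions; the thread only says the device sets a "proprietary" header.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumption: address of the SSL offloader (constructed sample value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]
# Assumption: hint header names set by the device; the thread names none.
PROTO_HDR, PORT_HDR, FOR_HDR = "x-forwarded-proto", "x-forwarded-port", "x-forwarded-for"
DEFAULT_PORTS = {"http": 80, "https": 443}


def from_trusted_proxy(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def original_request(peer_ip, headers, local_port=80):
    """Return (scheme, port, client_ip) as the client saw the request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    scheme, port, client = "http", local_port, peer_ip
    if not from_trusted_proxy(peer_ip):
        # Anyone can send these headers; only the offloader's copy is believed.
        return scheme, port, client
    proto = h.get(PROTO_HDR, "").lower()
    if proto in DEFAULT_PORTS:
        scheme, port = proto, DEFAULT_PORTS[proto]
    raw_port = h.get(PORT_HDR, "")
    if raw_port.isdigit() and 0 < int(raw_port) < 65536:
        port = int(raw_port)
    fwd = h.get(FOR_HDR, "")
    if fwd:
        try:
            # Rightmost entry is the one appended by the trusted device.
            client = str(ipaddress.ip_address(fwd.split(",")[-1].strip()))
        except ValueError:
            pass  # malformed value: keep the socket peer address
    return scheme, port, client


def redirect_location(peer_ip, headers, host, target):
    """Build the absolute Location header for a redirect to `target`.

    `target` may be a path or an app-generated absolute URL; its scheme
    and authority are replaced with the ones the client originally used.
    """
    scheme, port, _ = original_request(peer_ip, headers)
    parts = urlsplit(target)
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```
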