Re: SSL Issue - Urgent

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/14/05


Date: Thu, 14 Jul 2005 14:29:08 -0700

I cannot view that URL - needs access code.

Yes, we are talking about software and there's usually always a solution.

There are two general classes of solution for this problem:
1. Generically extensible -- the translation device gives some hint of the
translation so that downstream interpreters can take action.
2. Hack -- the downstream interpreters just guess

For generic solutions -- with devices like F5 that offload HTTP/HTTPS
traffic, you tend to have the following sort of loss:
1. Client IP - to the web server, the F5 device looks like the client --
some devices will set a proprietary HTTP Request header indicating
"original" client IP, and custom software can read and change the web
server's log accordingly. Custom software exists to do this for both Apache
and IIS
2. Port - to the web server, all requests look like they come for port 80 --
so the device would need to set a proprietary HTTP Request header indicating
"original" port, and custom software can behave accordingly

These generic solutions require the device doing the translation to do the
right thing because the downstream interpreters like IIS/Apache web servers
cannot tell.

Hacks include:
- If this happens for an entire URL namespace, just configure 302
redirection code to always specify an arbitrary port like "443". Of course,
this is a hack, so if you only do this for a part of the URL namespace, it
won't work. This has been done on Apache and IIS as well.

Bottom line: Yes, solutions can be written and IIS can support these
approaches. But, whether the code actually exists for you to acquire...
that's really an issue of availability and not whether IIS can do it or not.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"smith" <smith@discussions.microsoft.com> wrote in message
news:BAA07549-B7C5-4BD7-B2A4-E19AD1FA553B@microsoft.com...
I did see something similar here:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg1PQ86347
That is what led me to believe there might be a solution, and I wanted to
know if it could be done on the IIS level?
"David Wang [Msft]" wrote:
> The device which translates HTTPS->HTTP should also translate responses from
> HTTP->HTTPS, including URLs. It is the only thing that knows the translation
> happened for a given request, therefore it is responsible for transmitting
> this information downstream.
>
> As you've stated, there is no way that IIS/JRun knows that the original
> request is HTTPS at all -- the device that translates HTTPS->HTTP needs to
> give a hint -- perhaps add an extra HTTP request header that client
> applications can use to detect this.
>
> -- 
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "smith" <smith@discussions.microsoft.com> wrote in message
> news:3C6E0382-5FED-4527-A87F-AE87A5FDAEC3@microsoft.com...
> We have an f5 ssl offloader that is used in front of IIS 6.0.  An https
> request comes to the SSL offloader and is forwarded over http to a webserver
> with the JRun plugin. The problem occurs if the original request is
> redirected by an IIS/JRun application.  The redirected request becomes an
> http request because IIS/JRun is not aware that the original https
> request was intercepted by an SSL offloader and forwarded to
> IIS over http.
> We don't want to install certificates on IIS. Is there a way that WebEngine
> can check whether ssl is required so that when it is ssl over http, https
> scheme will be chosen?
>
>
>
> Thanks in advance.
>
>
>
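The "generically extensible" approach from the reply above, as an added example that is not part of the original thread: downstream code rebuilds the redirect URL from hint headers, but honours them only when the TCP peer is the offloader itself. The header names (`X-Forwarded-Proto`, `X-Forwarded-Port`, `X-Forwarded-For`), the offloader address and the function names are assumptions; the thread only says "a proprietary HTTP Request header".

```python
import ipaddress

# Assumptions, not from the thread: the offloader's address and the header names.
TRUSTED_OFFLOADERS = [ipaddress.ip_network("10.0.0.5/32")]  # constructed address
DEFAULT_PORTS = {"http": 80, "https": 443}


def original_request(peer_ip, headers, wire_scheme="http", wire_port=80):
    """Return (scheme, port, client_ip) as the browser saw them.

    Hint headers count only when the connection comes from the offloader.
    From any other peer they are client-supplied input and are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_OFFLOADERS):
        return wire_scheme, wire_port, peer_ip

    h = {k.lower(): v.strip() for k, v in headers.items()}
    scheme, port = wire_scheme, wire_port

    hinted = h.get("x-forwarded-proto", "").lower()
    if hinted in DEFAULT_PORTS:  # accept only http/https
        scheme, port = hinted, DEFAULT_PORTS[hinted]

    port_text = h.get("x-forwarded-port", "")
    if port_text.isascii() and port_text.isdigit() and len(port_text) <= 5:
        if 0 < int(port_text) < 65536:
            port = int(port_text)

    # The offloader appends the address it saw, so use the last entry only.
    client = peer_ip
    last_hop = h.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        client = str(ipaddress.ip_address(last_hop))
    except ValueError:
        pass  # header missing or malformed: keep the TCP peer address
    return scheme, port, client


def redirect_location(peer_ip, headers, host, path):
    """Build the absolute URL for a 302 Location header.

    `host` is assumed to be a bare, already validated host name.
    """
    scheme, port, _ = original_request(peer_ip, headers)
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"
```

For this to hold, the offloader must overwrite or strip any copies of these headers sent by the browser, and the web server must not be reachable except through the offloader.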

