Https redirection question
"Wassink, mw. ing. A." <AWassink(at)cvz.nl>
2007-02-28 11:01:56
Hello,

I am a system administrator for a Governmental institution in The
Netherlands, and we are starting to use more Open Source products in our
company.
POUND was advised to me by enthusiastic users, and during tests in our
environment I have become enthusiastic also.

However, there is one function we need and I have not figured out if/how
it can be done with POUND:

In conceptual form this is what we like to do:
          IF IncomingURL = http://a.b.c/subdir/
          THEN goto https://a.b.c/subdir/

Or in case this is not possible the following is also OK:
          IF IncomingURL = http://a.b.c
          THEN goto https://a.b.c

Some background information:

We intend to use POUND to reverse-proxy requests to a public
IIS-webserver.
Certain parts of this website may only be accessed by clients when using
https.
In case clients connect via http, IIS sends an automatic
redirect-request telling clients to use https.
POUND is configured with the certificate of our webserver and the
webserver-IP-address/port80 is configured as a BackEnd in both HTTP- and
HTTPS-sections.

However, because POUND talks http to the BackEnd we get into a loop:
when a client responds to the webserver's redirect-msg by sending a new
request via https, POUND converts this to http and sends it to the
BackEnd. The BackEnd replies by sending a redirect-https-request... and
so on.
To solve this issue on IIS we have switched off the automatic
redirect-https-requests on certain parts of the website. 
Via a url on the website clients are still redirected to https, and this
works fine (via POUND-revproxy). 
BUT: PROBLEM now is that when the path in a client (web browser) should be
manually changed from https://a.b.c./....
into http://a.b.c./... the
website can be reached in an insecure way.
And this is NOT what we like!

Underneath our configuration:
#To distribute HTTP/HTTPS requests to webserver:

ListenHTTP
    Address 130.15.200.135
    Port    80

# Try to redirect clients from http to https... (not working)
#    Service
#         Url "http://a.b.c"
#         Redirect "https://a.b.c"
#    End

    Service
        BackEnd
           # webserver:
           Address 10.10.10.10
           Port    80
        End
    End

End

ListenHTTPS
    Address 130.15.200.135
    Port    443
    Cert    "/home/miek/pki/btltrailconcat.txt"

    Service
       BackEnd
          Address 10.10.10.10
          Port 80
       End
    End
End


Hope you can help me.

Regards,
Annemieke Wassink

Re: [Pound Mailing List] Https redirection question
Ted Dunning <tdunning(at)veoh.com>
2007-02-28 11:32:41
The easiest way to do this would be to build a trivial web-server that
redirects all requests to https.

Then in pound, direct all http requests to this server and all https
requests to the normal server (using http).

Remember that pound will handle incoming https requests, but will not
generate any https requests to backends.  But what you really need is a
redirection, not load balancing so it is better to do what you need using
the application server rather than pound.

Another approach would be to use a security plug-in to look for the headers
that pound inserts for https requests.  If it doesn't see them, it can
redirect the requestor to https.  This saves an extra server, but may
involve changes to a machine you don't control.  If you are the one who has
to implement the security, then a trivial redirector that you control is the
answer. 


On 2/28/07 1:01 PM, "Wassink, mw. ing. A." <AWassink(at)cvz.nl> wrote:
[...]
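
Added example, not part of either message in the thread: one possible shape for the "trivial web-server that redirects all requests to https" suggested in the reply above, which the ListenHTTP BackEnd would then point at. The host name a.b.c is the placeholder used in the thread; the loopback address, port 8080 and all function and class names are assumptions made for this sketch.

```python
"""Redirect-only HTTP server: every request is answered with a 301 to https://."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumption: the site is served under this one name (placeholder from the thread).
ALLOWED_HOSTS = {"a.b.c"}
DEFAULT_HOST = "a.b.c"


def https_location(host_header, path, allowed=ALLOWED_HOSTS, default=DEFAULT_HOST):
    """Build the https:// target for a request that arrived over plain HTTP.

    The Host header is client-controlled, so it is used only when it matches
    the allow-list; anything else falls back to the default name. That keeps
    the redirector from sending visitors to an arbitrary site.
    """
    host = (host_header or "").strip().lower()
    # Drop an explicit port such as "a.b.c:80"; the target is always port 443.
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")  # "a.b.c." and "a.b.c" are the same name
    if host not in allowed:
        host = default
    # Only an origin-form path is copied into Location. An absolute-URI request
    # target, or one carrying CR/LF, is replaced by "/".
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    return "https://" + host + path


class RedirectHandler(BaseHTTPRequestHandler):
    def _redirect(self):
        target = https_location(self.headers.get("Host"), self.path)
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Same answer for every method; no request body is ever read or processed.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = _redirect


if __name__ == "__main__":
    # Assumption: loopback port 8080, reachable only from the proxy on the same host.
    ThreadingHTTPServer(("127.0.0.1", 8080), RedirectHandler).serve_forever()
```

With this in place the HTTPS listener keeps the real webserver as its only BackEnd, so a URL hand-edited from https to http is answered with a redirect and no site content.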
