Sunday, 13 November 2016

Losing HTTPS in redirection URLs behind an SSL Offloading Load-Balancer.

We recently set up an application behind a load-balancer which was performing SSL offloading and ... load-balancing. We had this setup in a lab using a software load-balancer (HAProxy) and in production using F5's BIG-IP load-balancer. The application sometimes builds redirection URLs based on the original URL that was used to access it. So if you access the app using https://theLB/myapp, it should redirect to, say, https://theLB/myapp/login.do. That worked just fine with HAProxy which, I assume, has a set of default settings that are more comprehensive for non-LB experts. On the F5 side, we faced many issues though. First, the F5 sends the request to the app server like so: http://appServer1/myapp. This URL is what the application sees in the request and uses for its redirects. Since appServer1 is an internal address and port 80 is not open from the outside, this doesn't work for the end user.

To fix the host name issue (using theLB instead of appServer1) you must enable something like 'PreserveHost'. And finally, to preserve the protocol (HTTPS vs HTTP) you need to add the X-Forwarded-Proto header. (For good measure you could also add the X-Forwarded-Port header.) Something like this for the F5:
 HTTP::header insert X-Forwarded-Proto "https"
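
On the application side, the redirect base can then be rebuilt from the preserved Host header and X-Forwarded-Proto/X-Forwarded-Port. The following is an added example, not code from the application described in this post; the function names and the load-balancer address 10.0.0.10 are assumptions, and the forwarded headers are honoured only when the request actually comes from the load balancer.

```python
import ipaddress

# Assumption: address of the load balancer as the app server sees it (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]
DEFAULT_PORTS = {"http": 80, "https": 443}


def _strip_port(host):
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0]


def external_base_url(peer_ip, headers, local_scheme="http", local_port=80):
    """Return scheme://host[:port] as the end user sees it.

    headers: request headers with lower-cased names.
    """
    scheme, port = local_scheme, local_port
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in TRUSTED_PROXIES):
        # Honour X-Forwarded-* only when the TCP peer is the load balancer;
        # on a direct connection the client could set these itself.
        proto = headers.get("x-forwarded-proto", "").strip().lower()
        if proto in DEFAULT_PORTS:
            scheme, port = proto, DEFAULT_PORTS[proto]
        fwd_port = headers.get("x-forwarded-port", "").strip()
        if fwd_port.isdecimal() and 0 < int(fwd_port) < 65536:
            port = int(fwd_port)
    hostname = _strip_port(headers.get("host", ""))
    # Omit the port when it is the default for the scheme.
    netloc = hostname if port == DEFAULT_PORTS.get(scheme) else f"{hostname}:{port}"
    return f"{scheme}://{netloc}"


def login_redirect(peer_ip, headers):
    """Build the redirect target used as the example in the post."""
    return external_base_url(peer_ip, headers) + "/myapp/login.do"


if __name__ == "__main__":
    lb = "10.0.0.10"
    # F5 without the fixes: internal host name, plain HTTP.
    print(login_redirect(lb, {"host": "appServer1"}))
    # Host preserved and X-Forwarded-Proto inserted by the load balancer.
    print(login_redirect(lb, {"host": "theLB", "x-forwarded-proto": "https"}))
```

The Host header stays client-supplied even when the load balancer preserves it, so an application that cares where its redirects point should also check it against the host names it expects.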