Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI
-- Requirement --
I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
The web server instance has two listen sockets, 80 and 443.
The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
-- Current set-up --
The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
How can I constrain the reverse proxying to HTTPS traffic?
Thanks for your help,
Jez
Thanks Chris that worked perfectly.
Aside
Before your solution I had (unsuccessfully) tried the following obj.conf directive
<Client security="false">
NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
</Client>
However, it didn't work - is it not possible to use the <Client security="false"> in this manner?
Similar Messages
-
Is it possible to redirect https traffic to http in CSM?
Hello,
I have a requirement to redirect https traffic to http. Is it possible to do that in the CSM?
In the CSM documentation all redirect examples/config etc refer only to http traffic so I am wondering if the other way around is supported as well.
BTW I have already tried it on the CSM and it is not working. Every time I try to reach the https url I get "ERROR_INTERNET_SECURITY_CHANNEL_ERROR" on http watch.
Thanks for any help offered.
Murtaza
I don't have a config in hands for this.
I have done it before and know this is feasible.
The redirect is here :
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00802877f6.shtml
Just change the vip to be only accessible by the SSLM.
Create the appropriate redirect vserver.
On the SSLM, send the decrypted traffic to the vip address and port.
Just as if the Vip was a server.
Gilles.
-
I am looking for an iPad App that will play a specific iTunes song, at a specific time, on a specific day? Thank you all!
Sorry, I did not say that I need to go out further than 1 week. This is for a church Bell Tower Music System. So we don't want to have to reprogram the music every week. We are looking for more of a Calendar App that will play iTunes Songs for alarms...different songs, on different days. IDEAS ANYONE ???
-
Is there an all in one printer/scanner that will work stand alone with the ipad? Thanks
I'm looking for an all in one scanner/printer that will work stand alone with the ipad, I'm scanning some family photos and no longer use a laptop, thanks for any help.
Use an AirPrint printer.
They are listed here (along with instructions for communicating with iPad):
AirPrint Basics
-
Looking for an app that will alarm on specific text messages.
Looking for an app that will alarm on specific text messages. The idea is to use the message as a pager without a monthly subscription. There is a similar app for Android called firealert.
I could not find any app that would do this. There are different types of message apps but nothing that I could find to do what I am looking for. For a specific contact I would like the message to have a notification that will not go away until I acknowledge it. Just like you would do if it was a pager.
-
Wish to purchase a printer that will reverse print for transfer app and also has 4 separate ink wells
Wish to purchase a printer that will reverse print for transfer app and also has 4 separate ink wells
There are several units out there with 4 ink cartridges, not sure about the option to reverse image in the printer, however mirroring an image is possible in most software programs. Even in paint I think.
Say "Thanks" by clicking the Kudos Star in the post that helped you.
Although I work for HP my posts and replies are my own
Please mark the post that solves your problem as "Accepted Solution"
-
This statement pops up on some occasions when I am sending an Email, but the Emails are usually received by the recipient! who are mostly Family so I have been able to check that they have been read.
Hi mawhitehead,
try these
* The page is not redirecting properly - MozillaZine Knowledge Base
  http://kb.mozillazine.org/The_page_is_not_redirecting_properly
* Network.http.redirection-limit - MozillaZine Knowledge Base
  http://kb.mozillazine.org/Network.http.redirection-limit
* I am unable to access my gmail calender. It states that refused because of cookies being blocked.
  https://support.mozilla.com/en-US/questions/786049
* tried posting new thread on sourceforge shareaza forums, firefox gives problem loading page,
  https://support.mozilla.com/en-US/questions/757368
* Firefox has issues redirecting, cookies are all on, I think I voided my warranty.
  https://support.mozilla.com/en-US/questions/755435
* firefox message: "The page isn't redirecting properly" Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
  https://support.mozilla.com/en-US/questions/695393
-
How to configure DNS server to redirect all web traffic to one external website?
I'd like to use the DNS service on my OS X Server as a way to force all web traffic to one specific, external website. Not quite sure how to go about configuring it, though - any recommendations?
(BTW, this is, obviously, not our primary DNS server; I intend to silently update the preferred DNS server for users who fail to complete their timesheets in order to force the issue)
Web clients don't generate uniquely-identifiable DNS queries; there's no SRV request or related traffic that you could select on and spoof. So if you do implement this, everything querying the spoofing DNS server will get the spoofed host, or you'll have to spot specific queries that are likely web queries; Facebook, Google, Bing, etc.
If you still want to implement this, then I'd probably replace the DNS server with a runt DNS server (maybe hack dnsmasq or maraDNS, or create yourself a trivial DNS server) and have that always return the specified IP address. This avoids having to hack BIND to be universally authoritative, which is probably on par with hacking a simpler DNS server to always return a fixed IP address, and the latter is probably easier to undo.
A firewall can spot TCP port 80 and port 443 traffic, unlike a DNS server. Firewalling outbound port 80 traffic is more typical of these requests, and either trap that traffic to a specific web page based on the capabilities of the firewall, or the web proxy approach that Camelot suggests. There are folks that tie access into the web proxies into external authentication and related; that'd be able to do what you want. Web proxies are usually combined with firewall blocks, as most sites want only the web proxy to have external access, too. But this is also rather more pieces than a DNS redirect, too.
-
WSA blocking HTTPS traffic -allowing HTTP
We have two S170 WSA appliances configured as Guest Wi-Fi Internet proxy servers. The local network design is as follows:
WLC5508 (Foreign) >> WLC5508 (Anchor) >> ACE20 Context >> WSA 170 >> FWSM >> Internet
Guest traffic is authenticated via WCS using RADIUS but is disabled for now.
Clients associate to SSID, receive IP address via local DHCP scope on anchor WLC and forward all traffic to DFWG which is ACE20 interface.
ACE20 has specific class-maps for public DNS use and loadbalance policy-map which forwards all other traffic (excluding DNS) to WSA.
HTTP traffic works fine, HTTPS traffic fails. The HTTPS proxy service uses a local self-signed certificate for initial decryption of the session. The browser and WSA negotiate to use TLSv1 then the error below is shown.
Fails
57666018.658 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54930 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 0 cs-auth-group= - c-port= 54931 cs-bytes= 0 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= - cs-referer= - cs-cookie= -
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> - s-ip= 255.255.255.255 s-port= 443 webcat-code= - cs-version= 1 cs-auth-group= - c-port= 54931 cs-bytes= 598 wbrs-score= - wbrs-threat-reason= - wbrs-threat-type= - cs-user-agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; InfoPath.2; Tablet PC 2.0; MS-RTC LM 8)" cs-referer= - cs-cookie= -
I have seen this error posted before but no resolution. I'm sure this is a config problem, but cannot figure why or where!
Any ideas, thoughts or help would be great...
Cheers
Hi axa,
This is an access policy blocking the SSL traffic based on the TCP_DENIED_SSL / 403. Also I would suspect that you do not have HTTPS proxy enabled which would be required since you're not using port 80 for 443 traffic. I would recommend opening a ticket with the WSA Content Security Team.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
Message was edited by: Erik Kaiser
-
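A sketch of how the denied request can be picked out of access-log lines like those quoted in the WSA thread above; this is an added example, not code from the thread or from Cisco. The field names, and reading the first hyphen-separated token of the policy column as the decision tag, are assumptions made from the quoted lines, and the sample input is abridged from them.

```python
from collections import Counter
from urllib.parse import urlsplit

# Abridged from the access-log lines quoted in the thread: everything after
# the policy column is cut, the leading columns are unchanged.
SAMPLE_LOG = """\
1357666018.760 32 192.168.244.1 NONE_SSL/200 0 TCP_CONNECT 10.153.9.6:443 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE
1357666018.799 0 192.168.244.1 TCP_DENIED_SSL/403 0 GET https://post.packetconsulting.com:443/owa - NONE/- - BLOCK_ADMIN-HTTPS-NonLocalDestination-NONE-NONE-NONE-NONE-NONE-NONE
"""

# Column names are assumptions chosen for this example (positional only).
FIELDS = ("ts", "elapsed_ms", "client_ip", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime", "policy")


def parse_line(line):
    """Split one access-log line into named columns; None if too short."""
    parts = line.split(None, len(FIELDS))
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    code, _, status = rec["result"].partition("/")
    # Assumption: first token is the decision tag, the rest are policy names.
    tag, *groups = rec["policy"].split("-")
    rec["result_code"] = code
    rec["http_status"] = int(status) if status.isdigit() else None
    rec["decision_tag"] = tag
    rec["policy_groups"] = [g for g in groups if g != "NONE"]
    return rec


def host_of(url):
    """Host from a full URL or from a bare host:port CONNECT target."""
    return urlsplit(url if "://" in url else "//" + url).hostname


def policy_denials(log_text):
    """Records whose result code shows the proxy itself refused the request."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and r["result_code"].startswith("TCP_DENIED")]


def summarize(denials):
    """Count denials per (decision tag, policy names, destination host)."""
    return Counter((d["decision_tag"], tuple(d["policy_groups"]), host_of(d["url"]))
                   for d in denials)


if __name__ == "__main__":
    for key, count in summarize(policy_denials(SAMPLE_LOG)).items():
        print(count, *key)
```

Grouping by tag and policy names shows which configured policy produced the 403, which is the starting point for checking that policy on the appliance.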
CSG C5(14) alters HTTP traffic if http accounting is enabled
Hi guys,
I'm facing an issue with some mobile handsets that connect to the internet to gather information from the vendor website (http tcp 80).
I have CSG 5.5(14) configured in this way:
ip csg policy HTTP
 accounting type http customer-string INTERNET
ip csg content WWW
 ip any tcp 80
 replicate
 vlan CLIENTVLAN
 policy HTTP
 inservice
Mobile handsets receive an error while trying to connect.
A trace (attached) shows an HTTP 502 (Bad Gateway).
If I create a more specific content without policy (and consequently without http accounting) like the following, everything works:
ip csg content MYCONTENT
 ip 84.0.0.0 255.0.0.0 tcp 80
 replicate
 vlan CLIENTVLAN
 inservice
My problem is that the DNS resolves that hostname each time with different IP address in different subnets, so I don't have a safe way to map the webserver to this new content.
My questions:
Is there any method to safely map that destination without involving a huge amount of IP addresses that should match WWW content instead?
Does anyone know what the behavior of http accounting in CSG is?
Thanks in advance.
Regards,
Riccardo
Each HTTP method must be initiated by the same endpoint that initiated the TCP connection. The CSG supports IP fragmentation for HTTP; Internet Message Application Protocol, version 4 (IMAP4); Post Office Protocol version 3 (POP3); Simple Mail Transfer Protocol (SMTP); Wireless Application Protocol (WAP) 2.0; and WAP 1.x, regardless of the order in which the flows arrive. Refer to http://cisco.com/en/US/products/sw/wirelssw/ps779/products_configuration_guide_chapter09186a00806ab79a.html
-
Lync mobility and HTTP authentication test failed. Is reverse proxy required?
I currently have the following setup.
1 x 2013 edge server lync1.local.com
has 3 dmz ips for external names
has 1 internal ip
2 x 2013 std front end servers lync2 & lync3.local.com
I've read that in 2013 the mobility service is installed automatically on the front end servers and I do see it running on both.
All my clients can connect from the windows and mac clients (internally and externally) but not from phone or windows app store client (internally or externally)
Running the exchangeconnectivity test on the website I get the following error
Testing HTTP authentication methods for URL https://lyncdiscover.external.com/Autodiscover/AutodiscoverService.svc/root/user.
HTTP authentication test failed.
Additional Details
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
HTTP Response Headers:
X-MS-Server-Fqdn: lync1.local.com
Connection: close
Content-Length: 64
Content-Type: text/plain
Server: RTC/5.0
Elapsed Time: 427 ms.
After some reading I notice that many people refer to a reverse proxy when dealing with mobility.
I do not have a reverse proxy server installed. Is this required for the mobility to work correctly? I can't just use the edge server?
Thanks in advance for any help.
Take a look at Georg Thomas' blog: http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html also the Citrix official documentation: http://www.citrix.com/global-partners/microsoft/netscaler.html
Please mark posts as answers/helpful if it answers your question.
Blog
Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.
-
HTTP adapter using SSL through a reverse proxy (Apache)
I've configured SSL on the PI Server (Double_Stack) and it is working fine. I need to configure an Apache server to act as a reverse proxy which will accept client certificates. Is there a how to or SDN post on this? I have been searching but no luck. I have found info on www.apache.org but it is confusing. Web Dispatcher is not an option in this case (mandated Apache). Thanks for the help.
Didn't need to use Apache.
-
Redirect HTTPS traffic to HTTP in Tomcat
Hi,
We are running SAP BI Platform 4.0 SP2 Patch 7, which runs on top of Tomcat 6.
We have successfully configured our iPads to connect to our SAP BusinessObjects server using HTTPS in internet. We have an application proxy that handles HTTPS and sends plain HTTP to the SAP BusinessObjects server.
The problem is that the same connection does not work when users are accessing our intranet, because the SAP BusinessObjects server only accepts HTTP requests in port 8080.
I have seen that Tomcat allows automatic redirections from HTTP to HTTPS (using redirectPort parameter in HTTP connector definition).
But is the opposite possible, to switch automatically HTTPS to HTTP?
Regards,
Joan
Hi,
At last we have activated HTTPS support in Tomcat. The idea was to avoid HTTPS in BOBJ servers to save CPU usage but after some tests we can afford it.
So no redirections are needed and the question is solved.
Thanks,
Joan
-
Best Home use All-in-one scanner/printer that will run on linux
Domestic Use - UK. What would members recommend as the best all-in-one printer scanner colour, to use on linux with full wireless capability and photo manipulation software addons etc. Running Ubuntu based 14.04 - Linux Lite 2.4 Thanks
I think you will not get a general consensus. Canon is my preference, for both work and at home, but others will tell you they are rubbish, most likely due to a previous bad experience, such as your friend has had.
What I can say about the Canon products is that they have improved their driver and software functionality compared to the days of 10.2. There are still some shortfalls, but there is definitely more support for OS X than there ever was previously.
With your friend's requirements in mind, I would suggest the MX700. It offers Ethernet and USB connections for printing, faxing and scanning. It also does a reasonable job of photo printing.
Here is a CNET review
http://www.cnet.com.au/printers/multifunction/0,239035478,339281337,00.htm
-
I am using a new computer with the latest version of FF on it. When the problem began, I was using an older computer that had a virus and malware on it. I have not yet cleaned the files from the old computer and consequently have not transferred any of them. I don't understand why I am having this same problem. I am not experienced with FF and wonder if there is some setting that I need to change.
Press CTRL+SHIFT+DEL, change the top option to Everything and in the bottom menu, checkmark Cache (uncheck all the others). Then click Clear Now.
Then go to Tools | Options | Advanced and in the Network tab | Offline Storage menu, click Clear Now.
Then go to Tools | Options | Privacy, click Show Cookies button and delete the cookies for lumosity.com.
Then try again.