CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 29th April 2016
INTRODUCTION:
Secure Proxy Server configurations that converts all HTTP to HTTPS requests.
QUESTION:
How to convert all HTTP requests intercepted by SPS, to HTTPS requests?
ENVIRONMENT:
Policy Server: R12.52 SP1 CR1
Secure Proxy Server: R12.52 SP1 CR1
ANSWER:
== OPTION 1 ==
Using Apache mod_rewrite module to detect any HTTP request and send a redirect to the client to come back via the HTTPS interface.
Update httpd.conf with the following:
LoadModule rewrite_module modules/mod_rewrite.so
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
== OPTION 2 ==
Using SPS proxy rules via cond to test against the HTTP host name and port and send a redirect to the client to come back via the HTTPS interface.
Update the proxyrules.xml with the following:
<nete:cond type="host" criteria="equals">
<nete:case value="www.example.com:80">
<nete:redirect>https://www.example.com$0</nete:redirect>
</nete:case>
<nete:case value="www.example.com::443">
<nete:forward>http://backed.example.com$0</nete:forward> </nete:case>
<nete:default>
<nete:redirect>https://help.ca.com/error.html</nete:redirect>
</nete:default>
</nete:cond>
== OPTION 3 ==
If you have a large number of hosts where an entry per hostname is not feasible then we can use the pattern match facility to do a wildcard match via cond against the any host ending in :80 and then send a redirect to the client to come back via HTTPS URL. to give the same result for any hostname.
Update the proxyrules.xml with the following:
<nete:cond type="host" criteria="endswith">
<nete:case value=":80">
<nete:redirect>https://{{HOST}}$0</nete:redirect>
</nete:case>
<nete:case value=":443"> <nete:forward>http://backed.example.com$0</nete:forward> </nete:case>
<nete:default>
<nete:redirect>https://help.ca.com/error.html</nete:redirect>
</nete:default>
</nete:cond>
NOTES:
To avoid getting into a loop, setup the default proxy rule case to forward request directly to backend server, instead of redirect back to SPS.