Layer7 Access Management

Tech Tip - CA Single Sign-On: Convert HTTP to HTTPS requests using Secure Proxy Server

By wonsa03 posted 04-28-2016 11:31 PM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 29th April 2016

 

INTRODUCTION:

Secure Proxy Server configurations that convert all HTTP requests to HTTPS requests.

 

QUESTION:

How can all HTTP requests intercepted by SPS be converted to HTTPS requests?

 

ENVIRONMENT:

Policy Server: R12.52 SP1 CR1

Secure Proxy Server: R12.52 SP1 CR1

 

ANSWER:

== OPTION 1 ==

Use the Apache mod_rewrite module to detect any HTTP request and send a redirect to the client so that it comes back via the HTTPS interface.

Update httpd.conf with the following:

 

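# Load mod_rewrite (skip this line if the module is already loaded elsewhere in httpd.conf)
LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine On
# Match only requests that arrived without TLS
RewriteCond %{HTTPS} off
# Redirect to the same host and URI over HTTPS; L stops further rewrite processing.
# %{HTTP_HOST} is the Host header supplied by the client.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]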


== OPTION 2 ==

Use SPS proxy rules with a cond that tests the HTTP host name and port, and send a redirect to the client so that it comes back via the HTTPS interface.

Update the proxyrules.xml with the following:

 

<nete:cond type="host" criteria="equals">
    <!-- Request arrived on the HTTP port: redirect the client to HTTPS -->
    <nete:case value="www.example.com:80">
        <nete:redirect>https://www.example.com$0</nete:redirect>
    </nete:case>
    <!-- Request arrived on the HTTPS port: forward it to the backend -->
    <nete:case value="www.example.com:443">
        <nete:forward>http://backed.example.com$0</nete:forward>
    </nete:case>
    <nete:default>
        <nete:redirect>https://help.ca.com/error.html</nete:redirect>
    </nete:default>
</nete:cond>

 

== OPTION 3 ==

If you have a large number of hosts and an entry per hostname is not feasible, use the pattern match facility: a cond that does a wildcard match against any host ending in :80 and then sends a redirect to the client to come back via the HTTPS URL. This gives the same result for any hostname.

Update the proxyrules.xml with the following:

 

<nete:cond type="host" criteria="endswith">
    <!-- Any host on the HTTP port: redirect the client to the same host over HTTPS -->
    <nete:case value=":80">
        <nete:redirect>https://{{HOST}}$0</nete:redirect>
    </nete:case>
    <!-- Any host on the HTTPS port: forward the request to the backend -->
    <nete:case value=":443">
        <nete:forward>http://backed.example.com$0</nete:forward>
    </nete:case>
    <nete:default>
        <nete:redirect>https://help.ca.com/error.html</nete:redirect>
    </nete:default>
</nete:cond>

 

NOTES:

To avoid getting into a loop, set up the default proxy rule case to forward the request directly to the backend server instead of redirecting back to SPS.
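
One way to check the result of any of the three options, as an added example that is not part of the original tech tip: the Python function below walks a recorded redirect chain and reports answers served over plain HTTP, redirects to hosts outside an allowlist (Options 1 and 3 build the redirect target from the host named in the request), and the loop described in the NOTES. The function name, the allowlist and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def audit_upgrade(start_url, responses, allowed_hosts, max_hops=5):
    """Walk a recorded redirect chain; return a list of findings ([] = OK).

    responses maps URL -> (status, Location or None), e.g. noted from
    `curl -sI` runs against the proxy. Location values must be absolute.
    """
    findings, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:
            return findings + [f"redirect loop at {url}"]
        seen.add(url)
        if url not in responses:
            return findings + [f"no recorded response for {url}"]
        status, location = responses[url]
        src = urlsplit(url)
        if status not in REDIRECTS or not location:
            if src.scheme == "http":
                findings.append(f"{url} answered {status} over plain HTTP")
            return findings
        dst = urlsplit(location)
        if dst.scheme != "https":
            findings.append(f"{url} redirects to non-HTTPS {location}")
        if dst.hostname not in allowed_hosts:
            # Do not follow off-site: the rule reflected or hard-coded another host.
            return findings + [f"{url} redirects to unexpected host {dst.hostname}"]
        if src.scheme == "http" and (dst.path, dst.query) != (src.path, src.query):
            findings.append(f"{url} upgrade changed the path or query")
        url = location
    return findings + [f"more than {max_hops} redirects"]

# Constructed sample chains (not captured from a real deployment).
ALLOWED = {"www.example.com"}
GOOD = {
    "http://www.example.com/app?x=1": (302, "https://www.example.com/app?x=1"),
    "https://www.example.com/app?x=1": (200, None),
}
# Default case redirecting back to the proxy itself: the loop the NOTES warn about.
LOOP = {
    "http://www.example.com/app": (302, "https://www.example.com/app"),
    "https://www.example.com/app": (302, "https://www.example.com/app"),
}

if __name__ == "__main__":
    print(audit_upgrade("http://www.example.com/app?x=1", GOOD, ALLOWED))
    print(audit_upgrade("http://www.example.com/app", LOOP, ALLOWED))
```

With the Option 2 or Option 3 rules as written, the default case's redirect to the error page is reported as an unexpected host unless that host is added to the allowlist.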
