When using an SSL offloader, the TARGET parameter in the redirect to the login.fcc page specifies an http: rather than an https: protocol, even though the original request was made over https:

Document ID : KB000051429
Last Modified Date : 14/02/2018

Description:

This is a common configuration problem for traffic behind an SSL offloader. The offloader terminates SSL, so the traffic actually arrives at the web server and Web Agent over unencrypted HTTP. The following entry:

HTTPSPorts=<Port1>,<Port2>

for example:

HTTPSPorts=80

needs to be set so that the Web Agent can identify that the traffic received on port 80 is actually https: traffic. It will then set the TARGET parameter correctly.

Solution:

When redirecting to the Credential Collector, the Web Agent calculates the TARGET variable from the URL used in the request.

SSL offloaders and web caches often rewrite the request before forwarding it to the actual web server, so the web server and Web Agent receive an unencrypted request, often on port 80, and the agent assumes it is an http: request rather than an https: request.

The Agent Configuration Object parameter:

HTTPSPorts=

lets you specify which ports the Web Agent treats as SSL ports. The channel is then assumed to have the security level of an SSL port, which matters when the agent is configured to send SMSESSION cookies over secure connections only, and it also determines whether http or https is used when generating the redirect TARGET variable.

If the traffic arrives at the web server on port 80 directly from the SSL offloader, you need the entry:

HTTPSPorts=80

This can be used if the backend web server accepts traffic only from the SSL offloader, since every request is then assumed to be encrypted. It is important, however, to ensure that the web server accepts traffic only from the SSL offloader and not directly from clients or other internal servers; any plain HTTP request reaching port 80 would otherwise be treated as if it had been encrypted.

For simplicity, it is commonly recommended that the decrypted traffic from the SSL offloader to the backend web server uses a port other than 80, to avoid confusion. A commonly used port for this traffic is port 81, so your setting would be:

HTTPSPorts=81

Then internally, within your firewall, you can still differentiate between SSL and non-SSL traffic.

If, in your configuration, there is also internal traffic on port 80 to that machine, and internal https: (port 443) traffic that can also reach that machine, then the setting would be:

HTTPSPorts=81,443

This indicates that traffic on port 81 from the SSL offloader is considered secure, as is any https: traffic on port 443, while any traffic arriving on port 80 is treated as normal http: traffic.
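The following shell script is an added example and is not part of this document or of the Web Agent; it checks, from the client side, whether the redirect to login.fcc carries an http: or an https: TARGET, which is the quickest way to confirm that the HTTPSPorts setting has taken effect. The host names and query parameters in the two constructed Location headers are assumptions, and the "-SM-" marker in front of the TARGET value is assumed to be what the Web Agent emits; it is stripped if present.

```shell
#!/bin/sh
# Added example, not part of KB000051429: report the scheme of the TARGET
# parameter in a Web Agent redirect to login.fcc. Assumes TARGET is a
# URL-encoded URL, optionally prefixed with "-SM-" (assumption).

# Constructed Location header values, before and after setting HTTPSPorts.
BROKEN_LOCATION='https://sso.example.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-constructed&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=constructed&TARGET=-SM-http%3a%2f%2fwww%2eexample%2ecom%2fprotected%2findex%2ehtml'
FIXED_LOCATION='https://sso.example.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-constructed&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=constructed&TARGET=-SM-https%3A%2F%2Fwww%2Eexample%2Ecom%2Fprotected%2Findex%2Ehtml'

# target_scheme LOCATION -> prints "http" or "https"; returns 1 if there is no usable TARGET
target_scheme() {
    # isolate the raw TARGET value (everything up to the next '&')
    target=$(printf '%s\n' "$1" | sed -n 's/.*[?&]TARGET=\([^&]*\).*/\1/p')
    [ -n "$target" ] || return 1
    # decode only the characters that matter for the scheme (upper- or lower-case hex)
    decoded=$(printf '%s\n' "$target" | sed -e 's/%3[Aa]/:/g' -e 's/%2[Ff]/\//g')
    # drop the optional -SM- marker in front of the URL
    decoded=${decoded#-SM-}
    case $decoded in
        https://*) printf 'https' ;;
        http://*)  printf 'http' ;;
        *)         return 1 ;;
    esac
}

# check_redirect LABEL LOCATION -> PASS if the TARGET is https:, FAIL otherwise
check_redirect() {
    scheme=$(target_scheme "$2") || scheme='(none)'
    if [ "$scheme" = https ]; then
        echo "PASS: $1: TARGET uses https:"
    else
        echo "FAIL: $1: TARGET uses $scheme (check HTTPSPorts on the agent)"
    fi
}

check_redirect 'before HTTPSPorts' "$BROKEN_LOCATION"
check_redirect 'after HTTPSPorts'  "$FIXED_LOCATION"
```

Against a live system, capture the header with curl -sS -o /dev/null -D - https://<offloader-host>/protected/ | sed -n 's/^[Ll]ocation: *//p' and pass the resulting value to target_scheme; the request must go through the offloader, since a request sent straight to the backend port would legitimately produce an http: TARGET.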

Note: There has been some confusion about this point in the Agent Configuration Guide, and despite some clarification it continues: this parameter is not deprecated, and it is also used for platforms other than Apache, notably IIS and Sun ONE web servers.

Also of use, depending on your configuration, is the following Agent Configuration parameter:

  • Set the Agent Configuration Object parameter:
    GetPortFromHeaders=YES
    This needs to be set for some web servers if the port after the SSL accelerator is not one of the standard ports 80 or 443 (it is common for the decrypted traffic to be sent on another port, say 81, to avoid confusion with internal unencrypted traffic).
  • If Apache is the web server, you may also need to set the following values in httpd.conf:

  • UseCanonicalPhysicalPort Off (default is Off)
  • UseCanonicalName On
  • ServerName server_name:port_number

Where,
server_name = host name of the SSL offloader
port_number = the HTTP port which the SSL offloader uses to send the traffic to the backend web server. This port number must be included in the HTTPSPorts ACO parameter.
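The script below is an added example, not part of this document or of the Web Agent, and it ties the httpd.conf values above to the HTTPSPorts and GetPortFromHeaders settings: it reads the port out of the ServerName line and reports the mismatches this article describes (offloader port missing from HTTPSPorts, a non-standard port without GetPortFromHeaders=YES, port 80 treated as SSL, UseCanonicalName not On). The host name sslproxy.example.com, the port 81 and the httpd.conf fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of KB000051429: lint the httpd.conf fragment and the
# Web Agent ACO values for the "decrypted traffic on port 81" layout.
# Host names and ports below are assumptions chosen for illustration.

# Constructed httpd.conf fragment, as the article describes it
HTTPD_CONF='
Listen 81
ServerName sslproxy.example.com:81
UseCanonicalName On
UseCanonicalPhysicalPort Off
'

# port_in_list PORT CSV -> success if PORT appears in the comma-separated list
port_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# servername_port CONF -> prints the port from "ServerName [scheme://]host:port" (empty if none)
servername_port() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ServerName[[:space:]]*\(https*:\/\/\)*[^:]*:\([0-9][0-9]*\).*/\2/p' |
        head -n 1
}

# lint_config CONF HTTPSPORTS GETPORTFROMHEADERS -> prints findings, returns the number of problems
lint_config() {
    conf=$1; https_ports=$2; gpfh=$3; problems=0
    port=$(servername_port "$conf")
    if [ -z "$port" ]; then
        echo "FAIL: ServerName has no explicit port, so the offloader port cannot be checked"
        return 1
    fi
    if ! port_in_list "$port" "$https_ports"; then
        echo "FAIL: ServerName port $port is not listed in HTTPSPorts=$https_ports; TARGET will use http:"
        problems=$((problems + 1))
    fi
    case $port in
        80|443) ;;
        *) if [ "$gpfh" != YES ]; then
               echo "FAIL: port $port is non-standard; set GetPortFromHeaders=YES"
               problems=$((problems + 1))
           fi ;;
    esac
    if port_in_list 80 "$https_ports"; then
        echo "WARN: port 80 is treated as SSL; the web server must accept port 80 only from the offloader"
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^[[:space:]]*UseCanonicalName[[:space:]]*On'; then
        echo "FAIL: UseCanonicalName On is missing; Apache will not build URLs from ServerName"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK: offloader port $port is treated as https:"
    return "$problems"
}

# Demonstration: the wrong and the right ACO values for this httpd.conf
echo '--- HTTPSPorts=80 with GetPortFromHeaders=NO (wrong for this layout) ---'
lint_config "$HTTPD_CONF" '80' 'NO' || true
echo '--- HTTPSPorts=81,443 with GetPortFromHeaders=YES ---'
lint_config "$HTTPD_CONF" '81,443' 'YES' || true
```

To run it against a real server, replace HTTPD_CONF with the output of cat /path/to/httpd.conf (or of the file that carries the ServerName line) and pass the HTTPSPorts and GetPortFromHeaders values from the ACO; a non-zero exit status means at least one of the settings contradicts the port the offloader actually uses.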