Tuesday, November 24, 2020

Citrix ADC with SSL offloading and port rewrite - how to do it correctly?

Hi folks, I have a question about Citrix ADC. An application with multiple Apache virtual hosts (same IP, each vhost bound to a port in the range 12300 to 12319) is published to outside users via Citrix ADC (using an SSL vserver). Citrix is doing SNAT.

Traffic from the user to the Citrix vserver is SSL (HTTPS); between the Citrix SNIP and the Apache vhosts it is HTTP. Ideally, the users should always see https:// in their address bar, with no backend port. But we are encountering an issue where, in the user's web browser, the address bar shows the scheme as http://, and the backend port is not removed.

What I've configured on Citrix ADC:

  1. Enable SSL offload
  2. Configure HTTP services (backend Apache vhosts)
  3. Configure an SSL vserver using those services, with the correct certificate
  4. On the SSL vserver, enable SSL redirect and SSL port rewrite
  5. Also on the SSL vserver, a Rewrite policy applied on Response, with a condition that matches if Location exists in the HTTP response header, and an action that removes the backend port (using a regex match). We expect the application to return a 302 with a Location, and we alter that Location as we return it to the outside users.

There is also an HTTP vserver which has almost the same configuration as the SSL vserver, except for the cert and SSL params (because they are not required). On this HTTP vserver there's a Responder policy to redirect users to HTTPS.
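To make the expected outcome of step 5 concrete, here is an added example (not Citrix ADC configuration and not from the original post) that models, in Python, the Location-header transformation the Response rewrite must produce: an absolute http:// Location pointing at a backend port in the 12300-12319 range becomes https:// on the same host with the port dropped, while relative paths, already-https URLs and other ports pass through unchanged. The hostname app.example.com and the 302 response are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Backend vhost port range from the post; only these ports are stripped.
BACKEND_PORTS = range(12300, 12320)


def rewrite_location(location: str) -> str:
    """Return the Location value the outside user should receive.

    Only absolute http:// URLs whose port is a backend vhost port are
    rewritten: scheme becomes https, the port is removed, host is kept.
    Everything else (relative paths, https URLs, foreign ports) is returned
    untouched, which is what a narrowly matched rewrite action should do.
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.port not in BACKEND_PORTS:
        return location
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def rewrite_response_headers(raw: str) -> str:
    """Apply rewrite_location to every Location header in a raw HTTP
    response head (CRLF-separated), leaving all other lines as they are."""
    out = []
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            line = f"{name}: {rewrite_location(value.strip())}"
        out.append(line)
    return "\r\n".join(out)


# Constructed sample: what Apache on vhost port 12301 sends back to the ADC.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://app.example.com:12301/portal/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(rewrite_response_headers(SAMPLE_302))
```

If the real ADC rewrite leaves the scheme alone, the browser ends up on http:// and the HTTP vserver's Responder has to bounce it back, which is the symptom described above; the rewrite should change scheme and port in one step.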
