As being part of the CUGC Networking leadership team, I’ll would like to kick-off my first personal blog article for the NSIG group with 1 of my NetScaler insights around SSL Offloading and Rewrite Policies. A very simple and effective feature!
NetScaler is one of the most advanced and impressive products that I’ve used throughout the past 5 years. Started with the configuration of the NetScaler Access Gateway / ICA Proxy, and ended up with all the advanced features, such as URL Rewrite, Content Switching (CSW), Global Server Load Balancing (GSLB) and URL transformations.
(I’m also advising you to take a look at GSLB, I’ll already covered this feature earlier in a CUCG User Share Webinar, together with fellow Networking leaders Dave Brett and Carsten Bruns).
When you setup the following scenario… SSL Offloading for Web Applications performing the transformation of the internal HTTP Protocol to a Secure HTTPS connection on the outside. Just let the NetScaler do the encryption. In some of the cases this works properly, but sometimes you’ll need to replace the HTTP headers back to the original protocol to avoid problems in the links of the (web) application.
For example, the application doesn’t show the right redirections and it still places http:// in front of some of the links. Images are not loaded properly, and thinks it’s still on HTTP instead of HTTPS. Internet Browsers returning with Mixed Content warning, as the examples below…
To solve these problems, you’ll need to activate Rewrite Actions / policies, which will translate all the SSL Offloading HTTPS requests back to HTTP in the header. At that moment, the Web Application will know his way and the application will proceed working perfectly fine in a secure way!
In this article, I’ll show you how you can configure URL Rewrite / Responder Policies to make sure that your Web Application continues working after activating SSL Offloading, when the back-end is listening on the HTTP Protocol.
Errors without URL Rewrite
The following error can return, when you activate SSL Offloading without using URL Rewrite policies…
The following Mixed Content errors will return in the internet browser developer tools…
URL Rewrite configuration steps
Perform the following steps to use the rewrite feature to replace occurrences of http:// with https:// in the body of an HTTP response. In this way, the protocol transformation steps will be translated.
Step 1: Create a Rewrite Action through the following command
add rewrite action httpRewriteAction replace_all http.res.body(50000) "\"https://\"" -pattern http://
Step 2: Create rewrite policy
add rewrite policy httpRewritePolicy "http.res.body(50000).contains(\"http://\")" httpRewriteAction
Step 3: Bind the new Rewrite policy to the Virtual Server of the Web Application Server – as Response Rewrite Policy.
Note: Check the following Citrix Docs article for all the other Policies and Expressions possibilities that are available for NetScaler. https://docs.citrix.com/en-us/netscaler/11/appexpert/policies-and-expressions/ns-pi-summ-exmp-adv-expr-pol-wrapper-con.html
That’s it, I hope this solves your problem.
Networking SIG Leader, CTA