#1

This topic is dedicated to questions and comments related to the INSSL - HTTP Gateway with SSL support appliance.

The INSSL data sheet can be found at:
AppLogic 2.4.x: http://doc.3tera.net/AppLogic24/CatGatewayINSSL.html
AppLogic 2.7.x: http://doc.3tera.net/AppLogic27/CatGatewayINSSL.html (page will be published concurrently with 2.7 release)

Please post any questions and/or comments here.

Last edited by BeckyHester; 05-15-2009 at 03:42 PM.

#2

The link to the data sheet for this appliance is not working. Please correct this in the catalog main documentation too.

Thanks,
Emil

#3

Emil,

Thank you -- these should now work both ways (from doc to forum and back); I appreciate the feedback.

Regards,
-- Peter

#4

I thought I would post this for those of you who might be using Ruby on Rails and Mongrel with SSL and need the INSSL appliance for your application.

Rails needs a special HTTP header so that it understands whether to redirect to an SSL connection or not. That header is X-Forwarded-Proto. The INSSL appliance uses pound as load balancing proxy server. To configure it to pass along the X-Forwarded-Proto header, you must first branch the INSSL class. Once branched and your appliance is saved, start it up. Log in to your branched INSSL appliance and change directories to /etc/pound. Edit the file pound_https.conf. Add the following two lines before the End statement:

Code:
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"

Code:
    ListenHTTPS
        Address XXX
        Port 443
        Client 20
        Cert "/mnt/key/server.pem"
        HeadRemove "X-SSL-Request"
        AddHeader "X-SSL-Request: 1"
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
    End

Test your Rails app to ensure that it reforwards https requests appropriately.

#5

Kapow,

Thank you very much for posting this solution here. We should be able to include an option for adding the needed header in the next release of INSSL.

Regards,
-- Peter

#6

I'd like to configure the INSSL appliance to redirect any http requests to https. Any clues on where to do that? Thanks

#7

Kapow,

The current version of the INSSL appliance does not provide this feature. It is a good idea, though -- thanks, we'll try to include it in one of the next releases.

In terms of what can be done now: the simplest approach would be to provide redirection in the web server, based on the presence of the "X-SSL-Request: 1" header (or, rather, on its absence).

I will also discuss this with the maintainers of the INSSL appliance, to see if there is an easy way to do this in the INSSL appliance (e.g., by branching INSSL and making a small change there).

Best regards,
- Peter
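
The web-server-side redirect suggested in post #7, as an added example that is not part of the original thread or of the INSSL appliance: a Rack-style middleware (Rails and Mongrel being the backend discussed in post #4) that passes requests carrying "X-SSL-Request: 1" and redirects everything else to the same resource over https. The class name `RequireSsl`, the `canonical_host` option and the sample hostnames are assumptions, and the check is only meaningful if the proxy strips client-supplied copies of the header on every listener.

```ruby
# Added example (not from the thread): Rack-style middleware for a backend behind INSSL.
# Assumption: the proxy removes any client-supplied X-SSL-Request header on every
# listener, the way HeadRemove/AddHeader do for the HTTPS listener in post #4.
class RequireSsl
  SSL_HEADER = "HTTP_X_SSL_REQUEST"                      # Rack env key for X-SSL-Request
  HOST_RE    = /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/i   # plain DNS names only

  # canonical_host (hypothetical option): fixed redirect host instead of the Host header.
  def initialize(app, canonical_host: nil)
    @app = app
    @canonical_host = canonical_host
  end

  def call(env)
    # Header present with the value pound sets: the request arrived over SSL.
    return @app.call(env) if env[SSL_HEADER] == "1"

    host = @canonical_host || env["HTTP_HOST"].to_s.sub(/:\d+\z/, "")
    # Refuse to build a Location header from a malformed Host value.
    return [400, { "Content-Type" => "text/plain" }, ["Bad Request\n"]] unless host.match?(HOST_RE)

    location = "https://#{host}#{env['SCRIPT_NAME']}#{env['PATH_INFO']}"
    query = env["QUERY_STRING"].to_s
    location += "?#{query}" unless query.empty?

    # 301 for GET/HEAD; 307 keeps the method and body for everything else.
    status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
    [status, { "Location" => location, "Content-Type" => "text/plain" }, ["Redirecting to #{location}\n"]]
  end
end

# Constructed sample request, expressed as a Rack env hash.
def sample_env(overrides = {})
  { "REQUEST_METHOD" => "GET", "HTTP_HOST" => "shop.example.com:80",
    "SCRIPT_NAME" => "", "PATH_INFO" => "/cart", "QUERY_STRING" => "id=7" }.merge(overrides)
end

if __FILE__ == $PROGRAM_NAME
  backend = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  stack = RequireSsl.new(backend)
  p stack.call(sample_env).first(2)                          # plain HTTP request
  p stack.call(sample_env("HTTP_X_SSL_REQUEST" => "1")).first # request marked by the proxy
end
```

Passing `canonical_host:` pins the redirect target to one site name, which avoids deriving it from the request's Host header.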

#8

There may be a limited ability to make Pound redirect HTTP requests. This can only be done to a few fixed URLs (e.g., any HTTP URL goes to the home page); there is no way to tell it to redirect to the same exact HTTPS resource as the incoming HTTP request.

To do this, a Service section with a Redirect directive (or several of them, if desired) needs to be added inside the ListenHTTP ... End section in the config file. Example:

    ListenHTTP
        Service
            URL "*"
            Redirect "https://...."
        End
        ...
    End

This is not exactly trivial to add to INSSL because the redirect target URL must be made to match the hostname of INSSL itself, so unless one wants a single instance of INSSL for a particular web site with a hard-coded URL, this portion of the configuration file will have to be generated at boot time.

#9

So one approach would be to:

Another approach (dumb but will do the job and is simpler -- does not require branching INSSL):

(For the future, we can add this to INSSL; the redirection can be done by thttpd or a perl script inside INSSL; it is not necessary for pound to listen to http in this mode)

Regards,
-- Peter

#10

A quick diagram of an app with the http redirect using a separate small web server. The redirect script can be placed on the appliance's content volume (read-only).