User Inputted HTTPs POST Data is lost on SSL Offloaded Virtual Services

Many customers use the KEMP LoadMaster SSL offload feature to take SSL encryption load from the Real Server. In this case the connection ends up as follows:

 

Client --HTTPS--> Loadmaster --HTTP--> Real Server (HTTP 80)

Client <-HTTPS-- Loadmaster <--HTTP-- Real Server (HTTP 80)

 

 

For HTTP offloaded services - the server itself operates as unencrypted HTTP only and may sometimes contain URLs to other HTTP resources. As this is contained in the webpage as HTML, this is not modified by the LoadMaster. However, it is easily handled by redirecting all HTTP queries to their HTTPS corresponding URL.

Typically the LoadMaster is configured to redirect all connections made to HTTP to HTTPS, for example:

 

Client ---------HTTP----------> Loadmaster 

Client <-Redirect to HTTPS--> Loadmaster

Client --HTTPS--> Loadmaster --HTTP--> Real Server (HTTP 80)

Client <-HTTPS-- Loadmaster <--HTTP-- Real Server (HTTP 80)

 

This approach can cause problems however; when a page is presented to the user containing a form that the user fills it in and then clicks Submit on.

This uses the POST Method. If the POST maps to a full URL, for example http://www.domain.com/POSTDATA, it will be redirected correctly to https://www.domain.com/POSTDATA.

However, redirects do not preserve the data entered in the form and the submission fails as it contains no data.

To resolve this issue, any POST URLs should be relative and not contain the full path. For example /POSTDATA instead of http://www.domain.com/POSTDATA. If contained within a page which has been offloaded, and is being accessed by the client using HTTPS, the relative URL will be interpreted as HTTPS and no redirect will occur on submitting.

Alternatively, if a 307 Temporary Redirect is used the POST Data should be preserved after redirect which should resolve

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments