Change all HTTP requests to SSL/HTTPS on a NetScaler

I recently received a request to catch all requests on HTTP and redirect the user to the exact same URL that was requested but over SSL (HTTPS) instead. You can do this using a Responder Policy.

Basically the action to redirect over SSL will be:

"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH + "\r\n"

Make sure to bypass the safety check, or it will give you an "Input Expression is unsafe" error. Don’t worry, this is just a warning message. The NetScaler tries to resolve URLs to make sure they respond when you write an expression. In this case we are telling it to catch any URL, and since it can’t validate something this general, it throws the expression error. Bypassing the safety check gets around this.

The responder policy that calls the action by looking for non-SSL connections should be:

!CLIENT.SSL.IS_SSL

You will notice I specified a 301 redirect in my action because I want to make sure any search engine spiders index my site URL as “https://www.mywebsite.com” and not as “http://www.mywebsite.com” for SEO purposes.

You may or may not want to bind the policy globally. I only apply responder policies to vservers that need them just to be cautious.
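
A check to run once the policy is bound (added example, not code from the original post): it compares a raw redirect response with the HTTP URL that triggered it and reports anything that did not carry over. The function name and the sample request are assumptions; the sample bytes are constructed from the action expression above, where HTTP.REQ.URL.PATH is the path component only, so a query string on the request does not appear in the Location header.

```python
from urllib.parse import urlsplit


def check_redirect(request_url, raw_response):
    """Compare a raw redirect response with the HTTP URL that triggered it.

    Returns a list of findings; an empty list means the response is a 301
    to the same host, path and query string over https.
    """
    text = raw_response.decode("iso-8859-1")
    lines = [line for line in text.split("\r\n") if line]
    findings = []
    status = lines[0].split(" ", 2) if lines else []
    if len(status) < 2 or status[1] != "301":
        findings.append("status is not 301")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "location" not in headers:
        return findings + ["no Location header"]
    req, dst = urlsplit(request_url), urlsplit(headers["location"])
    if dst.scheme != "https":
        findings.append("Location is not https")
    if dst.netloc.lower() != req.netloc.lower():
        findings.append("host changed")
    if dst.path != req.path:
        findings.append("path changed")
    if dst.query != req.query:
        findings.append("query string dropped or changed")
    return findings


# Constructed sample: the bytes the action expression yields for a request to
# /shop/cart?item=42 with Host: www.mywebsite.com (URL.PATH carries no query).
SAMPLE = (b"HTTP/1.1 301 Moved Permanently\r\n"
          b"Location: https://www.mywebsite.com/shop/cart\r\n")

if __name__ == "__main__":
    for url in ("http://www.mywebsite.com/shop/cart",
                "http://www.mywebsite.com/shop/cart?item=42"):
        print(url, "->", check_redirect(url, SAMPLE) or "OK")
```

To use it against a live vserver, capture the response without following redirects and pass the raw header bytes in place of SAMPLE.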

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

4 Comments

  1. Jonathan Polansky

    December 8, 2011 at 6:03 PM

    Thanks for the post Jason! And what’s the NetScaler command to bypass the safety checks, you may be asking? 30 mins of Google searching yields:

    http://support.citrix.com/proddocs/topic/netscaler-rewrite-93/ns-rw-bypass-sfty-chk-tsk.html

    > set rewrite action insertact -bypassSafetyCheck YES
    Done
    > show rewrite action insertact

    Name: insertact
    Operation: insert_http_header Target:Client-IP
    Value:CLIENT.IP.SRC
    BypassSafetyCheck : YES
    Hits: 0
    Undef Hits: 0
    Action Reference Count: 2
    Done

  2. Jochen

    January 9, 2012 at 8:43 AM

    Nice Post, many thanks. But how to bind the responder to the Access Gateway VServer?

  3. Jochen

    January 9, 2012 at 9:22 AM

    @Jochen
    Got it! Just add a Content Switching VServer to the same Access Gateway VServer IP but w/ Port 80 and bind the responder policy to the CS VServer. That’s it!

  4. Scott (uk.linkedin.com/in/scottbarnwell)

    February 6, 2012 at 5:35 AM

    Another good post. If anyone is looking for more information on binding the responder globally or to a VServer, here is the Citrix eDoc:

    http://support.citrix.com/proddocs/topic/netscaler-responder-93/ns-resp-binding-resppoli-tsk.html

    To globally bind a responder policy by using the configuration utility

    In the navigation pane, expand Responder, and then click Policies.
    On the Responder Policies page, select a responder policy, and then click Policy Manager.
    In the Responder Policy Manager dialog box Bind Points menu, select Default Global.
    Click Insert Policy to insert a new row and display a drop-down list of all unbound responder policies.
    Click one of the policies on the list. That policy is inserted into the list of globally bound responder policies.
    Click Apply Changes.
    Click Close. A message appears in the status bar, stating that the configuration has been successfully completed.

    To bind a responder policy to a specific virtual server by using the configuration utility

    In the navigation pane, expand Load Balancing, and then click Virtual Servers.
    On the Load Balancing Virtual Servers page, select the virtual server to which you want to bind the responder policy, and then click Open.
    In the Configure Virtual Server (Load Balancing) dialog box, select the Policies tab, which displays a list of all policies configured on your NetScaler appliance.
    Select the check box next to the name of the policy you want to bind to this virtual server.
    Click OK. A message appears in the status bar, stating that the configuration has been successfully completed.
