Convert HTTP to HTTPS requests using CA Access Gateway (SPS)

Article ID: 41280

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER

Issue/Introduction

 

How can all HTTP requests intercepted by CA Access Gateway (SPS) be converted to HTTPS requests?

This article lists CA Access Gateway (SPS, Secure Proxy Server) configurations that convert all HTTP requests to HTTPS requests.

Note:

This KB article describes how to add a general rule so that if a client sends any http:// request, the SPS/Access Gateway redirects it via a 302 response to the https:// version of the page.

For example:
 
# Client sends request, and gets 302 redirect

client -> http://www.example.com         ->  Secure Proxy Server / Access Gateway  
client <- 302 redirect to https://www.example.com 

# client then makes request on https:// 

client  -> https://www.example.com       ->  Secure Proxy Server / Access Gateway  

The HTTP request itself is not processed; only the HTTPS requests are processed.

There has been some confusion suggesting that mod_headers/mod_rewrite rewrite the headers and pass the request on to the back end.

 

Environment

 

Policy Server: R12.52 SP1 CR1
Secure Proxy Server: R12.52 SP1 CR1

 

Resolution

 

== OPTION 1 ==

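Use the Apache mod_rewrite module to detect any HTTP request and send a redirect telling the client to come back via the HTTPS interface.

Update httpd.conf with the following:

LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine On
# Match only requests that did not arrive over SSL/TLS
RewriteCond %{HTTPS} off
# Send an explicit 302 to the same host and URI over HTTPS, then stop processing rules
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]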

== OPTION 2 ==

Use a CA Access Gateway (SPS) proxy rule condition to test the HTTP host name and port, and send a redirect telling the client to come back via the HTTPS interface.

Update the proxyrules.xml with the following:

<nete:cond type="host" criteria="equals">
  <!-- Request arrived on the HTTP port: redirect the client to HTTPS -->
  <nete:case value="www.example.com:80">
    <nete:redirect>https://www.example.com$0</nete:redirect>
  </nete:case>
  <!-- Request arrived on the HTTPS port: forward it to the backend -->
  <nete:case value="www.example.com:443">
    <nete:forward>http://_host.example.com$0</nete:forward>
  </nete:case>
  <nete:default>
    <nete:redirect>https://_host._domain.com/error.html</nete:redirect>
  </nete:default>
</nete:cond>

== OPTION 3 ==

When there is a large number of hosts and an entry per hostname is not feasible, the pattern match facility can be used instead. A condition does a wildcard match against any host ending in :80 and sends a redirect telling the client to come back via the HTTPS URL. This gives the same result for any hostname.

Update the proxyrules.xml with the following:

<nete:cond type="host" criteria="endswith">
  <!-- Any host on the HTTP port: redirect the client to HTTPS -->
  <nete:case value=":80">
    <nete:redirect>https://{{HOST}}$0</nete:redirect>
  </nete:case>
  <!-- Any host on the HTTPS port: forward it to the backend -->
  <nete:case value=":443">
    <nete:forward>http://_host.example.com$0</nete:forward>
  </nete:case>
  <nete:default>
    <nete:redirect>https://_host._domain.com/error.html</nete:redirect>
  </nete:default>
</nete:cond>

NOTES:

To avoid a redirect loop, set up the default proxy rule case to forward the request directly to the backend server instead of redirecting back to CA Access Gateway (SPS).
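
One way to confirm the redirect behaviour and the loop condition described above, as an added example (not part of the original article or the product's own code): the Python check below classifies the response to a plain-HTTP request and flags the cases where the request was processed, the redirect stays on HTTP, or the client is sent to a different host or port. The function names, verdict strings and sample responses are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def check_redirect(request_url, status, location):
    """Classify the response to one plain-HTTP request; returns a verdict string."""
    req = urlsplit(request_url)
    if status not in REDIRECTS:
        return "no-redirect"       # the HTTP request was processed, not redirected
    if not location:
        return "missing-location"
    loc = urlsplit(location)
    if loc.scheme != "https":
        return "not-https"         # redirect stays on HTTP: possible redirect loop
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        return "host-changed"      # e.g. the default case's error-page redirect
    if loc.port not in (None, 443):
        return "bad-port"          # e.g. port 80 carried over into the HTTPS URL
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        return "path-changed"      # the original URI was not preserved
    return "ok"

def probe(request_url, timeout=5):
    """Send one GET without following redirects and classify the answer."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return check_redirect(request_url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (status, Location), not captured from a real gateway.
SAMPLES = [
    ("http://www.example.com/app?x=1", 302, "https://www.example.com/app?x=1"),
    ("http://www.example.com/app", 200, None),
    ("http://www.example.com/app", 302, "http://www.example.com/app"),
    ("http://www.example.com/app", 302, "https://www.example.com:80/app"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, status, location, "->", check_redirect(url, status, location))
```

Against a live gateway, call probe() with an http:// URL for each published hostname; any verdict other than "ok" means the rule for that host needs review.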