Jump to content
Welcome to our new Citrix community!
  • Mixed Content Warnings when Using SSL Offloading? Use the Rewrite Feature...


    christiaan_brinkhoff-1.png by Christiaan Brinkhoff, CTA

    As being part of the CUGC Networking leadership team, I'll would like to kick-off my first personal blog article for the NSIG group with 1 of my NetScaler insights around SSL Offloading and Rewrite Policies. A very simple and effective feature!

    NetScaler is one of the most advanced and impressive products that I've used throughout the past 5 years. Started with the configuration of the NetScaler Access Gateway / ICA Proxy, and ended up with all the advanced features, such as URL Rewrite, Content Switching (CSW), Global Server Load Balancing (GSLB) and URL transformations.

    (I’m also advising you to take a look at GSLB, I'll already covered this feature earlier in a CUCG User Share Webinar, together with fellow Networking leaders Dave Brett and Carsten Bruns).

    When you setup the following scenario…  SSL Offloading for Web Applications performing the transformation of the internal HTTP Protocol to a Secure HTTPS connection on the outside. Just let the NetScaler do the encryption. In some of the cases this works properly, but sometimes you'll need to replace the HTTP headers back to the original protocol to avoid problems in the links of the (web) application.

    For example, the application doesn’t show the right redirections and it still places http:// in front of some of the links. Images are not loaded properly, and thinks it's still on HTTP instead of HTTPS. Internet Browsers returning with Mixed Content warning, as the examples below... 

    To solve these problems, you’ll need to activate Rewrite Actions / policies, which will translate all the SSL Offloading HTTPS requests back to HTTP in the header. At that moment, the Web Application will know his way and the application will proceed working perfectly fine in a secure way!

    In this article, I’ll show you how you can configure URL Rewrite / Responder Policies to make sure that your Web Application continues working after activating SSL Offloading, when the back-end is listening on the HTTP Protocol.


    Errors without URL Rewrite 

    The following error can return, when you activate SSL Offloading without using URL Rewrite policies…


    The following Mixed Content errors will return in the internet browser developer tools…


    URL Rewrite configuration steps

    Perform the following steps to use the rewrite feature to replace occurrences of http:// with https:// in the body of an HTTP response. In this way, the protocol transformation steps will be translated.

    Step 1: Create a Rewrite Action through the following command

    add rewrite action httpRewriteAction replace_all http.res.body(50000) "\"https://\"" -pattern http://

    Step 2: Create rewrite policy

    add rewrite policy httpRewritePolicy "http.res.body(50000).contains(\"http://\")" httpRewriteAction

    Step 3: Bind the new Rewrite policy to the Virtual Server of the Web Application Server - as Response Rewrite Policy.


    Note: Check the following Citrix Docs article for all the other Policies and Expressions possibilities that are available for NetScaler. https://docs.citrix.com/en-us/netscaler/11/appexpert/policies-and-expressions/ns-pi-summ-exmp-adv-expr-pol-wrapper-con.html

    That’s it, I hope this solves your problem.


    Christiaan Brinkhoff 

    Networking SIG Leader, CTA

    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...