URL Transformation broken after swap to HTTPS


Brent Vickery

We had an SSL vserver configured in our DMZ accepting traffic on port 443 and redirecting the traffic to a server running https on port 443 with a URL transformation policy bound to change the URL on the fly.  This is because we don't want to expose the internal URL externally.  We have a URL externally, that used to be modified on the NetScaler and then forwarded on to the internal webserver via http.

 

We recently swapped the internal server to use HTTPS instead of HTTP.  We updated the ports and URLs in the config, but we're still not having any luck.  I also had the policy for the URL Transformation set to HTTP.REQ.HOSTNAME.CONTAINS("www.example.com").  I noticed that the counter for policy hits is not incrementing.  I changed the policy expression to HTTP.REQUEST.IS_VALID, and now the hit counter increments, but we still don't get the correct behavior.

 

Can anyone tell me what I need to do to get this working?  I'm guessing since the traffic is https, the NetScaler can't see inside the traffic to modify the URL?  My understanding is a little basic on the SSL side of things. I'm guessing since before we were using https externally with the NetScaler serving our wildcard cert, and then http internally, there wasn't an issue, but now that we swapped to https, it can't see inside to modify the URL?

 

Any help anyone can provide is much appreciated.  I can provide any additional info as well if needed.

Link to comment
Share on other sites

If your VIP is SSL, the NetScaler will be able to check the URL, etc. I am guessing you had this previously and you did not change it, and the services were HTTP.

When you switched to 443 services, that means that the back-end session will also be an SSL session between the NetScaler (it is a client) and the server that is listening on 443.

In this case also the NetScaler will be able to see the URL, HTTP headers, etc.

 

If the VIP is SSL_Bridge, the NetScaler will not be able to see anything inside the SSL session, as the SSL session will be between client and server.

 

Can you share the URL transformation, or something similar to your rule? Why did you change the URL transformation? Has the URL changed in the backend?

Link to comment
Share on other sites
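
The two front-end modes contrasted in the reply above, written out as NetScaler CLI configuration. This is an added example, not part of the original thread or either poster's configuration; every object name, IP address, the internal hostname and the certificate key name `wildcard_cert` (assumed to be already installed) are constructed placeholders.

```netscaler
# Constructed example: all names, addresses and hostnames are placeholders.

# Case 1: TLS terminated on the NetScaler (vserver type SSL).
# The appliance decrypts the client session, so HTTP policies can evaluate
# the URL and headers. Because the service is also type SSL, the NetScaler
# then opens its own TLS session, as a client, to the server on 443.
add service svc_web_ssl 10.0.0.10 SSL 443
add lb vserver vs_web SSL 203.0.113.10 443
bind lb vserver vs_web svc_web_ssl
bind ssl vserver vs_web -certkeyName wildcard_cert

# URL transformation evaluated on the decrypted request.
add transform profile prof_web -type URL
add transform action act_web prof_web 10
set transform action act_web -reqUrlFrom "https://www.example.com/(.*)" -reqUrlInto "https://internal.example.net/$1"
add transform policy pol_web "HTTP.REQ.HOSTNAME.CONTAINS(\"www.example.com\")" prof_web
bind lb vserver vs_web -policyName pol_web -priority 100 -type REQUEST

# Case 2: TLS passed through untouched (vserver type SSL_BRIDGE).
# The TLS session runs end to end between client and server. The NetScaler
# holds no certificate for it and only forwards encrypted bytes, so there is
# no HTTP request for a transform or rewrite policy to inspect.
add service svc_web_bridge 10.0.0.11 SSL_BRIDGE 443
add lb vserver vs_web_bridge SSL_BRIDGE 203.0.113.11 443
bind lb vserver vs_web_bridge svc_web_bridge
```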
