
HTTP to HTTPS translation


Hello folks


I have a request to translate from HTTP to HTTPS (no redirect):
http://path1.domain1.com => https://path2.domain2.com

We have an old application that can't speak HTTPS, hence we thought to use NetScaler to achieve that.


I am a bit stuck on how to proceed here; I am mostly used to SSL offloading, but not vice versa.

Any hint or doc is really appreciated.


Best regards


Link to comment
Share on other sites

When we go from HTTPS/443 to HTTP/80, we typically enable both SSL Redirect and SSL Redirect Port Rewrite.  I wouldn't be surprised if those two settings were required "in reverse."  Have you tried them?


I assume you have a working certificate on the back-end server (self-signed is fine) and you can contact that server directly as a test.

Link to comment
Share on other sites

If the OLD application can't do HTTPS, then what it sounds like you want is HTTPS on the front end for the client to lb vserver communication while leaving HTTP on the backend NetScaler to server communication.  This would be a classic HTTPS offload (HTTPS frontend with HTTP backend).

But you keep saying you don't want to redirect to SSL, which implies no client side SSL,

and you say you are not doing SSL offload, which again implies you do not want client side/frontend SSL to backend HTTP.


Can you clarify what exactly you would like to do?  


Also, again, if your application (the backend servers) cannot do SSL, then it sounds like you want the client to do SSL.

If instead, you have an app that you want HTTP only (frontend and backend) and if the user makes an https request, you want to redirect them to HTTP so they are no longer attempting ssl, then that is also possible (but usually discouraged in favor of ssl offload instead).


I just need to confirm what scenario you are trying to solve.  Or if none of the above, provide more info and we'll see what is possible.




Link to comment
Share on other sites

I don't think a rewrite alone will help you for this (except for the domain portion).


Have you first tried a frontend HTTP vserver to backend SSL services? (Obviously this provides absolutely no client side security at all)

Then use the rewrite policy to change the domain for the backend resolution, to match the cert?

The rewrite alone can't change the destination of the traffic, just the host header/URL paths for the destination on the services you are on.  Meaning the services still have to go to the service (or second vserver you want to receive this traffic).


I can't mock it up until later; but see if this approach might help.

The rewrite might need to be:

request url from (client side) --> into (server side)

http://path1.domain1.com(.*)  -->  https://path2.domain2.com$1


response rewrite from (server) --> into (client side)

https://path2.domain2.com(.*)  -->  http://path1.domain1.com$1


Then we'll have to see from there.

Link to comment
Share on other sites
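
The approach suggested in the last reply (HTTP vserver in front, SSL service behind, rewrites in both directions), written out as NetScaler CLI configuration. This is an added example, not posted by any participant in the thread; the object names, the documentation-range IP addresses and the `backend_ca.pem` file name are assumptions.

```netscaler
# Constructed values: object names, 192.0.2.x / 198.51.100.x addresses and
# backend_ca.pem are placeholders for illustration.

# Back end: SSL service, so the NetScaler-to-server leg is encrypted.
add server srv_path2 192.0.2.10
add service svc_path2_ssl srv_path2 SSL 443

# Verify the back-end certificate instead of accepting any certificate.
# A self-signed back-end certificate can itself be bound here as the CA.
add ssl certKey backend_ca -cert backend_ca.pem
bind ssl service svc_path2_ssl -certkeyName backend_ca -CA
set ssl service svc_path2_ssl -serverAuth ENABLED -commonName path2.domain2.com

# Front end: plain HTTP vserver. The client-to-VIP leg stays cleartext.
add lb vserver vs_path1_http HTTP 198.51.100.10 80
bind lb vserver vs_path1_http svc_path2_ssl

# Request direction: present the host name the back end (and its cert) expects.
add rewrite action rw_act_req_host replace "HTTP.REQ.HEADER(\"Host\")" "\"path2.domain2.com\""
add rewrite policy rw_pol_req_host "HTTP.REQ.HOSTNAME.EQ(\"path1.domain1.com\")" rw_act_req_host
bind lb vserver vs_path1_http -policyName rw_pol_req_host -priority 100 -gotoPriorityExpression END -type REQUEST

# Response direction: map back-end redirects onto the client-facing name,
# otherwise a 3xx would send the HTTP-only client straight to the HTTPS host.
add rewrite action rw_act_res_loc replace_all "HTTP.RES.HEADER(\"Location\")" "\"http://path1.domain1.com\"" -search "text(\"https://path2.domain2.com\")"
add rewrite policy rw_pol_res_loc "HTTP.RES.HEADER(\"Location\").CONTAINS(\"path2.domain2.com\")" rw_act_res_loc
bind lb vserver vs_path1_http -policyName rw_pol_res_loc -priority 100 -gotoPriorityExpression NEXT -type RESPONSE

# Response direction: absolute links inside HTML bodies.
# This only matches when the back end returns the body uncompressed.
add rewrite action rw_act_res_body replace_all "HTTP.RES.BODY(120000)" "\"http://path1.domain1.com\"" -search "text(\"https://path2.domain2.com\")"
add rewrite policy rw_pol_res_body "HTTP.RES.HEADER(\"Content-Type\").CONTAINS(\"text/html\")" rw_act_res_body
bind lb vserver vs_path1_http -policyName rw_pol_res_body -priority 110 -gotoPriorityExpression END -type RESPONSE
```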
