Saturday, January 5, 2013

Netscaler and SSL offloading

As many people are aware, you can offload SSL on a Netscaler. This usually causes some application-level problems: your app may have logic to check that access was via HTTPS and redirect if not, or it may have logic to insert the protocol into links, and since access to your app (from its point of view) is plain HTTP, those links may now carry the wrong protocol.

You can work around this using a technique I call ssl-intercept, where SSL offloading is performed on the Netscaler, say on a content switch, pointing to an HTTP load balancer which has SSL services bound to it. What this means is that the client's SSL session terminates on the Netscaler and a new SSL session is made to the backend server, leaving the stream within the Netscaler as HTTP, allowing you to insert headers or make other decisions based on the HTTP content inside the SSL session. Your app sees the traffic as SSL, so the problems above are negated.

This is particularly useful if you are not using source-ip and instead insert the client IP as a header to your Apache or Tomcat server; otherwise you would have to do ssl-bridge and use source-ip, which is sub-optimal.

If, like me, you want to achieve SSL offload rather than intercept, there is a trick which can help.

1) Add a header to indicate the Netscaler has done SSL offload.
    The easiest way to do this is to use the Microsoft header used for Outlook Web Access, which inserts the header 'Front-End-Https: On'.

   You simply create an action with OWA set to yes, create a policy with that action, and bind the policy to the CS or LB under its SSL policy tab. http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-config-owa-support-tsk.html

2) On Tomcat or Apache, use this header to make the server think access is via SSL. My samples below also make Tomcat or Apache accept the header carrying the client IP as though it were the real IP.

    In Apache, add this to httpd.conf:


        # Treat the request as HTTPS when the Netscaler's OWA policy added
        # 'Front-End-Https: On' (this sets the HTTPS=on environment variable).
        # Note: SetEnvIf does not check who sent the header; the MEF*
        # directives below restrict only the client-IP header.
        SetEnvIf Front-End-Https "^On$" HTTPS=on

        # mod_extract_forwarded (MEF*) replaces the connection's remote
        # address with the value of a custom header, but only for requests
        # arriving from the proxies listed below.
        LoadModule extract_forwarded_module modules/mod_custom_header.so

        # Refuse every source first, then accept only the Netscaler
        # (10.10.10.1 is the Netscaler's address in this sample).
        MEForder refuse,accept
        MEFrefuse all
        MEFaccept 10.10.10.1
        MEFCustomHeader NS-Client-IP


    NS-Client-IP is the header we use to send the client IP from the Netscaler; see http://support.citrix.com/article/CTX109555

     In Tomcat, add this to server.xml:


       <!-- RemoteIpValve rewrites the request's remote address and scheme
            from headers set by the Netscaler. It only honours them when the
            TCP peer matches internalProxies (which defaults to the RFC 1918
            and loopback ranges), so direct clients cannot spoof them. -->
       <Valve
          className="org.apache.catalina.valves.RemoteIpValve"
          remoteIpHeader="X-Forwarded-For"
          protocolHeader="Front-End-Https"
          protocolHeaderHttpsValue="On"
       />

     X-Forwarded-For is the header we use to send the client IP from the Netscaler to Tomcat.
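To check what both samples above actually grant, here is an added Python model of the trust rule they rely on (it is not the code of mod_extract_forwarded, RemoteIpValve or the Netscaler): forwarding headers are believed only when the TCP peer is the Netscaler, and an X-Forwarded-For chain is walked right to left past trusted proxies. The proxy address 10.10.10.1 is taken from the MEFaccept line; the client addresses in the comments are constructed.

```python
import ipaddress

# Constructed sample: the only peer allowed to assert the client IP and the
# scheme is the Netscaler address from the MEFaccept line (10.10.10.1).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.10.1/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr (the TCP peer) is a proxy whose headers we accept."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_from_forwarded(value: str, fallback: str) -> str:
    """Walk a comma-separated forwarded chain right to left, dropping trusted
    proxies; the first untrusted hop is the real client (the same rule Tomcat's
    RemoteIpValve applies). An empty or all-trusted chain yields the fallback."""
    hops = [h.strip() for h in value.split(",") if h.strip()]
    while hops and is_trusted_proxy(hops[-1]):
        hops.pop()
    return hops[-1] if hops else fallback


def resolve_request(remote_addr: str, headers: dict,
                    client_ip_header: str = "NS-Client-IP") -> tuple:
    """Return (client_ip, scheme) the application should believe.

    Mirrors 'MEForder refuse,accept' + 'MEFaccept <netscaler>': when the TCP
    peer is not a trusted proxy every forwarding header is ignored, so a client
    that sets 'Front-End-Https: On' or NS-Client-IP itself gains nothing.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_proxy(remote_addr):
        return remote_addr, "http"
    https_flag = hdr.get("front-end-https", "").strip().lower() == "on"
    scheme = "https" if https_flag else "http"
    client = client_from_forwarded(hdr.get(client_ip_header.lower(), ""), remote_addr)
    return client, scheme
```

Pass remoteIpHeader="X-Forwarded-For" as the third argument to model the Tomcat sample instead of the Apache one.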