This morning I came across an issue that many before me have run into: GSLB with HTTP and HTTPS.
For those not familiar, GSLB is Global Server Load Balancing: the load balancer answers DNS queries for a name (a wide IP) with the address of a pool member its health monitor currently considers up.
We use F5 devices at work because they are flexible and bulletproof. We have yet to come across something we cannot get them to handle! </endf5plug>
Anyway, today I decided to install an SSL certificate on one of our GSLB pools; let's call it xyz.example.com.
We have two sites, SYD1 and SYD2, with a GSLB in each. We do not use LTMs (at least not in this scenario), so unlike the traditional setup the GSLBs return the IP of the server itself, not of an LTM virtual server.
So I installed the certificate on xyz.example.com and loaded it. Works great! Hitting https://xyz.example.com also works fine. Good work team! Time for a beer.
Wait a minute!
The health monitor on the pool in the load balancer only checks HTTP, NOT HTTPS.
Hypothetical Scenario:
HTTP is responding on the server, but the HTTPS port has just been firewalled off. HTTPS is now closed.
Because the pool monitor only checks HTTP, the GSLB will keep handing out that server's IP, and clients will keep sending HTTPS traffic to the failed server. There is nothing the load balancers can do about it in this scenario, because they never see the traffic, only the DNS request. DNS sits one step before the HTTPS connection is made, so there is nothing you can do there :'(
So how do you fix this?
Three options:
1) Give the pool both an HTTP and an HTTPS monitor and require both to pass. This is a good idea, but not good enough for my standards.
2) Redirect all HTTP traffic to HTTPS.
3) Well, you need another wide IP / DNS name.
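To make the hypothetical scenario and option 1 concrete, here is an added example (my own plain-Python monitor, not code from the original post and not F5 code) that probes a pool member over both HTTP and HTTPS, doing a real TLS handshake with SNI and certificate verification on the HTTPS side, and only calls the member available when every required monitor passes. It also reproduces the scenario above offline: it starts a throwaway HTTP-only listener on localhost and probes a deliberately closed port for HTTPS, so you can see the HTTP-only monitor keep the broken member in service while the two-protocol monitor pulls it. The name xyz.example.com, the ports and the "/" path are assumptions for illustration.

```python
# Added example: a two-protocol pool-member monitor in plain Python.
# Not from the original post and not F5 code; xyz.example.com, the ports
# and the "/" path are assumptions for illustration.
import socket
import ssl
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer


@dataclass
class Probe:
    scheme: str
    ok: bool
    detail: str


def _get_status(sock, host, path):
    """Send a minimal HTTP/1.1 GET on an already-open socket, return the status code."""
    sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    fp = sock.makefile("rb")
    status_line = fp.readline().decode("latin-1", "replace")
    fp.read()  # drain the rest so the server side finishes cleanly
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise OSError(f"bad status line {status_line.strip()!r}")
    return int(parts[1])


def probe_http(ip, port, host, path="/", timeout=3.0):
    """Plain-HTTP monitor: up iff the member answers with a 2xx/3xx."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            status = _get_status(s, host, path)
        return Probe("http", 200 <= status < 400, f"status {status}")
    except OSError as e:
        return Probe("http", False, f"{type(e).__name__}: {e}")


def probe_https(ip, port, host, path="/", timeout=3.0, verify=True):
    """HTTPS monitor: TCP connect, TLS handshake with SNI=host and the
    certificate checked against host (unless verify=False), then the same GET.
    A closed port, a handshake failure or a bad certificate all count as down."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                status = _get_status(tls, host, path)
        return Probe("https", 200 <= status < 400, f"status {status}")
    except OSError as e:  # ssl.SSLError and ConnectionRefusedError are both OSError
        return Probe("https", False, f"{type(e).__name__}: {e}")


def member_available(ip, host, http_port=80, https_port=443, require=("http", "https")):
    """Verdict for one pool member: available only if every monitor named in
    `require` is up. require=("http",) is the post's original HTTP-only
    monitor; the default is option 1, where both monitors must pass."""
    probes = {"http": probe_http(ip, http_port, host),
              "https": probe_https(ip, https_port, host)}
    return all(probes[s].ok for s in require), probes


def simulate_firewalled_https():
    """Reproduce the post's scenario offline: a member that answers on HTTP
    while its HTTPS port is closed. Returns both monitors' verdicts."""
    class Ok(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

        def log_message(self, *args):  # keep the demo quiet
            pass

    httpd = TCPServer(("127.0.0.1", 0), Ok)            # HTTP on a free port
    http_port = httpd.server_address[1]
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    with socket.socket() as s:                          # grab a free port, then leave it closed
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    try:
        http_only, _ = member_available("127.0.0.1", "xyz.example.com",
                                        http_port, closed_port, require=("http",))
        both, probes = member_available("127.0.0.1", "xyz.example.com",
                                        http_port, closed_port)
    finally:
        httpd.shutdown()
        httpd.server_close()
    return {"http_only_monitor": http_only,            # True: the bug, member stays in service
            "http_and_https_monitor": both,            # False: option 1 pulls it
            "https_detail": probes["https"].detail}


if __name__ == "__main__":
    print(simulate_firewalled_https())
```

Run it directly and it prints the two verdicts: the HTTP-only monitor reports the member available, the HTTP-plus-HTTPS monitor reports it down with a connection-refused detail. To use it as an external check, point member_available at a real member IP with its real ports and the name clients will send as Host and SNI; pass verify=False to probe_https only for self-signed test boxes, since a bad certificate is exactly the kind of HTTPS failure you want the monitor to catch.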
So I created securexyz.example.com.
Now I have xyz.example.com and securexyz.example.com, both of which respond on HTTPS, with the second in its own pool whose monitor checks the HTTPS virtual host separately.
Woohoo! Fixed, beer time!
Oh come on. That's only half a job! Two more things need to happen.
The first: educate people about the new URL, which has its own health check and is therefore more reliable.
The second: a 301 redirect to the right place, so that anything still using the old URL gets pointed at the new one.
I'm not an expert at htaccess rules, so the below took me a few minutes to work out, hence why I am sharing it.
This will take any HTTPS traffic for xyz.example.com and redirect it to securexyz.example.com, keeping the path (mod_rewrite carries the query string across by default):
RewriteEngine on
# Only act on requests that arrived over TLS on this server...
RewriteCond %{HTTPS} on
# ...and only when the client asked for the old name (case-insensitive Host match)
RewriteCond %{HTTP_HOST} ^xyz\.example\.com$ [NC]
# Permanent redirect to the same path on the new name; in .htaccess the matched
# path has no leading slash, hence the "/" before $1. L stops further rules.
RewriteRule ^(.*)$ https://securexyz.example.com/$1 [R=301,L]
Whilst this still leaves a small loophole (a client still using xyz.example.com gets its IP from the HTTP-only-monitored pool, and if that server's HTTPS is down it never even receives the redirect), over time the 301 will work its magic and users will slowly adjust to the new URL.
By doing it at the htaccess level rather than in application code, you also ensure the redirect keeps working if there are code or interpreter errors on the server. Note that %{HTTPS} is only "on" when TLS terminates on the Apache instance itself, which is the case here because the GSLB hands out the servers' own IPs.
NOW it is beer time!
2 comments
Thanks for posting this helpful post on the Difference Between Http and Https. I got all the details about HTTP and HTTPS from here.
There are several articles on this, but somehow this article stands out from all of them. Great writing style, and the extra information is a nice add-on.