Thursday, January 27, 2011

HTTP header for SSL

Is there any standard HTTP header which an SSL termination point should set?
I'm asking because currently we have a load balancer which is the termination point for HTTPS. Behind it there's an application server, and at the moment we have no clue whether the request came over HTTP or HTTPS.
Should the load balancer set a cookie, or maybe a special HTTP header?

  • SSL wraps HTTP; it is an issue similar to the HTTPS vhost one ... nothing in the HTTP is aware of the encrypted tunnel it is wrapped in.

    Nevertheless, the web server can set some env variable or other similar mechanism to make server-side applications such as PHP scripts aware of whether the channel is encrypted or not, but it is not a protocol issue.

    Julien Vehent : Load balancers and application servers rarely share variables (this is different than Apache executing PHP in its own memory context), therefore the HTTP connection is the only way of exchanging information. This is why most infrastructures use X-custom headers in HTTP requests.
    AlberT : Of course, but the point is that this information is **inside** the encrypted channel and is only accessible once the SSL connection is established. Nevertheless, what you say is right.
    From AlberT
  • I assume your load balancer can manipulate the HTTP headers after deciphering the SSL. Thus, a solution would be to add a custom local header to the HTTP request forwarded to the server, such as X-SSL-ENABLE: 1.

    A cookie would be stored on the client's side, resent for each request and therefore loading your external bandwidth for no reason, since this is of internal use only.

    wittwerch : OK, a custom HTTP header. But there is no standard for how this header should be named? Maybe X-HTTPS: on
    Julien Vehent : I am not aware of any standard/good practice. I'd say, make it explicit and it should be alright.
    symcbean : -1: cookie? What cookie? Are you talking about implementing server affinity on the load balancer?
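
An added example, not part of the original thread: how an application server might consume the `X-SSL-ENABLE: 1` header suggested above while ignoring it from any peer that is not the load balancer. The middleware name, the proxy address `10.0.0.5` and the demo application are assumptions made for illustration.

```python
# Added example: WSGI middleware that honours X-SSL-ENABLE only when the
# request arrives from the SSL-terminating load balancer.
TRUSTED_PROXIES = {"10.0.0.5"}     # assumed internal address of the load balancer
SSL_HEADER = "HTTP_X_SSL_ENABLE"   # WSGI environ key for the X-SSL-ENABLE header


class SSLTerminationMiddleware:
    """Set wsgi.url_scheme from X-SSL-ENABLE for trusted peers only."""

    def __init__(self, app, trusted_proxies=TRUSTED_PROXIES):
        self.app = app
        self.trusted = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        # Always remove the header so the application never reads it directly.
        value = environ.pop(SSL_HEADER, None)
        if environ.get("REMOTE_ADDR") in self.trusted:
            # The load balancer is authoritative: no header means plain HTTP.
            environ["wsgi.url_scheme"] = "https" if value == "1" else "http"
        # Untrusted peer: keep the scheme the local server observed.
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical application that reports the scheme it was told about."""
    body = environ["wsgi.url_scheme"].encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def scheme_seen_by_app(remote_addr, header_value=None):
    """Run one constructed request through the middleware; return the scheme."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if header_value is not None:
        environ[SSL_HEADER] = header_value
    app = SSLTerminationMiddleware(demo_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-SSL-ENABLE value)
    for peer, hdr in [("10.0.0.5", "1"), ("10.0.0.5", None), ("203.0.113.9", "1")]:
        print(peer, hdr, "->", scheme_seen_by_app(peer, hdr))
```

The load balancer should also overwrite or delete any copy of the header that arrives from the client, so that only its own value reaches the application server.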
