Use redirects to redirect a request from one URL to another URL. For example, use redirects to send users to a different web site (for example, redirecting from an old version of an application to a newer version) or from HTTP to HTTPS or from HTTPS to HTTP. Redirects can be enabled in a number of ways in the application (for example, servlet-based redirects, web.xml redirects). However, sending a redirect URL through the load balancer may require some additional configuration of the Enterprise Server or the load balancer. Note that redirects are different from requests that are forwarded using HTTPS Routing. When using redirects, set httpsrouting to false. If configuring HTTPS requests to be forwarded to HTTP, use HTTPS Routing.
The following properties affect redirects: the authPassthroughEnabled and proxyHandler properties of the HTTP service or HTTP listener, and the rewrite-location property in the loadbalancer.xml file.
When the Enterprise Server authPassthroughEnabled property is set to true, information about the original client request (such as client IP address, SSL keysize, and authenticated client certificate chain) is sent to the HTTP listeners using custom request headers. The authPassThroughEnabled property allows you to take advantage of a hardware accelerator for faster SSL authentication if you have one installed. It is easier to configure a hardware accelerator on the load balancer than on each clustered Enterprise Server instance.
Set authPassthroughEnabled to true only if the Enterprise Server is behind a firewall.
Use the asadmin set command to set the authPassthroughEnabled property on the HTTP service or the individual HTTP listener. The setting for the individual HTTP listener takes precedence over the setting for the HTTP service.
To set the authPassthroughEnabled property on all HTTP/HTTPS listeners, use the following command:
asadmin set cluster-name-config.http-service.property.authPassthroughEnabled=true
To set it on an individual listener, use the following command:
asadmin set cluster-name-config.http-service.http-listener.listener-name.property.authPassthroughEnabled=true
The proxy handler for the Enterprise Server is responsible for retrieving information about the original client request that was intercepted by a proxy server (in this case, a load balancer) and forwarded to the server, and for making this information available to the deployed web application that is the target of the client request. If the intercepting proxy server is SSL-terminating, the proxy handler retrieves and makes available additional information about the original request, such as whether the original request was an HTTPS request, and whether SSL client authentication is enabled. Use the proxyHandler property only if authPassThroughEnabled is set to true.
The proxy handler inspects incoming requests for the custom request headers through which the proxy server conveys the information about the original client request, and makes this information available to the web application using standard ServletRequest APIs.
The proxy handler implementation is configurable, either globally at the HTTP service level or for individual HTTP listeners, with the proxyHandler property, whose value specifies the fully-qualified class name of an implementation of the com.sun.appserv.ProxyHandler abstract class. Configurable proxy handler implementations allow the server to work with any proxy server, as long as the proxy handler implementation knows about the HTTP request header names, and understands the format of their values, through which the proxy server conveys information about the original client request.
The proxy handler for the Enterprise Server reads and parses the SSL certificate chain from the request header. This allows a back-end instance to retrieve information about the original client request that was intercepted by an SSL-terminating proxy server (in this case, a load balancer). You can use the default proxy handler settings, or configure your own using the proxyHandler property of the HTTP service or HTTP/HTTPS listener. The proxyHandler property specifies the fully-qualified class name of a custom implementation of the com.sun.appserv.ProxyHandler abstract class used by the listener or all listeners.
An implementation of this abstract class inspects a given request for the custom request headers through which the proxy server communicates the information about the original client request to the instance, and returns that information to its caller. The default implementation reads the client IP address from an HTTP request header named Proxy-ip, the SSL keysize from an HTTP request header named Proxy-keysize, and the SSL client certificate chain from an HTTP request header named Proxy-auth-cert. The Proxy-auth-cert value must contain the BASE-64 encoded client certificate chain without the BEGIN CERTIFICATE and END CERTIFICATE boundaries and with \n replaced with % d% a.
You can only use this property if authPassThroughEnabled is set to true. If you set the proxyHandler property on an individual HTTP or HTTPS listener, it overrides the default setting for all listeners.
Use the asadmin set command to set the proxyHandler property on the HTTP service or the individual HTTP listener.
To set the proxyHandler property on all HTTP/HTTPS listeners, use the following command:
asadmin set cluster-name-config.http-service.property.proxyHandler=classname
To set it on an individual listener, use the following command:
asadmin set cluster-name-config.http-service.http-listener.listener-name.property.proxyHandler=classname
If set to true, the rewrite-location property rewrites the original request information and includes the protocol (HTTP or HTTPS), host, and port information By default, the rewrite-location property is set to true to maintain backward compatibility with previous Enterprise Server releases.
The rewrite-location property is not available through the asadmin create-http-lb-config. To use the property, use the asadmin set command as follows:
asadmin set domain.lb-configs.load-balancer-config.property.rewrite-location=false
Set the rewrite-location property with the following points in mind:
If httpsrouting is false and authPassthroughEnabled is not enabled on the Enterprise Server, set the rewrite-location property to true. When authPassthroughEnabled is not enabled, the Enterprise Server will not be aware of the protocol (HTTP or HTTPS) of the original request. By setting rewrite-location to true the load balancer modifies the protocol part of the rewrite location suitably. That is, if the client is sending HTTPS requests, then the load balancer redirects the client to a HTTPS-enabled listener port on the load balancer. The process is the same for HTTP requests.
If httpsrouting is false, and authPassthroughEnabled is enabled on the Enterprise Server, then rewrite-location can be set to true or false because the Enterprise Server is aware of whether the client request is HTTP or HTTPS. When authPassthroughEnabled is enabled, the Enterprise Server modifies the protocol part of rewrite location suitably. If rewrite-location is set to false, the load balancer does not rewrite the location of the redirected URL. If set to true, it rewrites the location of the redirected URL. But this rewrite is not needed as the Enterprise Server was aware of HTTPS connections from the client. Also, if the application needs to redirect HTTP to HTTPS or HTTPS to HTTP, you must set the rewrite-location parameter to false.