bscully Absent Member.

Redirecting HTTP -> HTTPS

Hi,

I've been using Google's (formerly) PWM for many years and am seriously considering moving to NetIQ's SSPR based on their customization and ease-of-deployment using similar code. While working with PWM, I used a combination of iptables and Tomcat's security-constraint to intercept HTTP/80 to HTTPS/443. Is there a similar "redirect" within, say, the Administration GUI (:9443) or the Configuration Editor to listen and unblock 80 and redirect/require sessions to 443?

My goal is to simplify appliance installs and upgrades using the export/import configuration options and avoid the CLI for configuration tweaks.

Thanks for your time!

Bill
Knowledge Partner

Re: Redirecting HTTP -> HTTPS

You can do exactly the same thing with the host-based firewall. On SLES
you can set the FW_REDIRECT setting under /etc/sysconfig/SuSEfirewall2 and
that will do it for you, or you can use your own combination of iptables
rules to do the same thing (SuSEfirewall2 uses iptables under the hood
like just about every other Linux-based firewall out there).

SSPR itself, like PWM, is just a web application that runs within Apache
Tomcat, and Tomcat does not run as 'root' normally, so it cannot do
anything with ports below 1024.

Making an appliance with SSPR should be easy, and in fact the company also
has one for you that will get SLES patches to keep the host OS, Tomcat,
etc. up to date.

--
Good luck.

bscully Absent Member.

Re: Redirecting HTTP -> HTTPS

Thanks, but I was hoping to keep it simple. I'm running the 4.1 appliance, now, but wondering if either the Administration GUI or Configuration Editor will allow the same sort of thing. They've set up things like TLS Cert. management and HTTPS enforcement and even list the Firewall rules, but I'm wondering if I've just missed a configuration page in there that will allow HTTP->HTTPS management, too?
Knowledge Partner

Re: Redirecting HTTP -> HTTPS

bscully;2451500 wrote:
Thanks, but I was hoping to keep it simple. I'm running the 4.1 appliance, now, but wondering if either the Administration GUI or Configuration Editor will allow the same sort of thing. They've set up things like TLS Cert. management and HTTPS enforcement and even list the Firewall rules, but I'm wondering if I've just missed a configuration page in there that will allow HTTP->HTTPS management, too?


So, if I understand correctly:

In addition to redirecting the HTTP -> HTTPS (8443) for the end users, you ALSO want to redirect the management port (:9443) to "443" as well?

If so, I don't believe it can be done without somehow adding/binding the management to another IP address (you can't have two things redirecting to the same port and still have the app "work", usually).

But maybe there is a way to do it, I'm just not aware (Filr, other setups have similar limitations). Maybe with NAM front-ending you could do it with some DNS-based multi-homing on a different port (but I've never tried it to be honest).
bscully Absent Member.

Re: Redirecting HTTP -> HTTPS

Thanks for your response.

No, I'm not interested in redirecting the admin port and, yes, it's easy to listen and redirect using the same IP using Linux tools like iptables and configuring security-constraints in Tomcat's web.xml, but I am wondering if the same can be accomplished via, say, the Configuration Editor. This way I can preserve my config and an appliance replacement would simply involve an export and import of the config without the additional steps of having to visit the CLI, modify the tables, xmls, etc. NetIQ has managed to do this for certain pieces, i.e., a Cert. import doesn't involve using keystore adds from the CLI, etc. I'm wondering if my original post can be done using one of the 2 GUI admin pages so these settings can be easily transferred (import/export) to another appliance, for example.
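A post-upgrade check for the two CLI-side pieces mentioned in this thread (the iptables redirect and the Tomcat security-constraint), added here as an example and not taken from any poster or from NetIQ. The sample inputs are constructed, and local port 8080 for Tomcat's plain-HTTP connector is an assumption; on a live host the first argument would come from `iptables-save -t nat` and the second from the deployed web.xml.

```shell
#!/bin/sh
# Constructed sample: nat table in the format printed by `iptables-save -t nat`.
# Port 8080 (Tomcat's plain-HTTP connector) is an assumption.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed sample: the security-constraint block from a Tomcat web.xml.
SAMPLE_WEBXML='<security-constraint>
  <web-resource-collection>
    <web-resource-name>everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>'

# redirect_target NAT_DUMP PORT
# Prints the local port that tcp/PORT is redirected to; returns 1 if no rule.
redirect_target() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "-A" && $2 == "PREROUTING" {
      dport = ""; to = ""; tgt = ""
      for (i = 3; i < NF; i++) {
        if ($i == "--dport")    dport = $(i + 1)
        if ($i == "-j")         tgt   = $(i + 1)
        if ($i == "--to-ports") to    = $(i + 1)
      }
      if (dport == p && tgt == "REDIRECT" && to != "") { print to; found = 1; exit }
    }
    END { exit !found }'
}

# requires_tls WEBXML
# Text match, not an XML parser: a commented-out constraint would also match.
requires_tls() {
  printf '%s\n' "$1" | tr -d ' \t\r\n' |
    grep -q '<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>'
}

# audit NAT_DUMP WEBXML: both halves must be present for HTTP -> HTTPS to work.
audit() {
  to=$(redirect_target "$1" 80) || { echo "FAIL: no REDIRECT rule for tcp/80"; return 1; }
  requires_tls "$2" || { echo "FAIL: web.xml does not demand CONFIDENTIAL transport"; return 1; }
  echo "OK: tcp/80 -> local port $to, and Tomcat redirects plain HTTP to HTTPS"
}

audit "$SAMPLE_NAT" "$SAMPLE_WEBXML"
```

Run after an appliance replacement, a FAIL line shows which of the two manual steps did not survive the export/import.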
Knowledge Partner

Re: Redirecting HTTP -> HTTPS

I doubt it, at least at the present. SSL happens after the service is
started, connected-to and TCP is finished negotiating, which all happens
after Apache Tomcat has bound a socket for listening, which happens after
it is fully loaded/initialized. On the other hand, binding a socket
happens much earlier, and even if you could do it the Linux side will
prohibit it unless you either run Tomcat as root (bad idea) or you use Linux
"Capabilities" (setcap command, etc.) which may or may not work (I tried
Monday with another Java-based process and it did not work for me, though
that could easily have been pilot error). Since you are trying to avoid
the command line, I do not think you can do it.

If you want the appliance to be easy like NetIQ's, you could use SUSE
Studio to set everything up so all you do is provide the WAR, or even
include that in the appliance from SUSE Studio, and you're off to the
races. Pull down appliance, turn on, and set the last site URL setting
and everything could work pretty nicely. You could also then import he
SSPRConfiguration.xml file in order to customize all of SSPR other than
Apache Tomcat's bits.

--
Good luck.

bscully Absent Member.

Re: Redirecting HTTP -> HTTPS

Thanks. It's definitely doable using the method I mentioned above and using, for example, RewriteEngine for Apache instances. I was just hoping for something portable in SSPR's configuration dump.

Thanks all the same!
Micro Focus Contributor

Re: Redirecting HTTP -> HTTPS

bscully;2451506 wrote:
Thanks. It's definitely doable using the method I mentioned above and using, for example, RewriteEngine for Apache instances. I was just hoping for something portable in SSPR's configuration dump.

Thanks all the same!


SSPR Appliance doesn't have an HTTP port. My recommendation would be to configure an HTTP service in an upstream proxy or network switch.
bscully Absent Member.

Re: Redirecting HTTP -> HTTPS

jrivard;2452072 wrote:
SSPR Appliance doesn't have an HTTP port. My recommendation would be to configure an HTTP service in an upstream proxy or network switch.


HTTP/TCP 80 is there, it's just blocked by default (SuSEfirewall).

I think NetIQ should come up with an elegant solution for their customers. 80->443 is a given in today's browsing. If I enter a URL in a browser's address bar without specifying a port and protocol, the default behavior is to direct me to that site's server listening on HTTP/80. Today, sites will commonly redirect you to their HTTPS sites from there, typically TCP 443.

Thanks for your time, everyone. I've reverted back to PWM until NetIQ further develops SSPR. I think they're almost there, but I want to see their appliance a little more portable and easy to upgrade, i.e., a complete config that can be downloaded and uploaded to a new appliance when necessary and not requiring CLI interaction. I'm comfortable at a command line, but I'm not sure my successor will be.

I appreciate you guys!