Author Topic: NS9.0: Content Switching and URL redirect  (Read 2143 times)

Offline asherlm

  • Contributor
  • *
  • Posts: 7
  • Karma: 4
NS9.0: Content Switching and URL redirect
« on: May 15, 2009, 01:31:43 PM »
In NS8.0, I used a responder policy bound to a CS vserver to handle http to https redirects. In 9.0 this particular method does not work as it requires me to have some additional configuration on the CS vserver.

The primary reason I used the responder bound to the CS vserver is so that I would not see a ton of "down" LB vservers that I have defined strictly to redirect http requests to the proper https site. I went back to creating a LB http vserver with no service and let the redirect URL be the https site.

Is there a way to make the responder policy work to force a redirect when using a vserver or do I have to bind the same services used on the SSL vservers and just force the responder policy on the LB vserver?

Thanks!

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: NS9.0: Content Switching and URL redirect
« Reply #1 on: May 18, 2009, 03:27:28 AM »
Can you explain why this doesn't work in 9.0, or the additional configuration changes you have to make? I ask because I have the same setup as you but I'm running 8.1. We are looking at 9.0 but this would be a major issue.

Offline asherlm

  • Contributor
  • *
  • Posts: 7
  • Karma: 4
Re: NS9.0: Content Switching and URL redirect
« Reply #2 on: May 18, 2009, 10:55:04 AM »
The generic explanation from my account SE is below:

The CSW policies are now processed first as part of the changes to do the application templates so all the policy types operate consistently. This means if a lb server is selected, then no policies are evaluated.

So my understanding of what he has stated is that the CSW requires a backend service to be available in order for the responder rules to be processed. I haven't gone too much further into what he said since I just created my down HTTP LB vserver (no services bound) and have the redirect URL send it to the SSL site.

While that works fine, my problem with it is that now I have a bunch of services that show nice red marks as if there is a problem with the services.

I've created some HTTP LB vservers and used the same back-end services as its SSL counterpart and applied the responder policy to it. That seems to work quite nicely. My concern was having legitimate services applied to the HTTP vserver and potentially having the ability (if someone screwed up the configuration or via a bug) to have connections coming into the site via http and not https.


Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: NS9.0: Content Switching and URL redirect
« Reply #3 on: May 18, 2009, 10:57:56 AM »
I agree with you completely. Having a service always show as down is not a good solution, especially if you try to monitor SNMP traps from the netscaler as it always sees those sites as down and will generate alerts.

The other problem, like you said, is if for some reason a policy gets removed, you now have an unencrypted SSL session.

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: NS9.0: Content Switching and URL redirect
« Reply #4 on: May 18, 2009, 11:22:08 AM »
Wouldn't you know it that as soon as I post a response I think of an idea that *might* work. What if you just created a generic LB VServer bound to nothing with no IP / port and pointed all your CS Servers to it. That way even if you did make a policy mistake there is nothing for the client to connect to.

Might work?

Offline asherlm

  • Contributor
  • *
  • Posts: 7
  • Karma: 4
Re: NS9.0: Content Switching and URL redirect
« Reply #5 on: May 18, 2009, 12:55:53 PM »
I believe I tried that the other day while testing some other options. I'm not a netscaler guru, so I might have been approaching it incorrectly, but I was unable to make it work. That's not to say that it doesn't work, but I will probably go back and try some more testing on those lines sometime this week.

Offline Marco Schirrmeister

  • Hero Member
  • *****
  • Posts: 101
  • Karma: 14
Re: NS9.0: Content Switching and URL redirect
« Reply #6 on: June 02, 2009, 07:00:57 AM »
asherlm,

I think if you create a policy that is always true, for example, then you don't need to worry that some requests come in through http, because the policy is always triggered.
If you use TRUE in the expression for a responder policy, you probably have to create your own vserver for each site where you bind that policy.

To avoid the config issues that you also mentioned, I would recommend you create one or multiple dummy vservers with a dummy service.
Nobody needs to touch that dummy vserver, so the risk of losing some configs should be lower.

ZManGT,
you mentioned creating a generic vserver with no IP/Port. What do you mean by that?
As far as I know you need to specify an IP address when you create a vserver.

I don't know the behavior in version 8.1. But since version 9.0 you can no longer create a vserver or service with the IP 0.0.0.0. They removed that.
If you try that, you now get the following error.
fkcns4> add lb vserver testtest http 0.0.0.0 80
ERROR: Operation not permitted

I noticed this when 9.0 was released and when I tried to convert the configs from all my devices.
After that I changed all my dummy vservers to the valid IP, like the SSL vserver, but with a dummy service that is always UP (a stupid IP with a monitor that pings localhost).


Marco

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: NS9.0: Content Switching and URL redirect
« Reply #7 on: June 02, 2009, 07:27:13 AM »
Wow that's another reason not to upgrade to 9.0 for me.

Currently we have many services in the 8.1 code that have no IP or port listed. You just set the option directlyaccessible to no. It sounds like if I upgrade to this system A LOT of our stuff will break. Not a good move by Citrix.

Offline asherlm

  • Contributor
  • *
  • Posts: 7
  • Karma: 4
Re: NS9.0: Content Switching and URL redirect
« Reply #8 on: June 02, 2009, 07:53:00 AM »
mschirrmeister - Thanks for the input. I was close to getting that working, but I couldn't think of an easy way to keep a fake service up. Pinging the localhost never even came to mind. Doh!

Here's something similar to what I ended up using on our device.
(Edited to put in the missing cs policy 'testing')

Code:
! Create http to https redirect for any request coming in on port 80.
!
add responder action RedirectHttpToHttps redirect "\"https://\" + http.REQ.HEADER(\"Host\").HTTP_URL_SAFE" -bypassSafetyCheck NO
add responder policy RedirectHttpToHttps "client.tcp.DSTPORT.EQ(80)" RedirectHttpToHttps RESET
!
! Bind as a policy label to use with more than one vserver
!
add responder policylabel "http-to-https-redirects"
bind responder policylabel "http-to-https-redirects" RedirectHttpToHttps 100 END
!
! Create "dummy" vservers and monitor that lead to nowhere.
!
add service dummyservice1 192.0.2.1 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED "X-Forwarded-For" -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA YES -TCPB NO -CMP YES
add lb vserver dummyvserver1 HTTP 192.168.0.1 80 -persistenceType NONE -cltTimeout 180
bind lb vserver dummyvserver1 dummyservice1
add lb monitor dummymonitor1 PING -LRTM ENABLED -destIP 127.0.0.1
bind lb monitor dummymonitor1 dummyservice1
!
! Create CS vserver and add Policy Label AND dummy vserver
!
add cs vserver "dummy-redirect" HTTP 10.1.1.1 80 -cltTimeout 180
add cs policy "testing" -rule http.REQ.IS_VALID
bind cs vserver "dummy-redirect" -policyName "NOPOLICY-RESPONDER" -priority 110 -gotoPriorityExpression END -invoke policylabel "http-to-https-redirects"
bind cs vserver "dummy-redirect" dummyvserver1 -policyName testing -priority 100
« Last Edit: June 09, 2009, 02:21:49 PM by asherlm »
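As an added example (not from the thread or from Citrix), a small Python checker that exercises the concern raised above: it parses a raw HTTP response from the port-80 vserver and passes only if it is a redirect to https:// on the same Host, so application content served over plain http (for example after the responder policy is unbound) is flagged. The sample responses are constructed; `probe()` is a hypothetical helper for running the same check against a live VIP.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def redirect_ok(status: int, headers: dict, host: str) -> bool:
    """True only for a redirect whose Location is https:// on the same host.

    The responder action in the thread builds "https://" + Host header,
    so anything else (a 200 with content, or a redirect back to http://)
    means plain-http traffic is reaching the site and should raise an alert.
    """
    if status not in REDIRECT_CODES:
        return False
    target = urlsplit(headers.get("location", ""))
    return target.scheme == "https" and target.netloc.lower() == host.lower()

def check_raw_response(raw: bytes, host: str) -> bool:
    status, headers, _ = parse_response(raw)
    return redirect_ok(status, headers, host)

def probe(host: str, vip: str, path: str = "/", timeout: float = 5.0) -> bool:
    """Hypothetical live check: GET the HTTP VIP with the given Host and validate the reply."""
    conn = http.client.HTTPConnection(vip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return redirect_ok(resp.status, headers, host)
    finally:
        conn.close()

# Constructed sample responses (not captured from a real NetScaler).
GOOD = b"HTTP/1.1 302 Object Moved\r\nLocation: https://www.example.com\r\nContent-Length: 0\r\n\r\n"
LEAK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>"
WRONG_SCHEME = b"HTTP/1.1 302 Object Moved\r\nLocation: http://www.example.com\r\n\r\n"
```

Running `probe("www.example.com", "10.1.1.1")` from a monitoring host and alerting on a False result catches both failure modes discussed in the thread: content served on port 80 and a redirect that does not land on https.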

Offline Marco Schirrmeister

  • Hero Member
  • *****
  • Posts: 101
  • Karma: 14
Re: NS9.0: Content Switching and URL redirect
« Reply #9 on: June 02, 2009, 08:33:15 AM »
ZManGT,

I have a small correction. In my example you get this error, but this was because I specified the port.
It works if you do it the way you described: no IP and no port.

fkcns4> add lb vserver testtest http 0.0.0.0 0
 Done

Here is what is removed in 9.0. You can't add a server with 0.0.0.0 anymore.
fkcns4> add server dummyserver 0.0.0.0
ERROR: Invalid domain name syntax

Here is the answer from Citrix support to my question about a server with the IP 0.0.0.0

--------------
The ability to add a server record on the Netscaler with the IP of 0.0.0.0 has been removed. However, this does not impact any configuration within an upgrade. In the earlier versions of Netscaler, a Content Switching virtual server bound to a load balancing virtual server required the load balancing virtual server to have a service bound to it. That is the reason why some of our documentation instructs customers to create a dummy server/service/vserver to address this. Also note that pre version 8.0 we did not have the Responder module, which was another reason to have this configuration.

But as you can see, this is no longer required since the Content Switching virtual server can now on version 9.0 accept a target load balancing virtual server that does not have a service bound to it.
--------------