I recently received a request to catch all requests on HTTP and redirect the user to the exact same URL that was requested but over SSL (HTTPS) instead. You can do this using a Responder Policy.
Basically the action to redirect over SSL will be:
"HTTP/1.1 301 Moved Permanently\r\n" + "Location: https://" + HTTP.REQ.HOSTNAME + HTTP.REQ.URL.PATH + "\r\n"
Make sure to bypass the safety check, or it will give you an "Input Expression is unsafe" error. Don’t worry, this is just a warning message. The NetScaler tries to resolve URLs to make sure they respond when you write an expression. In this case we are telling it to catch any URL, and since it can’t validate something this general, it throws the expression error. Bypassing the safety check gets around this.
The responder policy that calls the action by looking for non-SSL connections should be:
!CLIENT.SSL.IS_SSL
You will notice I specified a 301 redirect in my action because I want to make sure any search engine spiders index my site URL as “https://www.mywebsite.com” and not as “http://www.mywebsite.com” for SEO purposes.
You may or may not want to bind the policy globally. I only apply responder policies to vservers that need them just to be cautious.
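A post-deployment check for this redirect, as an added example that is not part of the original post: it models the action's string concatenation in Python and compares the resulting response with the request. The function names and the sample paths are constructed (www.mywebsite.com is the post's own example host); the model assumes HTTP.REQ.URL.PATH yields the path without the query string, so the check reports a query string that is not carried over.

```python
from urllib.parse import urlsplit

def responder_redirect(host, url):
    """Model (assumption) of the action: status line + Location built from
    HTTP.REQ.HOSTNAME and HTTP.REQ.URL.PATH, i.e. the path without the query."""
    path = urlsplit(url).path
    return ("HTTP/1.1 301 Moved Permanently\r\n"
            "Location: https://" + host + path + "\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = [line for line in head.split("\r\n") if line]
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(host, url, raw):
    """Compare a redirect with the request that triggered it.
    Returns a list of findings; an empty list means same URL over HTTPS."""
    status, headers = parse_response(raw)
    location = urlsplit(headers.get("location", ""))
    requested = urlsplit(url)
    findings = []
    if status != 301:
        findings.append(f"status is {status}, expected 301")
    if location.scheme != "https":
        findings.append("Location is not an https:// URL")
    if location.netloc.lower() != host.lower():
        findings.append("Location host differs from the requested host")
    if location.path != requested.path:
        findings.append("Location path differs from the requested path")
    if location.query != requested.query:
        findings.append("query string was not carried into Location")
    return findings

if __name__ == "__main__":
    HOST = "www.mywebsite.com"  # example host from the post
    for url in ("/about", "/shop/cart?item=42"):  # constructed sample requests
        print(url, check_redirect(HOST, url, responder_redirect(HOST, url)))
```

The same `check_redirect` function can be pointed at a response captured from the vserver after the policy is bound, to confirm the 301 and the Location header match what was requested.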
Jason Samuel is a visionary product leader and trusted advisor with a proven track record of shaping strategy and driving technology innovation. With extensive expertise in enterprise end-user computing, security, cloud, automation, and virtualization technologies, Jason has become a globally recognized authority in the IT industry. His career spans consulting for hundreds of Fortune 500 enterprises across diverse business sectors worldwide, delivering cutting-edge digital solutions from Citrix, Microsoft, VMware, Amazon, Google, and NVIDIA that seamlessly balance security with exceptional user experiences.
Jason’s leadership is amplified by his dedication to knowledge-sharing as an author, speaker, podcaster, and mentor within the global IT and technology community. Recognized with numerous prestigious awards, Jason’s contributions underscore his commitment to advancing technology and empowering organizations to achieve transformative results.
Jonathan Polansky
December 8, 2011 at 6:03 PM
Thanks for the post Jason! And what’s the NetScaler command to bypass the safety checks, you may be asking? 30 mins of Google searching yields:
http://support.citrix.com/proddocs/topic/netscaler-rewrite-93/ns-rw-bypass-sfty-chk-tsk.html
> set rewrite action insertact -bypassSafetyCheck YES
Done
> show rewrite action insertact
Name: insertact
Operation: insert_http_header Target:Client-IP
Value:CLIENT.IP.SRC
BypassSafetyCheck : YES
Hits: 0
Undef Hits: 0
Action Reference Count: 2
Done
Jochen
January 9, 2012 at 8:43 AM
Nice Post, many thanks. But how to bind the responder to the Access Gateway VServer?
Jochen
January 9, 2012 at 9:22 AM
@Jochen
Got it! Just add a Content Switching VServer to the same Access Gateway VServer IP but w/ Port 80 and bind the responder policy to the CS VServer. That’s it!
Scott Barnwell (http://uk.linkedin.com/in/scottbarnwell)
February 6, 2012 at 5:35 AM
Another good post. If anyone is looking for more information on binding the responder globally or to a VServer, here is the Citrix eDoc:
http://support.citrix.com/proddocs/topic/netscaler-responder-93/ns-resp-binding-resppoli-tsk.html