SecuritySwitch on Load balanced sites with non-standard ports


Rajasekhar Nemani

Apr 17, 2012, 9:52:49 PM
to securit...@googlegroups.com
Hello,

I am new to this group and posting a question for the first time. I have a need to secure certain pages on my site using SSL and I found SecuritySwitch. It works great and I think I was able to make it work on my local development laptop, but my upstream environments are load balanced. Here is how those environments are set up:

 

Site on two web servers behind a load-balanced VIP. Users hit the VIP and the balancer directs the traffic to member web servers.

The website on each member web server running IIS 7 has SSL installed and the “Requires SSL” checkbox is turned off.

HTTP traffic to the website is bound to port 8106 and HTTPS is bound to 443. The VIP directs the traffic to 443 or 8106 appropriately.

Is it possible to use SecuritySwitch for this situation? I am mostly confused about how to configure baseSecureUri and baseInsecureUri. Do I need to set these to something like

Member server 1 web.config configuration:

----------------------------------------

baseSecureUri = https://memberserver1

baseInsecureUri = http://memberserver1:8106

 

and similarly for Member server 2.

Is there a way for me not to have to specify these URIs, or is this not possible because I have a non-standard port for HTTP traffic?

Did anybody use SecuritySwitch successfully in a similar setup?

Any help is appreciated.

Thanks

Raj

Matt S.

Apr 19, 2012, 9:17:33 PM
to Security Switch
Hi Raj,

You would need to specify both baseSecureUri and baseInsecureUri,
similar to what you showed in your post. However, note that those URIs
should be the ones used by the public. In other words, set them to the
public site domain on all member servers. Do not make them different
on each member server. The URIs are what is sent back to the
requesting browser with a redirect request, so they cannot be private
host names.

Here are example configurations for 3 of your member servers.

Member Server 1:
<securitySwitch ... baseSecureUri="https://www.yourpublicsite.com"
baseInsecureUri="http://www.yourpublicsite.com:8106">
...

Member Server 2:
<securitySwitch ... baseSecureUri="https://www.yourpublicsite.com"
baseInsecureUri="http://www.yourpublicsite.com:8106">
...

Member Server 3:
<securitySwitch ... baseSecureUri="https://www.yourpublicsite.com"
baseInsecureUri="http://www.yourpublicsite.com:8106">
...


Notice how all member servers set those attributes to the exact same
values. The module really only needs the non-standard URI (the
insecure/http one); however, it requires both have values if either of
them does for completeness.

Does this answer your question?


-Matt
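
A consistency check for the configuration described in the reply above, added here as an example (it is not part of the thread and not SecuritySwitch code). The web.config fragments and server labels are constructed samples, and the "public host" test is a heuristic assumption: single-label names and non-global IP addresses are treated as private.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample fragments; "member1"/"member2" are made-up labels.
SAMPLE_CONFIGS = {
    "member1": '<configuration><securitySwitch '
               'baseSecureUri="https://www.yourpublicsite.com" '
               'baseInsecureUri="http://www.yourpublicsite.com:8106" /></configuration>',
    "member2": '<configuration><securitySwitch '
               'baseSecureUri="https://memberserver2" '
               'baseInsecureUri="http://memberserver2:8106" /></configuration>',
}

def looks_private(host):
    """Heuristic (assumption): single-label names and non-global IPs are private."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host

def read_base_uris(xml_text):
    """Return (baseSecureUri, baseInsecureUri) from a web.config string."""
    node = next(ET.fromstring(xml_text).iter("securitySwitch"), None)
    if node is None:
        return (None, None)
    return (node.get("baseSecureUri"), node.get("baseInsecureUri"))

def lint(configs):
    """Return (server, message) findings for a {server: web.config text} map."""
    findings, seen = [], set()
    for server, xml_text in sorted(configs.items()):
        secure, insecure = read_base_uris(xml_text)
        seen.add((secure, insecure))
        if bool(secure) != bool(insecure):
            findings.append((server, "only one base URI is set"))
        for attr, value, scheme in (("baseSecureUri", secure, "https"),
                                    ("baseInsecureUri", insecure, "http")):
            if not value:
                continue
            parts = urlsplit(value)
            if parts.scheme != scheme:
                findings.append((server, f"{attr} should use {scheme}://"))
            if looks_private(parts.hostname or ""):
                findings.append((server, f"{attr} host is not a public name"))
    if len(seen) > 1:  # every member server must carry identical values
        findings.append(("*", "base URIs differ between member servers"))
    return findings

if __name__ == "__main__":
    for server, message in lint(SAMPLE_CONFIGS):
        print(f"{server}: {message}")
```
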

Rajasekhar Nemani

Apr 19, 2012, 10:33:22 PM
to securit...@googlegroups.com
Hi Matt,
Thank you so much for your reply and help. I can give this a try. I will post my results. My guess is that my load balancer is configured to redirect the requests made on the public DNS name (with a VIP) to member servers using the member server name and a specific port (ex: http://myserver1:8106). If this is true then http://mypublicsite.com:8106 may not resolve to anything.

Again, I appreciate your help. I will let you know my results.

Thanks
Raj

Matt S.

Apr 20, 2012, 11:04:23 AM
to Security Switch
Raj,

If that's the case, I'm guessing the public port for HTTP is the
standard 80. If so, you don't need to add the port to the module's
configuration; just set it to "http://mypublicsite.com".

Good luck!


-Matt