Forum Discussion
Jan_V_48538
Nimbostratus
Sep 28, 2009
how to set https header?
In our production environment, the client uses ssl for the authorize_new request. Because we are handling ssl on the load balancer, the application does not know that the protocol is https instead of http, so the OAuth signature is not generated correctly.
Does anyone know how we would configure the load balancer to set a header for https requests? Rails expects one of the following headers to be set:
HTTPS: on
HTTP_X_FORWARDED_PROTO: https
Thanks.
Jan
8 Replies
- The_Bhattman
Nimbostratus
Hi Jan,
Since you are terminating SSL on the load balancer you can then use the following in your irule
You can create something like the following example:
when HTTP_REQUEST {
    # Insert the headers only if neither already carries the expected value
    if { !([HTTP::header "HTTP_X_FORWARDED_PROTO"] equals "https") and !([HTTP::header "HTTPS"] equals "on") } {
        HTTP::header insert "HTTP_X_FORWARDED_PROTO" "https"
        HTTP::header insert "HTTPS" "on"
    }
}
I hope this helps
CB
- hoolio
Cirrostratus
Also, if you want to do this in the HTTP profile, you could configure the header to erase as one of the header names (HTTPS or HTTP_X_FORWARDED_PROTO) and the same header name in the header to insert field as the header name and value ('HTTPS: on' or 'HTTP_X_FORWARDED_PROTO: https').
Aaron
- Peter_Milanese_
Nimbostratus
Posted By hoolio on 09/28/2009 1:55 PM
Also, if you want to do this in the HTTP profile, you could configure the header to erase as one of the header names (HTTPS or HTTP_X_FORWARDED_PROTO) and the same header name in the header to insert field as the header name and value ('HTTPS: on' or 'HTTP_X_FORWARDED_PROTO: https').
Aaron
How do you delimit the Headers in the erase/insert fields if you want to place both?
- hoolio
Cirrostratus
Hi Peter,
I think you can only remove or insert one header using the HTTP profile. You can use an iRule to handle more than one header insert or removal:
http://devcentral.f5.com/wiki/default.aspx/iRules/http__header
HTTP::header insert ["lws"] [ ]+
when HTTP_REQUEST {
    # Insert multiple headers in one command
    HTTP::header insert header_1 value_1 header_2 value_2
    # Insert a third header in a separate command
    HTTP::header insert header_3 value_3
    # Remove all headers with this name (only supports one header name per invocation)
    HTTP::header remove header_1
}
Aaron
- Peter_Milanese_
Nimbostratus
Thanks much Aaron, that got me a lot closer.
I'm uncertain why, but when I dump the headers, both prepend "HTTP_" to the variables (as dumped within phpinfo())
i.e.
when HTTP_REQUEST {
HTTP::header insert "HTTPS" "on"
HTTP::header insert "HTTP_X_FORWARDED_PROTO" "https"
}
gets-
HTTP_HTTPS on
HTTP_HTTP_X_FORWARDED_PROTO https
Kind of strange, no?
- Peter_Milanese_
Nimbostratus
We worked around this on the backend, thanks for the help Aaron!
- hoolio
Cirrostratus
The HTTP_ prefix is generated by your web server as part of the CGI spec:
http://www.ietf.org/rfc/rfc3875
4.1.18. Protocol-Specific Meta-Variables
The server SHOULD set meta-variables specific to the protocol and
scheme for the request. Interpretation of protocol-specific
variables depends on the protocol version in SERVER_PROTOCOL. The
server MAY set a meta-variable with the name of the scheme to a
non-NULL value if the scheme is not the same as the protocol. The
presence of such a variable indicates to a script which scheme is
used by the request.
Meta-variables with names beginning with "HTTP_" contain values read
from the client request header fields, if the protocol used is HTTP.
The HTTP header field name is converted to upper case, has all
occurrences of "-" replaced with "_" and has "HTTP_" prepended to
give the meta-variable name. The header data can be presented as
sent by the client, or can be rewritten in ways which do not change
its semantics. If multiple header fields with the same field-name
are received then the server MUST rewrite them as a single value
having the same semantics. Similarly, a header field that spans
multiple lines MUST be merged onto a single line. The server MUST,
if necessary, change the representation of the data (for example, the
character set) to be appropriate for a CGI meta-variable.
The server is not required to create meta-variables for all the
header fields that it receives. In particular, it SHOULD remove any
header fields carrying authentication information, such as
'Authorization'; or that are available to the script in other
variables, such as 'Content-Length' and 'Content-Type'. The server
MAY remove header fields that relate solely to client-side
communication issues, such as 'Connection'.
Aaron
- goyogi
Nimbostratus
Hey Peter, what did you do on the backend as your work around?
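As an added example (not code from any poster in this thread), the RFC 3875 rule quoted above can be reproduced in Ruby to show why a header inserted as HTTP_X_FORWARDED_PROTO reaches the backend as HTTP_HTTP_X_FORWARDED_PROTO, while the wire name X-Forwarded-Proto is what yields HTTP_X_FORWARDED_PROTO. The helper names, the sample header lists, the comma join for repeated fields and the exact-match check are assumptions made for illustration.

```ruby
# Added example: RFC 3875 section 4.1.18 header-to-meta-variable mapping.

# Convert an HTTP header field name to its CGI meta-variable name:
# upper-case it, replace "-" with "_", and prepend "HTTP_".
def cgi_meta_name(field_name)
  "HTTP_" + field_name.upcase.tr("-", "_")
end

# Build the meta-variables a CGI-style backend would see from a list of
# [name, value] header pairs. Repeated fields are merged into a single
# value; they are joined with ", " here (assumption: the usual HTTP list form).
def cgi_env(headers)
  headers.each_with_object({}) do |(name, value), env|
    key = cgi_meta_name(name)
    env[key] = env.key?(key) ? "#{env[key]}, #{value}" : value
  end
end

# Hypothetical backend check built on the two variables named in the
# original question. It requires an exact match, so a merged value such
# as "http, https" is not accepted as proof that the client used TLS.
def https_request?(env)
  env["HTTPS"] == "on" || env["HTTP_X_FORWARDED_PROTO"] == "https"
end

# Constructed sample inputs.
# Header names exactly as inserted by the iRules in this thread.
THREAD_HEADERS = [["HTTPS", "on"], ["HTTP_X_FORWARDED_PROTO", "https"]]
# The wire-level header name that maps to HTTP_X_FORWARDED_PROTO.
WIRE_HEADERS = [["X-Forwarded-Proto", "https"]]
# A client-supplied copy that the load balancer did not remove first.
UNSTRIPPED = [["X-Forwarded-Proto", "http"], ["X-Forwarded-Proto", "https"]]

if __FILE__ == $PROGRAM_NAME
  [THREAD_HEADERS, WIRE_HEADERS, UNSTRIPPED].each do |headers|
    env = cgi_env(headers)
    puts "#{env.inspect} => https? #{https_request?(env)}"
  end
end
```

The third case shows why the load balancer should remove any client-supplied copy of the header before inserting its own value.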
