Reverse Web Proxy

Computing Facilities operates a reverse web proxy service which offers several features:

  • High availability with automatic fail-over (this also requires your origin web server to be suitably configured)
  • Provides public web access to servers that are otherwise inaccessible from the public Internet
  • HTTPS (TLS) termination services

The HTTPS service uses a SoC *.comp.nus.edu.sg wildcard certificate, and it will work when proxying any SoC website in the comp.nus.edu.sg domain.

The reverse proxy service comprises a pair of NetScaler load balancers.

HTTPS Web Redirection

Websites use HTTPS (TLS) for better security. Although website owners publish the secure HTTPS URL, the plaintext HTTP URL is often still made available for easier accessibility, in case users do not type the https:// part of the URL. For better security, however, website owners may wish to automatically redirect HTTP connections to HTTPS.

In a reverse proxy setup, the HTTPS connection is terminated at the load balancer and forwarded as plaintext HTTP to the origin web server. If the origin web server blindly performs a redirect from HTTP to HTTPS, the user's browser will go into a loop: while the browser speaks HTTPS with the reverse proxy, the origin web server only ever sees HTTP.

The correct solution is for the web server to determine the actual protocol used in the original browser connection. The reverse proxy provides this information through the X-Forwarded-Protocol HTTP header. The header is present with the value https if the original browser connection is HTTPS; otherwise the header is absent.

This is an example Apache .htaccess to perform the appropriate redirection:

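# Redirect to HTTPS unless the reverse proxy reports that the browser connection was already HTTPS
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Protocol} !=https
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]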
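
The following simulation is an added example, not part of the original page or the service's own code. It models the exchange described above (browser, TLS-terminating proxy, origin) to show why a blind redirect loops and why the header check converges after one redirect. The host name, function names and hop limit are assumptions made for illustration.

```python
"""Model of HTTP->HTTPS redirection behind a TLS-terminating reverse proxy."""

HOST = "www.example.test"  # constructed host name, not a real site
MAX_HOPS = 10              # assumed stand-in for a browser's redirect limit


def proxy(url):
    """Terminate TLS and forward plaintext HTTP to the origin.

    X-Forwarded-Protocol: https is set only when the browser connection
    was HTTPS; for plain HTTP the header is absent, as the page describes.
    """
    scheme, rest = url.split("://", 1)
    path = "/" + rest.partition("/")[2]
    headers = {"Host": HOST}
    if scheme == "https":
        headers["X-Forwarded-Protocol"] = "https"
    return path, headers


def origin_blind(path, headers):
    """Origin that redirects whenever its own connection is HTTP.

    Behind the proxy that is every request, so it always redirects.
    """
    return 302, f"https://{HOST}{path}"


def origin_header_aware(path, headers):
    """Origin that mirrors the .htaccess rule: redirect unless header == https."""
    if headers.get("X-Forwarded-Protocol") != "https":
        return 302, f"https://{HOST}{path}"
    return 200, None


def browse(start_url, origin):
    """Follow redirects like a browser; return (status, redirects followed)."""
    url = start_url
    for hops in range(MAX_HOPS + 1):
        status, location = origin(*proxy(url))
        if status == 200:
            return status, hops
        url = location
    return "loop", MAX_HOPS  # gave up: redirect loop


if __name__ == "__main__":
    for origin in (origin_blind, origin_header_aware):
        for scheme in ("http", "https"):
            print(origin.__name__, scheme, browse(f"{scheme}://{HOST}/index.html", origin))
```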

 

© Copyright 2001-2012 National University of Singapore. All Rights Reserved.
