apache netscaler does not allow HTTP redirect

how to handle relative links initiated by application?

         

Joanna11

10:15 am on Jul 23, 2008 (gmt 0)

10+ Year Member



Hello, if anyone can help I would much appreciate it.

Our infrastructure works like the following:

-->apache sends http requests to Netscaler (relative context in application)
-->Netscaler does not translate (encapsulate) this to https, because this "request" comes directly from the application
-->and HTTPS communication itself is between end user and netscaler only.

Because of it, the end user receives a security alert in IE 6.0.

I wonder if there is any existing solution on apache level for how to handle relative links initiated by the application?

Joanna

gergoe

10:50 am on Jul 30, 2008 (gmt 0)

10+ Year Member



Wish I could say I understand your explanation, but I don't.

apache sends http requests to Netscaler
Do you mean that Apache forwards requests to Netscaler through mod_proxy? Or do you only mean that there's a link on a webpage which points to Netscaler?

Netscaler does not translate (encapsulate) this to https
Whether a response arrives in http or https only depends on the request: if the request was coming through https, then the response will be https too, and vice versa.

HTTPS communication itself is between end user and netscaler only
So browsers directly communicate with Netscaler (read [example.com...]) and there https is always used?

Because of it, the end user receives a security alert in IE 6.0
You'll get security warnings in two cases:
  • The certificate is not valid: either because it is not signed by a trusted root, or because it has expired, or, last but not least, because the certificate was issued to a different CN. For example, if you have a certificate for www.example.com, then using only example.com or anything.example.com will result in a security warning (in all browsers).
  • The certificate is valid, but IE is in "secure mode" and the html page contains external resources which are not SSL secured. Suppose you have a certificate for www.example.com and on the index.html page you have any of the following:
    <img src="http://www.example.com/spacer.gif" />
    <script type="text/javascript" src="http://www.example.com/dummy.js"></script>
    ...

Hope this helps, but if not, please try to explain the problem once again; if you would tell about those three points in more detail, that might help already.

Joanna11

11:48 am on Jul 30, 2008 (gmt 0)

10+ Year Member



Hi, thank you for the answer.

In short, Apache cannot rewrite this redirection (which is set by the application: "redirect rules that have been put into JSF configuration") because it doesn't know anything about future protocol handshaking by NetScaler. The developer proposed to give up redirection for dynamic pages to avoid situations like this, but this is an unacceptable solution. The URL link where the user will be redirected after successful payment is given by the application itself. If the application doesn't know that the user is communicating over HTTPS, it gives an HTTP URL to the payment portal (security alert appears). The developer insists that we can solve this problem on apache level using the right redirections (?); we are at quite a dead end now.

Developer configuration: Browser <HTTPS> Apache <HTTP> WebSphere works fine.

Our infra with NetScalers is a bit different and the developer did not care about it while programming the application.

I hope this is more clear :)

gergoe

11:39 am on Jul 31, 2008 (gmt 0)

10+ Year Member



Unfortunately, not. It might be my mistake, as I'm really not into WebSphere nor JSF, and even NetScaler I did not know it existed until now (and it looks interesting ;-)...

To try to understand your problem:

  1. You have an application made in WebSphere, and that's served by an Apache frontend (so requests from visitors go to Apache and that forwards them to WebSphere)? Or do you use the Apache included in WebSphere?
  2. Visitors do not directly connect to Apache, but to the NetScaler box, which encapsulates everything into https (but it only does that if the request was initiated through https!)?
  3. And your problem is that somewhere a redirection is issued to the browser, and that redirection is for a plain-text http resource, and you cannot make the redirection point to the SSL secured https counterpart?

chadt

5:49 pm on Nov 19, 2008 (gmt 0)

10+ Year Member



Hey Joanna11, the Netscaler can rewrite relative links in response data. You need to be running netscaler 8.x or higher. 9.0 is the current GA which does full body/header rewriting inbound and outbound. It also does URL transformations which is pretty cool (proxypass style). You can get your redirects rewritten with the policy below.

add rewrite action httpRewriteAction replace_all http.res.body(50000) "\"https://\"" -pattern http://

add rewrite policy http-https-res "http.res.body(50000).contains(\"http://\")" httpRewriteAction

This particular policy will look into the first 50k of the apache response (you can tune this amount) and it changes all occurrences of http to https.

jdMorgan

6:21 pm on Nov 19, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi chadt,

Thanks for your response, and welcome to WebmasterWorld!

Can the policies you posted be modified to detect relative links?

Can regular-expressions be used in these policies to detect variations of relative-linking formats and call the appropriate actions to modify them? (I am assuming that the argument to the Netscaler policy directive's "contains" function is a string literal to be matched in the response content-body, but that in the case described here, the content body won't include "http://" because the links in it are relative -- That is, the described links will be in formats such as <a href="path">, <img src="../path">, or <link rel="{object}" href="./path">.)

I'm hoping that Joanna11 comes back here to find your response, but in the meantime, it might be useful to address these questions.

Thanks!
Jim
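
Added example, not part of any post above and not NetScaler or Apache code: a Python model of the response rewrite discussed in this thread, useful for checking what such a rule would and would not change before deploying it. It goes a little beyond the posted policy by also handling the Location header and by upgrading only URLs on the site's own host; relative links are left alone because the browser resolves them against the scheme of the page that contains them. The host name, the function names and the sample response are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumption: host served over HTTPS by the load balancer
SCAN_LIMIT = 50000             # same window as http.res.body(50000) in the posted policy
URL_ATTR = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample response, as an application unaware of the HTTPS front end might emit it.
SAMPLE_HEADERS = {"Location": "http://www.example.com/payment/done"}
SAMPLE_BODY = (
    '<a href="path">a</a><img src="../img/spacer.gif">'
    '<script src="http://www.example.com/dummy.js"></script>'
    '<a href="http://partner.example.net/info">partner</a>'
)

def upgrade(url, host=SITE_HOST):
    """Switch http:// to https:// only for URLs on our own host with no explicit port."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname == host and parts.port is None:
        return parts._replace(scheme="https").geturl()
    return url

def rewrite_response(headers, body, host=SITE_HOST, limit=SCAN_LIMIT):
    """Upgrade the Location header and own-host URLs in the first `limit` chars of body."""
    headers = dict(headers)
    if "Location" in headers:
        headers["Location"] = upgrade(headers["Location"], host)
    fix = lambda m: m.group(0).replace(m.group(1), upgrade(m.group(1), host))
    return headers, URL_ATTR.sub(fix, body[:limit]) + body[limit:]

def audit(body):
    """Group href/src/action values into relative, https and plain-http references."""
    report = {"relative": [], "https": [], "http": []}
    for url in URL_ATTR.findall(body):
        key = urlsplit(url).scheme or "relative"
        if key in report:
            report[key].append(url)
    return report

if __name__ == "__main__":
    new_headers, new_body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(new_headers["Location"])
    for kind, urls in audit(new_body).items():
        print(kind, urls)
```

Anything `audit` still lists under `http` after the rewrite is a reference the browser would fetch without TLS, including own-host URLs that sit past the scan window.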