2

In our production environment the SSL is offloaded to the load balancer. This was done to reduce the CPU load on the servers.

For the most part this is perfectly fine; however, we now need the servers to be aware of whether they are serving pages over SSL or not.

What is a good way of doing this, but keeping the SSL offload in place?

Rob White

1 Answer

3

You could add a header sent to the backend server containing the scheme.

For example, using NGINX I'd send a header to the backend proxy server with the $scheme variable:

proxy_set_header Scheme $scheme;

Then in your backend application you could get the header:

// Pseudocode: read the header set by the proxy and branch on its value
if (this.request.getheader('Scheme') === 'http') {
    this.response.send('HTTP!')
} else if (this.request.getheader('Scheme') === 'https') {
    this.response.send('HTTPS!')
}

What load balancer are you using? I'm sure there will be a way to do something similar in most software, I just happen to know NGINX best.

  • I think it's a Cisco IronPort. – Rob White Nov 24 '11 at 09:47
  • @ilivewithian Unfortunately without a modification on the load balancer it's unlikely you'll get to see this, unless it's already being sent. If it doesn't support something similar to `$scheme`, every lb *should* support some method of original URL passthrough, then you can parse the scheme out yourself. –  Nov 24 '11 at 09:50
  • @ilivewithian Slight hack round, for requests that send a `Referer` header you might be able to parse it from there, providing the lb doesn't strip it out. This is unreliable, since direct hits won't send referer, some browsers might not send this and various other cases where the referer won't be sent to the server. –  Nov 24 '11 at 09:52
  • 1
    Most loadbalancers let you insert the port or protocol as a header. It may not be called scheme but I would be surprised if the functionality was missing. – JamesRyan Nov 24 '11 at 10:17
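
Because any client can send a `Scheme` header of its own, a backend should believe it only when the request actually arrived from the load balancer. The sketch below is an added example, not code from the answer above; `TRUSTED_PROXIES`, `effectiveScheme` and the sample addresses are hypothetical, and the request shape mirrors Node's `http.IncomingMessage`.

```javascript
// Added example. Assumptions: the proxy sets the "Scheme" header shown in the
// answer, and TRUSTED_PROXIES holds the balancer's backend-facing addresses
// (constructed sample values).
const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']);
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeAddress(addr) {
  return typeof addr === 'string' ? addr.replace(/^::ffff:/i, '') : '';
}

// Returns the scheme the client used. `req` needs only headers (lower-cased
// names, as Node provides them) and socket.
function effectiveScheme(req, trustedProxies = TRUSTED_PROXIES) {
  // What this server saw itself: TLS sockets have encrypted === true.
  const direct = req.socket.encrypted ? 'https' : 'http';
  const peer = normalizeAddress(req.socket.remoteAddress);

  // Header from an unknown peer is attacker-controlled input: ignore it.
  if (!trustedProxies.has(peer)) return direct;

  const raw = req.headers['scheme'];
  // Missing header, or duplicates joined as "https, http": do not guess.
  if (typeof raw !== 'string') return direct;
  const value = raw.trim().toLowerCase();
  return ALLOWED_SCHEMES.has(value) ? value : direct;
}

// Constructed sample requests for the cases worth checking.
function sampleRequest(remoteAddress, headers, encrypted = false) {
  return { headers, socket: { remoteAddress, encrypted } };
}

function demo() {
  return [
    effectiveScheme(sampleRequest('10.0.0.5', { scheme: 'https' })),       // via balancer
    effectiveScheme(sampleRequest('::ffff:10.0.0.6', { scheme: 'HTTP' })), // mapped IPv4
    effectiveScheme(sampleRequest('203.0.113.9', { scheme: 'https' })),    // spoofed direct hit
    effectiveScheme(sampleRequest('10.0.0.5', { scheme: 'https, http' })), // duplicated header
    effectiveScheme(sampleRequest('10.0.0.5', {})),                        // header missing
  ];
}
```

The check relies on the load balancer overwriting any `Scheme` header the client supplied, which NGINX's `proxy_set_header` does.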