0

I have Apache installed on my server and I need to redirect from http to https. The reason for this is our load balancer solution cannot hand https so requests come in on http and then we transfer them to https using the below lines in the httpd.conf file.

<VirtualHost 10.1.2.91:80>
     Redirect 302 /GladQE/link https://glad-test.com/GladQE/link.do
</VirtualHost>

This works fine for GET requests but POST requests will loose the parameters passed on the URL. What would be the easiest way to perform this redirect and maintain POST params?

I need to get from http://glad-test.com/GladQE/link.do to here https://glad-test.com/GladQE/link.do maintaining POST params

Thanks

Tom

shawsy
  • 131
  • 1
  • 1
  • 6
  • 2
    Your requests go through the whole internet without any encryption, so why the hell do you want to use https for the last hop?.... – Pascal Schmiel Jun 25 '13 at 10:46
  • Switch to a load balancer that can handle 443/tcp with ssl or deploy an app on your webservers 80/tcp that does a correct POST redirect (looks like you're using Java?). – fsoppelsa Jun 25 '13 at 10:56
  • Because we are not so concerned about the information transferred over HTTP (the params) But we are concerned where later in the process confidential info will be submitted. – shawsy Jun 25 '13 at 11:36
  • Hi fsoppelsa, Yes we are using java. This is a good idea! i will try. – shawsy Jun 25 '13 at 11:40

1 Answers1

3

As specified in RFC 2616 Sec 10.3, if the response to a POST request is a redirect (301, 302, 303, or 307), the user agent must NOT repeat the POST at the new location.

Your only hope for repeating a POST would be for the first response to return some JavaScript that automatically re-submits the form data at the new location.

However, considering that you've already divulged the form data over cleartext HTTP, there really isn't much point to continuing the session over HTTPS. You really ought to start earlier and present the user with the initial form over HTTPS.

200_success
  • 4,771
  • 1
  • 25
  • 42