Port redirection https to http

Discussion in 'Cisco' started by Robert, Mar 10, 2006.

  1. Robert

    Robert Guest

    Hello
    Question is
    I have PIX firewall 501
    We have a small web application based on port 80 (http)
    Can I redirect ports on the firewall so people will type https://xxxxxxxxxx and
    it will redirect to http://xxxxx and users will think that it is https not http
    If not, what should I buy
    It is impossible to change this port :(

    Thank you
    Robert
     
    Robert, Mar 10, 2006
    #1

  2. Robert

    Robert Guest

    Hello
    I have at home 2xCisco 3640 Router, 5x2620 Cisco Router, 1x Cisco 2610
    Router, Netscreen Firewall 5XP, and Netscreen Firewall 25 - can I use 1 of
    those?

    Robert
     
    Robert, Mar 10, 2006
    #2

  3. Robert

    Uli Link Guest

    Robert wrote:

    This is technically possible but I cannot imagine any legitimate or even
    useful use.

    If you need SSL/TLS to public users, you may want to request a valid
    server certificate from a Certificate Authority.

    This isn't a matter of any router/firewall in between the webserver and
    the browser. It's a matter of the Trust chain of the server's presented
    certificate.
     
    Uli Link, Mar 10, 2006
    #3
  4. Robert

    Robert Guest

    This is technically possible but I cannot imagine any legitimate or even
    This application has to be on 80 it is impossible to be https :(
     
    Robert, Mar 10, 2006
    #4
  5. Robert

    chris Guest

    Users won't usually type http://blah or https://blah, they will just type
    the URL. Even if they did type https://domain.com and they were redirected
    to a http site, nobody is going to be fooled by this. There will be no SSL
    certificate to accept!

    What you are trying to do serves no purpose.

    Chris.
     
    chris, Mar 10, 2006
    #5
  6. Robert

    Robert Guest

    OK
    we have our own tracker system
    Users want to use https instead of http - but the problem is it is hardcoded -
    links are hardcoded - it is impossible to use https at the moment - they will
    have to recompile the whole code and it may take up to 6 months

    Thanks - I will tell them - NO WAY!!!!!! change code

    Robert
     
    Robert, Mar 10, 2006
    #6
  7. Robert

    Uli Link Guest

    The difference between http: and https: is more than just a different
    default tcp port. So it won't work, even if you translate the port
    (which can be easily accomplished by a static NAT in any of your Cisco
    routers). The https: client will wait for cipher negotiation of SSL/TLS
    and a http: server won't answer the correct way regardless of its
    default listener port.
     
    Uli Link, Mar 10, 2006
    #7
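
The failure described in post #7, as an added example that is not part of the original thread: a plain-HTTP listener on a loopback port (a constructed stand-in for the port-80 application) answers an HTTP request normally, but a TLS client pointed at the same port never completes its handshake. The handler class and function names are assumptions made for this illustration.

```python
import http.server
import socket
import ssl
import threading

class PlainHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the port-80-only application (constructed for this demo)."""
    def do_GET(self):
        body = b"tracker page over plain http\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_plain_http_server():
    """Listen on a loopback ephemeral port: where a port translation would land."""
    server = http.server.HTTPServer(("127.0.0.1", 0), PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def http_status_line(port):
    """Speak plain HTTP to the listener and return its status line."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        return sock.recv(256).split(b"\r\n", 1)[0].decode("ascii")

def tls_handshake_succeeds(port):
    """Do what an https: client does first: send a ClientHello, await a ServerHello."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # certificate checks are off on purpose:
    ctx.verify_mode = ssl.CERT_NONE  # the failure happens before any certificate is sent
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw):
                return True
    except (ssl.SSLError, OSError):  # bad record, reset, EOF or timeout
        return False

if __name__ == "__main__":
    srv = start_plain_http_server()
    port = srv.server_address[1]
    print("http status line  :", http_status_line(port))
    print("https handshake ok:", tls_handshake_succeeds(port))
    srv.shutdown()
```

Translating port 443 to port 80 only changes which listener receives the ClientHello; something in the path still has to terminate TLS and present a certificate.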
  8. Are the users inside or outside of where the firewall would go?
    Is the web server inside or outside?

    When you say that "links are hardcoded", do you mean that the
    web-server sends back links in http://hostname format?

    Where, exactly, is the use of port 80 hard-coded?

    I am confused because in one place you say it is hardcoded but
    in another place the user would have the freedom to type
    https://something

    Would it be possible for the user to type https://hostname:80 ?
    Is it possible for the web server to send back its links in
    that form? Is it possible for you to reconfigure the web server to
    use SSL on port 80?

    https does not need to be on port 443 only: it can run over any
    port, with 443 being the default -- but all of the links would
    have to include the port number.
     
    Walter Roberson, Mar 10, 2006
    #8
  9. Hi
    Just my 2c

    There is a Cisco box named SCA-something (Security Content
    Accelerator), which is actually a re-branded SonicWall SSL. The box can
    strip SSL and forward plain HTTP, but most importantly (in your case),
    it can REWRITE URL (or so they claim in the datasheet).

    Roman Nakhmanson
     
    Roman Nakhmanson, Mar 10, 2006
    #9
  10. Robert

    Peter Guest

    Hi Robert,
    I suspect what you are saying is that either the Server (on port 80)
    or the Client S/W (on the user machine) is custom S/W (or possibly
    BOTH!!!) and set up ONLY to use HTTP on port 80, and you need a SECURE
    transport between them.

    If the desire is simply to encrypt the transport, then one way to do
    this would be to implement a simple (sic) VPN environment between
    them, until the original S/W can be modified.

    Alternatively, if the SERVER end is a (custom) Web application that
    CANNOT be easily configured to work as HTTPS, then depending on the
    CLIENT needs, you may be able to set up something like Apache ahead of
    that Server to handle the HTTPS and Apache could re-direct the HTTPS
    to HTTP on Port 80 on the Target Server. That only leaves the Client
    end to worry about and if that is a standard Web Browser then you
    should be fine.

    Cheers................pk.
     
    Peter, Mar 10, 2006
    #10
  11. Hi,

    try "SSG" (Service Selection Gateway) on cisco-documentation-center.

    best regards

    Peter
     
    Peter Kußmann, Mar 13, 2006
    #11
  12. Robert

    joelevy Guest

    Hi,

    Software based SSL tunnel: http://www.stunnel.org/

    Install that on your server - it can receive the inbound HTTPS
    connections, decrypt, and pass the unencrypted payload into the local
    HTTP listener. This is effectively a functionally limited software
    version of the SonicWALL (and Cisco) SSL Offloader.

    joe
     
    joelevy, Mar 16, 2006
    #12