How to redirect HTTP request to HTTPS using responder

This article explains how to configure the responder feature with load balancing virtual server IP addresses to redirect client requests from HTTP to HTTPS.

Consider a scenario where a user attempts to access a secure web site by sending an HTTP request. Instead of dropping the request, you might want to redirect it to the secure web site. You can use the responder feature to redirect the request to the secure web site without changing the path and the URL query that the user attempts to access.

How Citrix ADC responder redirects a request from HTTP to HTTPS

The following illustration shows a step by step flow of how the appliance redirects a request.

Responder redirecting a request

Note: The navigation paths and screen shots are derived from NetScaler 11.0.

To configure the Responder feature along with the Load Balancing VIP addresses of a NetScaler appliance to redirect client requests from HTTP to HTTPS, complete the following procedure.

  1. Enable the responder feature on the appliance. Navigate to System > Settings > Configure Advanced Features > Responder.

    Enabling Responder

  2. Create a responder action and specify an appropriate name, such as http_to_https_actn, in the Name field.
  3. To create a responder action, in the navigation pane, expand AppExpert > Responder, click Actions and then click Add.
  4. Select Redirect as Type.
  5. In the Expression field, type the following expression:

    "https://" + HTTP.REQ.HOSTNAME.HTTP_URL_SAFE + HTTP.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE

  6. In NetScaler versions 9.0 and 10.0, ensure that the Bypass Safety Check option is cleared.

    Note: This option is not present from NetScaler 11.0 onwards.

  7. Create a Responder Policy and specify an appropriate name, such as http_to_https_pol, in the Name field.
  8. To create a Responder Policy, in the navigation pane, expand AppExpert > Responder, click Policies and then click Add.
  9. From the Action list, select the action name that you have created.
  10. From the Undefined Action list, select RESET.
  11. Type the HTTP.REQ.IS_VALID expression in the Expression field as shown in the following screen shot.

Create Responder policy

  1. Create a monitor for which the status is always marked as UP and specify an appropriate name, such as localhost_ping, in the Name field.
  2. To create a monitor, in the navigation pane expand Load Balancing, click Monitors and then click Add.
  3. In the Destination IP field, specify the 127.0.0.1 IP address, as shown in the following screen shot.

    Configure monitor

  4. Create a service and specify an appropriate name, such as Always_UP_service, in the Name field.
  5. To create a service, in the navigation pane, expand Load Balancing, click Services and then click Add.
  6. Specify a non-existent IP address in the Server field.

    Configure monitor

  7. Specify 80 in the Port field.
  8. Add the created monitor from the Available Monitors list.
  9. Create a Load Balancing Virtual Server and specify an appropriate name in the Name field.
  10. To create a Load Balancing Virtual Server, in the navigation pane, expand Load Balancing, click Services and then click Add.
  11. Specify the IP address of the web site in the IP Address field.
  12. Select HTTP from the Protocol list.
  13. Type 80 in the Port field.
  14. On NetScaler version 9.0 and 10.0, select the Active option for the service you have created in the Services tab as shown in the following screen shot. This option is deprecated in NetScaler version 11.0.

    Select Action option

  15. Click the Policies tab.
  16. Bind the Responder policy you created to the HTTP Load Balancing VIP address of the web site.
  17. Create a secure Load Balancing virtual server that has the IP address of the web site and port as 443.

To create a configuration similar to the preceding procedure from the command line interface of the appliance, run the following commands:

enable ns feature responder
add responder action http_to_https_actn redirect "\"https://\" + http.req.hostname.HTTP_URL_SAFE + http.REQ.URL.PATH_AND_QUERY.HTTP_URL_SAFE"
add responder policy http_to_https_pol HTTP.REQ.IS_VALID http_to_https_actn RESET
add lb monitor localhost_ping PING -LRTM ENABLED -destIP 127.0.0.1
add service Always_UP_service 1.2.3.4 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip ENABLED dummy -usip NO -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
bind lb monitor localhost_ping Always_UP_service
add lb vserver http_site.com HTTP 10.217.96.238 80 -persistenceType COOKIEINSERT -timeout 0 -cltTimeout 180
bind lb vserver http_site.com Always_UP_service
bind lb vserver http_site.com -policyName http_to_https_pol -priority 1 -gotoPriorityExpression END

Notes:

  • The status of the port 80 Load Balancing Redirect virtual server must be UP for the redirect to work.
  • Web browsers might not redirect correctly if the HTTPS virtual server is not active.
  • This redirect setup allows for situations where multiple domains are bound to the same IP address.
  • If the client sends an invalid HTTP request to the redirect virtual server, then the appliance sends a RESET message code.
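
One way to check the finished configuration from a client, added here as an example and not part of the Citrix documentation: it verifies that a response from the port 80 virtual server is a redirect to HTTPS with the requested host, path and query unchanged. The function names, the example.com sample responses and the choice to accept any 3xx status code are assumptions, since the page does not state which code the appliance returns.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}  # assumption: any 3xx redirect is accepted

def parse_response_head(raw):
    """Return (status, headers) from raw response bytes; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers

def check_redirect(host, target, status, location):
    """Return a list of problems; an empty list means the redirect is as intended."""
    if status not in REDIRECT_CODES:
        return [f"status {status} is not a redirect"]
    problems = []
    loc, want = urlsplit(location or ""), urlsplit(target)
    if loc.scheme != "https":
        problems.append("scheme is not https")
    if loc.netloc.lower() != host.lower():
        problems.append("host changed")
    if (loc.path, loc.query) != (want.path, want.query):
        problems.append("path or query changed")
    return problems

def check_raw(host, target, raw):
    """Check a captured response (bytes) against the request that produced it."""
    status, headers = parse_response_head(raw)
    return check_redirect(host, target, status, headers.get("location"))

def probe(vip, host, target, port=80, timeout=5):
    """Send one GET to the port 80 virtual server and check the answer."""
    conn = http.client.HTTPConnection(vip, port, timeout=timeout)
    try:
        conn.request("GET", target, headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(host, target, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (not captured from a real appliance).
GOOD = b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/app/login?next=%2Fhome\r\n\r\n"
DROPS_PATH = b"HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n"

if __name__ == "__main__":
    print(check_raw("www.example.com", "/app/login?next=%2Fhome", GOOD))
    print(check_raw("www.example.com", "/app/login?next=%2Fhome", DROPS_PATH))
```

Because several domains can share the redirect virtual server, run probe() once per host name so that each one is confirmed to come back in the Location header unchanged.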
