iPlanet 6.0SP5 HTTP to HTTPS redirect

Hey,

I currently have iPlanet 6.0SP5 on Windows 2000. I used to have two instances set up, one for HTTP and one for HTTPS. The HTTP instance simply acted as a forwarder to the HTTPS sites. Now I am trying to use the below configuration in my obj.conf and it is giving me errors. I am simply trying to make all non-ssl requests go to ssl.

obj.conf

==

<Client match="all" security="false">
NameTrans fn="redirect" from="/yyy" url-prefix="https://www.somesite.com/yyy"
NameTrans fn="redirect" from="/" url-prefix="https://www.somesite.com/xyz"
</Client>

#Other Miscellaneous options
PathCheck fn="nt-uri-clean"

<Object name="xyz" ppath="*/xyz/*">
Service fn="wl-proxy" WebLogicCluster="X.X.X.X:8400,X.X.X.X:8400" KeepAliveEnabled="true"
</Object>

==

With that configuration I see this error message in the error log when trying to pull up http://www.somesite.com. On screen it says "Server Error". The redirect happens.

error log

==

[03/Jan/2007:17:32:40] warning ( 7812): for host X.X.X.X trying to GET /xyz/, unix-uri-clean reports: not full path: 槹?尋尋餜/xyz/

==

If I comment out the "PathCheck fn="nt-uri-clean"" setting, then it works, but I have heard of security risks with this type of setup.

With the original setup (2 server instances), this type of redirecting works fine without commenting out the above. Does anyone have any ideas of why the "nt-uri-clean" is having a problem and how to fix it?

Thanks

Ben

By bennyspa at 2007-11-26 14:03:43
# 1

The gibberish in that error message suggests that something's gone horribly wrong. Can you share your complete obj.conf configuration file? Is there a reason you haven't applied the latest service pack, 6.0SP11?

You probably need the nt-uri-clean SAF to protect the server from malicious clients. In any event, you should not remove the nt-uri-clean SAF unless you understand exactly what it does and why you don't need it.

elvinga at 2007-7-8 1:47:11
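To make the "protect the server from malicious clients" point concrete, here is an added example (not code from this thread and not iPlanet's own implementation) of the class of URI hygiene a cleaner PathCheck SAF such as nt-uri-clean / unix-uri-clean performs. The rule set is an assumption for illustration; the real SAF also runs against the translated physical path, whereas this function inspects the request URI only. The sample URIs are constructed, except the junk-prefixed path, which is the one recorded in the error log above.

```python
"""Added example, not code from this thread or from iPlanet: an illustration of
the kind of URI hygiene a PathCheck cleaner such as nt-uri-clean / unix-uri-clean
enforces.  The rule set is an assumption for teaching purposes and does not
reproduce the real SAF, which also works on the translated physical path."""
from typing import Dict, Iterable, Optional

# Constructed sample URIs; the sixth is the junk-prefixed path from the thread's error log
SAMPLE_URIS = [
    "/xyz/",
    "/xyz/index.html",
    "/xyz/../../winnt/win.ini",
    "/xyz\\..\\secret.txt",
    "/xyz/./index.html",
    "\u69f9?\u5c0b\u5c0b\u991c/xyz/",
    "/xyz/config.txt.",
]


def uri_clean(path: str) -> Optional[str]:
    """Return None when the path is acceptable, otherwise a short rejection reason.
    Checks are ordered so the first structural problem is the one reported."""
    if not path.startswith("/"):
        return "not full path"            # the wording unix-uri-clean logged in the thread
    if any(not 0x20 <= ord(c) <= 0x7E for c in path):
        return "control or non-ASCII character"
    if "\\" in path:
        return "backslash in path"        # Windows treats it as a separator, the URI layer does not
    segments = path.split("/")
    if ".." in segments:
        return "parent-directory segment"
    if "." in segments:
        return "dot segment"
    if "" in segments[1:-1]:
        return "empty segment (//)"
    last = segments[-1]
    if last.endswith(".") or last.endswith(" "):
        # Win32 strips trailing dots and spaces, so two different URIs can name one file
        return "trailing dot or space (ambiguous NTFS name)"
    return None


def audit(uris: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map every URI to its verdict, the way an admin would eyeball a log sample."""
    return {u: uri_clean(u) for u in uris}


if __name__ == "__main__":
    for uri, verdict in audit(SAMPLE_URIS).items():
        print(f"{'OK    ' if verdict is None else 'REJECT'} {uri!r} {verdict or ''}")
```

Running it shows that the log entry's path fails the very first check, which is consistent with the server complaining "not full path": whatever preceded /xyz/ in the buffer was not a leading slash. It also shows what is lost if the PathCheck line is simply commented out: every other rejected sample would reach the later stages of the request pipeline.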
# 2

Unfortunately, I cannot share my whole file (security reasons) and I do understand that it is difficult to help without this information. I can tell you, however, when I use the below entry instead, then the other redirects work. It is only when I have the redirect for "/" enabled that I get the Site Errors. So, for instance the "/yyy" does work as well as the "/xyz".

There has not been a specific reason to upgrade to SP11, so maybe there is a fix for this issue in one of those packs?

obj.conf

==

<Client match="all" security="false">
NameTrans fn="redirect" from="/xyz" url-prefix="https://www.somesite.com/xyz"
NameTrans fn="redirect" from="/yyy" url-prefix="https://www.somesite.com/yyy"
#NameTrans fn="redirect" from="/" url-prefix="https://www.somesite.com/xyz"
</Client>

Thanks

Ben

benny.s.pa at 2007-7-8 1:47:11
# 3

Ok, I just downloaded iPlanet 6.0SP10 (couldn't find SP11) on my local workstation and I am able to reproduce the problem exactly (same error messages too). Below is my full workstation obj.conf file.

obj.conf

==

# Use only forward slashes in pathnames--backslashes can cause
# problems. See the documentation for more information.

<Object name=default>

## START SSL FORWARDING ##
# *This entry must be in to force SSL forwarding...
# Any client that is not currently using HTTPS
# then forward to the URL
<Client match="all" security="false">
NameTrans fn="redirect" from="/xyz" url-prefix="https://127.0.0.1/xyz"
NameTrans fn="redirect" from="/" url-prefix="https://127.0.0.1/xyz"
</Client>
## END SSL FORWARDING ##

NameTrans fn="NSServletNameTrans" name="servlet"
NameTrans fn="pfx2dir" from="/servlet" dir="$docroot/servlet" name="ServletByExt"
NameTrans fn=pfx2dir from=/mc-icons dir="c:/program files/iPlanet/Servers/ns-icons" name="es-internal"
NameTrans fn="pfx2dir" from="/manual" dir="c:/program files/iPlanet/Servers/manual/https" name="es-internal"
NameTrans fn=document-root root="$docroot"
PathCheck fn=nt-uri-clean
PathCheck fn="check-acl" acl="default"
PathCheck fn=find-pathinfo
PathCheck fn=find-index index-names="index.html,home.html"
ObjectType fn=type-by-extension
ObjectType fn=force-type type=text/plain
Service type="magnus-internal/jsp" fn="NSServletService"
Service method=(GET|HEAD) type=magnus-internal/imagemap fn=imagemap
Service method=(GET|HEAD) type=magnus-internal/directory fn=index-common
Service method=(GET|HEAD|POST) type=*~magnus-internal/* fn=send-file
AddLog fn=flex-log name="access"
</Object>

<Object name=cgi>
ObjectType fn=force-type type=magnus-internal/cgi
Service fn=send-cgi
</Object>

<Object name="servlet">
ObjectType fn=force-type type=text/html
Service fn="NSServletService"
</Object>

<Object name="jsp092">
ObjectType fn="type-by-extension"
ObjectType fn="change-type" type="magnus-internal/jsp092" if-type="magnus-internal/jsp"
Service fn="NSServletService" type="magnus-internal/jsp092"
</Object>

<Object name="ServletByExt">
ObjectType fn=force-type type=magnus-internal/servlet
Service type="magnus-internal/servlet" fn="NSServletService"
</Object>

<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>

benny.s.pa at 2007-7-8 1:47:11
# 4

Are you sure that you saved the config file

1) with only 7-bit US-ASCII characters, for instance proper " quotation marks (ASCII 0x22, not "curly" quotation marks)

2) as plain text (not RTF, etc.)

The 2nd scenario seems unlikely -- iWS probably wouldn't start if the file were binary. But the error "not full path: 槹?尋尋餜/xyz/" makes it look like there's something messed up in your NameTrans line, and it seems plausible that there's some weird, non-US-ASCII character there that looks fine in Notepad.exe (and that your browser accepts, some weird high-value Unicode equivalent for ":" or something) but that isn't proper.

-Peter

PeterWatkinsa at 2007-7-8 1:47:11
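The two checks Peter suggests (7-bit US-ASCII only, straight 0x22 quotation marks) are easy to automate before restarting the server. Below is an added example, not from this thread or from iPlanet, that scans an obj.conf for characters outside printable ASCII and for lines whose straight double quotes do not pair up, which is the usual symptom of a single "curly" quote pasted in from a word processor. The embedded config text is constructed; its third line deliberately carries one typographic opening quote.

```python
"""Added example (not from the thread, not iPlanet code): flag non-ASCII characters
and unbalanced straight quotes in an obj.conf-style file.  The sample text is
constructed; the third NameTrans line starts its fn value with U+201C instead of 0x22."""
from typing import List, Tuple

SAMPLE_OBJ_CONF = (
    '<Client match="all" security="false">\n'
    'NameTrans fn="redirect" from="/xyz" url-prefix="https://127.0.0.1/xyz"\n'
    'NameTrans fn=\u201credirect" from="/" url-prefix="https://127.0.0.1/xyz"\n'
    '</Client>\n'
    'PathCheck fn=nt-uri-clean\n'
)


def find_non_ascii(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, U+XXXX) for every character outside printable
    7-bit ASCII, tabs excepted.  An empty list means the file is clean."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch == "\t":
                continue
            if not 0x20 <= ord(ch) <= 0x7E:
                hits.append((lineno, col, f"U+{ord(ch):04X}"))
    return hits


def unbalanced_quote_lines(text: str) -> List[int]:
    """Lines (comments excluded) with an odd number of straight ASCII quotes:
    a sign that one quote was replaced by a typographic one or simply dropped."""
    return [
        n for n, line in enumerate(text.splitlines(), start=1)
        if not line.lstrip().startswith("#") and line.count('"') % 2 == 1
    ]


def check_file(path: str) -> Tuple[List[Tuple[int, int, str]], List[int]]:
    """Scan a real file.  Bytes that are not valid UTF-8 (for example a
    Windows-1252 smart quote) decode to U+FFFD and are reported like any
    other non-ASCII character, so nothing slips through unreported."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return find_non_ascii(text), unbalanced_quote_lines(text)


if __name__ == "__main__":
    for lineno, col, cp in find_non_ascii(SAMPLE_OBJ_CONF):
        print(f"line {lineno} col {col}: non-ASCII character {cp}")
    for lineno in unbalanced_quote_lines(SAMPLE_OBJ_CONF):
        print(f"line {lineno}: odd number of straight quotes")
```

Pointing check_file at the server's config directory before a restart turns a guess about Notepad.exe into a line-and-column report; a clean result from both checks rules out Peter's hypothesis and leaves the "/" redirect itself as the remaining suspect.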
# 5
I have actually found out that with versions newer than 6.0, this is not a problem.
benny.s.pa at 2007-7-8 1:47:11