http -> https automatic forwarding

Patrick Dowler pdowler.cadc at gmail.com
Fri Feb 10 22:57:36 CET 2017


Yeah, extraneous redirects generally mess up the post-redirect-get
pattern (e.g. as used in UWS async job creation).

We have also run into a few issues with redirects that change protocol:

- users think they are calling an http url but then they get some
obscure SSL error because their system CA bundle doesn't contain the
necessary certificates to validate your server cert and that can
happen when your server cert is signed by a valid but intermediate CA
and the full chain isn't propagated correctly. I think this can be
correctly handled server-side by configuring correctly, but many
incorrect configurations work for some people so testing corner cases
is necessary (and difficult)

- at least in Java, redirects that change protocol are not followed
automatically by the http library as the design means backing out of
using an HttpURLConnection and instantiating an HttpsURLConnection
instead; iirc applications have to detect the redirect and create a
new URLConnection from the Location even if they told the last one to
follow redirects.

Pat


On 8 February 2017 at 17:08, Walter Landry <wlandry at caltech.edu> wrote:
> Hi Everyone,
>
> Our organization is in the process of migrating everything we do to
> https.  Getting the services running under https and updating our
> registry entries is straightforward.  However, people have various
> scripts that they have already written, and we would like to avoid
> breaking them.  So we were wondering what is the best thing to do for
> clients that try to access the old http URLs.
>
> My inclination is to provide a redirect.  As I understand it, the
> simple access methods (e.g. Simple Cone Search) allow a service to
> provide a redirect for the original query, so any compliant client
> should be able to handle a redirect to a https service.  I am less
> confident about what might happen when a user tries to POST something.
> Does anyone have any experience with this kind of transition for VO
> protocols?
>
> Thanks,
> Walter Landry



-- 
Patrick Dowler
Canadian Astronomy Data Centre
Victoria, BC, Canada
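
The manual redirect handling described in the Java item of the message above, as an added example that is not part of the original post or of any code from its author. The class name, MAX_HOPS, the example.org URLs and the policy of refusing an https -> http downgrade are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;

public class CrossProtocolRedirect {
    static final int MAX_HOPS = 5; // assumed limit, not from the post

    // Resolve Location against the current URI; allow http -> https, refuse https -> http.
    static URI nextUri(URI current, String location) throws IOException {
        if (location == null) throw new IOException("redirect without Location header");
        URI next = current.resolve(location.trim());
        String to = next.getScheme();
        if (!"http".equalsIgnoreCase(to) && !"https".equalsIgnoreCase(to))
            throw new IOException("refusing redirect to scheme " + to);
        if ("https".equalsIgnoreCase(current.getScheme()) && "http".equalsIgnoreCase(to))
            throw new IOException("refusing https -> http downgrade: " + next);
        return next;
    }

    // Follow redirects by hand so that a change of protocol is handled explicitly.
    static HttpURLConnection open(URI uri, String method, byte[] body) throws IOException {
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            // A new connection per hop: the http or https class is chosen from the scheme.
            HttpURLConnection c = (HttpURLConnection) uri.toURL().openConnection();
            c.setInstanceFollowRedirects(false);
            c.setRequestMethod(method);
            if (body != null) {
                c.setDoOutput(true);
                try (OutputStream out = c.getOutputStream()) { out.write(body); }
            }
            int status = c.getResponseCode();
            boolean keep = status == 307 || status == 308; // method and body preserved
            if (!keep && status != 301 && status != 302 && status != 303) return c;
            uri = nextUri(uri, c.getHeaderField("Location"));
            c.disconnect();
            if (!keep) { method = "GET"; body = null; } // post-redirect-get
        }
        throw new IOException("more than " + MAX_HOPS + " redirects");
    }

    public static void main(String[] args) throws IOException {
        // Constructed URLs; these checks need no network access.
        System.out.println(nextUri(URI.create("http://example.org/tap/async"), "https://example.org/tap/async"));
        System.out.println(nextUri(URI.create("https://example.org/tap/async"), "/tap/async/job1"));
        try {
            nextUri(URI.create("https://example.org/x"), "http://example.org/x");
        } catch (IOException e) { System.out.println(e.getMessage()); }
    }
}
```

A POST sent to the old http URL has already transmitted its body unencrypted by the time the redirect arrives, so the redirect keeps existing scripts working without protecting that first request.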

