Recently one of our customers reported a bug in our product. They told us that our software does not work when there is a load balancer. First, let me explain their environment to give a better understanding of the issue we had.
In their environment there is a load balancer that holds the SSL certificates; nothing behind the load balancer is SSL enabled. When a client connects to a server behind the load balancer using HTTPS, the load balancer strips the HTTPS part from the request and sends it to one of the servers over HTTP (not HTTPS). Furthermore, the company network policy says that you cannot talk to any server without using HTTPS. So even if “Server A” behind the load balancer tries to talk to “Server B” behind the load balancer, it has to use HTTPS (and of course the load balancer will strip out the certificate from the communication). The reason for this setup is so that all the certificates are installed on the load balancer, not on the individual servers.
Our software makes a POST request to one of the pages on the same server, sending some data. The problem is that the page that should receive the POST data does not receive it, and throws an exception. After checking the Fiddler logs, we saw what the problem was. Let me try to explain it by walking through the workflow.
1. The client hits the server that hosts our product using the HTTPS protocol; assume this is: https://contoso.com/default.aspx.
2. The load balancer gets the request, strips the HTTPS part, and calls http://contoso.com/default.aspx.
3. Our page gathers some data and posts it to the list.aspx page on the same site. Because the request landed on default.aspx over HTTP, it tries to post the data to http://contoso.com/list.aspx. Don’t forget that this is a POST request.
4. The load balancer gets the request and, knowing about the HTTPS policy, sends an HTTP 302 (redirect) to https://contoso.com/list.aspx instead of http. Hmm, this is a redirect with GET, but we posted data in the previous step, so what happened to that data? GONE.
5. The list.aspx page tries to read the POST data, and some viewstate as well, and fails because the expected data was not received.
The load balancer should never change a POST request to a GET request, and one of the solutions to this problem is configuring the load balancer to send HTTP 307 (a redirect that the user agent follows by repeating the POST) instead of 302.
The other solution is to install the same certificates on the servers behind the load balancer and tell the load balancer to use HTTPS between the servers and itself.
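The difference between the 302 and 307 answers in step 4 can be reproduced on loopback. This is an added example, not code from the product or the customer's load balancer: the `/redirect/<status>` path, the `item=42` form data and the `Follow307` helper are constructed for the demonstration, and the redirect stays on plain HTTP so it runs without certificates.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    """Constructed stand-in for the load balancer redirect and for list.aspx."""
    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.startswith("/redirect/"):  # load balancer enforcing HTTPS policy
            self.send_response(int(self.path.rsplit("/", 1)[1]))
            self.send_header("Location", "/list.aspx")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:  # list.aspx: report the method and form data that actually arrived
            out = f"{self.command}:{body.decode()}".encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)
    do_GET = do_POST = _handle
    def log_message(self, *args):  # keep the demo quiet
        pass

class Follow307(urllib.request.HTTPRedirectHandler):
    """urllib turns a 302 after POST into a GET; it refuses 307 after POST,
    so this hypothetical helper re-sends the POST with its body, as browsers do."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if code == 307 and req.get_method() == "POST":
            return urllib.request.Request(newurl, data=req.data, method="POST")
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def post_via_redirect(status):
    """POST item=42 to a URL that answers with `status`; return what list.aspx saw."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), Follow307)
        url = f"http://127.0.0.1:{server.server_port}/redirect/{status}"
        with opener.open(url, data=b"item=42", timeout=5) as resp:
            return resp.read().decode()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(302, post_via_redirect(302))  # list.aspx sees a GET with no form data
    print(307, post_via_redirect(307))  # list.aspx sees the POST and its data
```

When checking a real deployment, the same symptom shows up in a Fiddler trace as a POST answered by 302 followed by a body-less GET to the HTTPS URL.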