IBM Security Verify


IBM Application Gateway redirection from http to https

  • 1.  IBM Application Gateway redirection from http to https

    Posted Thu September 17, 2020 03:44 AM
    Hello,

    I am trying IAG in Kubernetes exposing IAG with a LoadBalancer Service. Is it possible to redirect all incoming connections from http to https?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: IBM Application Gateway redirection from http to https

    Posted Fri September 18, 2020 12:29 AM
    Javier,

    It is possible to do this by setting the following advanced configuration parameter (Configuration):

    advanced:
      configuration:
        - stanza: server
          entry: redirect-http-to-https
          operation: set
          value: [ true ]   # true turns the HTTP-to-HTTPS redirect on

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: IBM Application Gateway redirection from http to https

    Posted Fri September 18, 2020 03:20 AM
    Just as a quick follow-up...

    Setting the IAG to respond to HTTP requests with a re-direct to HTTPS will only work if the client browser can reach port 80 on the IAG for it to respond.
    You'll need to make sure that this port is exposed as a service from the container and that it is being forwarded through the Load Balancer.

    I have read in some places about the ability to perform an HTTP->HTTPS redirect within the load balancer itself.  I assume this depends on the environment and the options available in the Load Balancer (or the ingress that sits behind it if applicable).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 02:18 AM
    Hello Jon

    I am so sorry that I couldn't answer; I was on holiday.

    I tried your solution, but I can't access port 8080 or 80. I tried it in Docker and Kubernetes, but in both cases I can access 8443 but I can't access 8080 as the documentation says, nor 80.

    For your information, in Docker I tried to publish 8443 and 8080 or 80 using the publish flag.

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 5.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 05:30 AM
    Hi Javier,

    I had a proper look at this and was able to get it working.

    First of all, I found that the "protocols" configuration didn't work in the 20.01 version I was initially testing with.  I had to use the 20.07 version.

    To get IAG to listen on the HTTP port, I added this to the server section of the configuration:

    server:
      protocols:
        - http
        - https

    I also had to add the following to advanced configuration:

    advanced:
      configuration:
        - stanza: server
          entry: redirect-http-to-https
          operation: set
          value: [ true ]
        - stanza: server
          entry: web-http-port
          operation: set
          value: ["80"]
        - stanza: server
          entry: web-https-port
          operation: set
          value: ["443"]

    The first advanced configuration enables the redirect function.  The other two tell the IAG the ports that are being used externally so that its redirects are built for the correct location.

    For port publishing, I used 127.0.0.1:80:8080 and 127.0.0.1:443:8443.

    I hope this helps you get the function that you need.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
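
Added example, not part of the post above or of IBM's code: a Node.js check that the plain-HTTP listener answers with a redirect built for the external HTTPS port, which is what `web-https-port` controls in the configuration above. The host `iag.example.com`, the function names and the sample responses are constructed; `probe` assumes Node 18+ for the built-in `fetch`.

```javascript
// Added example: assessRedirect and probe are assumed names, not IAG APIs.

// Judge one HTTP response against what the thread's configuration should
// produce: a 3xx whose Location is https:// on the external host and port.
function assessRedirect(status, location, expectedHost, externalHttpsPort = 443) {
  const problems = [];
  if (status < 300 || status > 399) problems.push(`status ${status} is not a redirect`);
  if (!location) return problems.concat('no Location header');
  let target;
  try {
    target = new URL(location);
  } catch {
    return problems.concat('Location is not an absolute URL');
  }
  if (target.protocol !== 'https:') problems.push(`scheme is ${target.protocol}`);
  if (target.hostname !== expectedHost) problems.push(`host is ${target.hostname}`);
  // URL leaves the port empty for the scheme default, so normalise first.
  const port = Number(target.port || (target.protocol === 'https:' ? 443 : 80));
  if (port !== externalHttpsPort) problems.push(`port is ${port}, expected ${externalHttpsPort}`);
  return problems;
}

// Request one path over plain HTTP without following the redirect
// (Node 18+: redirect 'manual' exposes the 3xx status and Location header).
async function probe(host, port = 80, path = '/') {
  const res = await fetch(`http://${host}:${port}${path}`, { redirect: 'manual' });
  return assessRedirect(res.status, res.headers.get('location'), host);
}

// Constructed sample responses: a correct redirect, a redirect that leaks the
// container's internal port 8443, and a listener that serves content over HTTP.
const samples = [
  [302, 'https://iag.example.com/app'],
  [302, 'https://iag.example.com:8443/app'],
  [200, null],
];
for (const [status, location] of samples) {
  console.log(status, location, assessRedirect(status, location, 'iag.example.com'));
}
```

Against a running gateway, `probe('iag.example.com').then(console.log)` prints an empty list when the redirect is correct.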



  • 6.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 07:23 AM
    Thank you very much Jon. It works.

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 7.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 09:40 AM
    Hello again Jon,

    I wanted to try http connection (not redirection to https) but when I try to access a resource, I get a "Forbidden page". If I go through https, it works as expected. Is it possible to go through http?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 8.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 09:56 AM
    Hi Javier,

    I suspect you'll only be able to access public resources over HTTP.  As soon as authentication is required, IAG looks for authentication mechanisms that are enabled for the protocol you're accessing with.  Since OIDC is the only supported authentication mechanism and it requires a secure connection, you just get back forbidden.

    If you add policies to allow public access to some pages you should be able to access those over HTTP.

    If you want to allow users to be redirected over HTTPS only when they access a protected page, you can modify the Forbidden page and add client-side JavaScript that redirects to the HTTPS URL if not currently using HTTPS.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
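
Added example, not part of the post above or of IBM's code: one way to write the client-side redirect for a customised Forbidden page. `httpsUrlFor` and `HTTPS_PORT` are assumed names, and 443 is assumed to be the external HTTPS port (the `web-https-port` value used earlier in the thread).

```javascript
// Added example: httpsUrlFor and HTTPS_PORT are assumed names.
const HTTPS_PORT = 443; // assumed external HTTPS port (web-https-port in the thread)

// Return the HTTPS equivalent of a page URL, or null when no redirect is needed.
// The target is derived only from the page's own URL, never from a query
// parameter, so the script cannot be steered to another host.
function httpsUrlFor(href, httpsPort = HTTPS_PORT) {
  const url = new URL(href);
  if (url.protocol !== 'http:') return null; // already HTTPS, or not a web URL
  url.protocol = 'https:';
  // Replace the HTTP port (e.g. 8080) with the HTTPS one; the URL object
  // drops the port from the result when it is the scheme default (443).
  url.port = String(httpsPort);
  return url.href;
}

// Browser-only part: runs when this script is embedded in the Forbidden page.
if (typeof window !== 'undefined') {
  const target = httpsUrlFor(window.location.href);
  // replace() keeps the plain-HTTP URL out of the back-button history.
  if (target) window.location.replace(target);
}
```

Path, query string and fragment are preserved, so the user lands on the protected page they asked for and the normal authentication flow starts over HTTPS.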



  • 9.  RE: IBM Application Gateway redirection from http to https

    Posted Thu October 01, 2020 10:15 AM
    Thank you very much Jon,

    I will try it but it was just a test. 

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 10.  RE: IBM Application Gateway redirection from http to https

    Posted Fri October 02, 2020 02:34 AM
    Hello

    As Jon explained, the redirect from HTTP to HTTPS will also depend on the environment where you are deploying the IAG containers.
    Here is an example of an Ingress definition (IBM Kubernetes Service), where you can see the annotation which causes HTTP traffic to be redirected to HTTPS. So (VPC) load balancers, application load balancers, etc. all determine what traffic arrives at the IAG container.
    The key is understanding the setup and the nodes which the request travels through.

    ---
    kind: Ingress
    metadata:
      name: iagingressresource
      annotations:
        ingress.bluemix.net/redirect-to-https: "True"

    Kind regards,
    Serge Vereecke

    ------------------------------
    Serge Vereecke
    ------------------------------



  • 11.  RE: IBM Application Gateway redirection from http to https

    Posted Fri October 02, 2020 02:44 AM
    Hello Serge,

    I don't have a lot of experience using Ingress in Kubernetes. In fact, I am moving from Docker Swarm to GKE and I need a piece like IAG. So what is the best way to use IAG in Kubernetes? Exposing it as a LoadBalancer or using an Ingress?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 12.  RE: IBM Application Gateway redirection from http to https

    Posted Fri October 02, 2020 03:17 AM
    Hello Javier,

    Use an Ingress object in GKE. See here for the steps: https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress
    This will also automatically create an "external load balancer".

    The ingress definition would look like the snippet below.

    Storing the TLS certificate/private key in a Kubernetes Secret:

    kubectl create --namespace gke-system secret tls SECRET_NAME \
      --key privkey.pem \
      --cert fullchain.pem

    ------------
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: iagingressresource
      annotations:
        # If the class annotation is not specified it defaults to "gce".
        kubernetes.io/ingress.class: "gce"
        kubernetes.io/ingress.allow-http: "false" # If disabling HTTP is needed
    spec:
      tls:
      - secretName: secret-name # to be generated
      rules:
      - http:
          paths:
          - path: /
            backend:
              serviceName: iag
              servicePort: 8443
    -------------------
    The Service YAML:

    #
    # The service description of the IAG service.
    #
    apiVersion: v1
    kind: Service
    metadata:
      name: iag
    spec:
      ports:
      - port: 8443
        name: iag
        protocol: TCP
      selector:
        app: iag
    -------
    Kind regards,
    Serge Vereecke


    ------------------------------
    Serge Vereecke
    ------------------------------



  • 13.  RE: IBM Application Gateway redirection from http to https

    Posted Fri October 02, 2020 02:57 AM
    Hi Jon,

    Do you know if the AppGateway is available for IBM Power Systems? I'm afraid it's not, as the WebSEAL container runs on Intel only.

    THX,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------



  • 14.  RE: IBM Application Gateway redirection from http to https

    Posted Fri October 02, 2020 03:20 AM
    Hi Jens,

    You are correct and this is true for all of the IBM Security Verify and Verify Access containers.  Our containers (like most containers in the world today) are written to run on an x86 Linux kernel.   This means they won't run on other processors (like Power or zSeries) and they also won't run on systems without a Linux kernel.

    Interesting fact: If you run Docker Community Edition on MacOS or Windows, a virtualized Linux kernel is running behind the scenes to provide the Linux kernel required.

    Cheers... Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------