Environment
Access Manager 3 FCS build
Novell Identity Server 491
NetWare Access Gateway 3.0.153
Linux Access Gateway build 56
Situation
A reverse proxy was configured on an Access Gateway server (the issue is independent of the NetWare or Linux platform). All SSL options from browser to proxy were enabled, including the option to redirect HTTP requests to HTTPS. The protected resources for this reverse proxy did not require authentication. After the changes were applied, the health check status looked fine.
Users could access the reverse proxy successfully via browsers. However, some users started reporting 409 errors with the following description:
'Received a non-redirectable request on a secure service. Change the URL from http to https and send the request again'
Resolution
The error serves as a warning that secure data may be exchanged over an insecure HTTP channel. Change the back-end application so that all HTTP POST requests are sent directly to HTTPS, rather than to HTTP.
Additional Information
The above 409 error occurs when a user agent (a browser or web-based application) sends data over HTTP to the secure reverse proxy using the POST method. The reverse proxy is set up to redirect HTTP requests to HTTPS, so it would be expected to redirect the POST request and its data to HTTPS. The problem is that this POST data is sensitive data that should only be sent over a secure channel, and by the time the proxy can answer, the request body has already been sent over plain HTTP. If the proxy were to redirect the POST (via an HTTP 302 response), it would potentially open up a security hole.
By changing the back end to send the POST data over HTTPS, there is no issue with redirections.
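One way to locate the POST targets that the Resolution asks you to change, as an added example that is not from the original article or the product: a Python scan of back-end HTML for POST forms (and `formaction` overrides) that resolve to plain `http://`. The sample page, the host `portal.example.com` and the names `PostTargetAudit` and `insecure_post_targets` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, not taken from any real application.
SAMPLE = """<html><body>
<form method="post" action="http://portal.example.com/login"></form>
<form method="POST" action="/search"></form>
<form method="get" action="http://portal.example.com/find"></form>
<form method="post" action="https://portal.example.com/pay">
<input type="submit" formaction="http://portal.example.com/alt">
</form></body></html>"""


class PostTargetAudit(HTMLParser):
    """Collect POST targets that resolve to plain http:// URLs."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url          # URL the page was served from
        self.in_post_form = False
        self.findings = []            # (source line, resolved target)

    def _check(self, target):
        resolved = urljoin(self.base, target or "")  # empty action = page URL
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], resolved))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])  # changes relative resolution
        elif tag == "form":
            self.in_post_form = (a.get("method") or "get").lower() == "post"
            if self.in_post_form:
                self._check(a.get("action"))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction overrides the form's action for that submit control
            method = (a.get("formmethod") or "").lower()
            if method == "post" or (not method and self.in_post_form):
                self._check(a["formaction"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_post_form = False


def insecure_post_targets(html, page_url):
    audit = PostTargetAudit(page_url)
    audit.feed(html)
    return audit.findings
```

Relative actions inherit the scheme of the page, so pass the URL the page is actually served from as `page_url`; each finding is a `(line, url)` pair for a POST that would reach the HTTP listener.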