Using URL Rewrite to Modify WebDAV PROPFIND Responses with BIG-IP's SSL Offloading
I ran into an interesting situation recently where a customer was using F5's BIG-IP for SSL offloading with their web farm and they were having problems with WebDAV. Here's the details of the scenario: BIG-IP adds a proprietary FRONT-END-HTTPS: ON
header to requests, and that header is ignored by IIS 7 because it's proprietary to BIG-IP. This is expected behavior, but it presented an interesting problem from a WebDAV perspective - the responses to PROPFIND requests contain XML with URLs. Since BIG-IP is performing SSL offloading, the requests use HTTPS to BIG-IP, then HTTP from BIG-IP to IIS, so the URLs in the XML of a PROPFIND response are listed using HTTP instead of HTTPS. So when a WebDAV client tries to access any of the URLs from the PROPFIND response, it's using the non-secure URL instead of the secure URL.
Here's what that looks like:
PROPFIND Request
PROPFIND / HTTP/1.1
Content-type: text/xml; charset="utf-8"
Translate: f
Depth: 0
FRONT-END-HTTPS: ON
Content-Length: 0
Host: localhost
Accept: */*
Connection: Keep-Alive
PROPFIND Response
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>http://example.com/</D:href>
<D:propstat>
<D:status>HTTP/1.1 200 OK</D:status>
<D:prop>
<D:getcontenttype/>
<D:getlastmodified>Wed, 08 Sep 2010 19:40:18 GMT</D:getlastmodified>
<D:ishidden>0</D:ishidden>
<!-- NOTE: Some lines were removed for brevity. -->
<D:displayname>/</D:displayname>
<D:getcontentlength>0</D:getcontentlength>
<D:iscollection>1</D:iscollection>
<D:creationdate>2006-06-29T00:14:48.612Z</D:creationdate>
<D:resourcetype>
<D:collection/>
</D:resourcetype>
</D:prop>
</D:propstat>
</D:response>
</D:multistatus>
Since BIG-IP is adding the proprietary FRONT-END-HTTPS: ON
header to requests, it seemed to me like this would be an easy problem to detect and resolve with the URL Rewrite module for IIS 7, and I worked with Daniel Vasquez Lopez and Ruslan Yakushev to come up with a URL Rewrite configuration that seems to remedy this customer’s situation.
If you have URL Rewrite installed and you add the following rule to the web.config file of your WebDAV website it will rewrite all of the http:// URLs to https:// URLs in PROPFIND responses when the FRONT-END-HTTPS: ON
header is present:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="FRONT_END_HTTPS" preCondition="" patternSyntax="ECMAScript">
<match filterByTags="None" pattern="<D:href>http://([^<]+)</D:href>" />
<action type="Rewrite" value="<D:href>https://{R:1}</D:href>" />
<conditions>
<add input="{HTTP_FRONT_END_HTTPS}" pattern="ON" />
<add input="{REQUEST_METHOD}" pattern="PROPFIND" />
<add input="{RESPONSE_STATUS}" pattern="207" />
</conditions>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
The following is a small change from Ruslan that also worked:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="FRONT_END_HTTPS" preCondition="" patternSyntax="ECMAScript">
<match filterByTags="None" pattern="<D:href>http://(.+?)</D:href>" />
<action type="Rewrite" value="<D:href>https://{R:1}</D:href>" />
<conditions>
<add input="{HTTP_FRONT_END_HTTPS}" pattern="ON" />
<add input="{REQUEST_METHOD}" pattern="PROPFIND" />
<add input="{RESPONSE_STATUS}" pattern="207" />
</conditions>
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
My thanks to Daniel and Ruslan for their assistance with the URL Rewrite syntax!