Outsystems redirects with load balancer and SSL offloading

Outsystems redirects with load balancer and SSL offloading

We're developing a SaaS solution using Amazon AWS infrastucture and with communication happening over HTTPS. The idea is to use AWS ELB as a load balancer and to use auto scaling so that we can automatically bring up nodes when traffic so requires.

We are planning to let the ELB terminate SSL and forward connections as HTTP only to the Outsystems frontend servers. This would allow us to maximize performance and maintainbility (no need to store any SSL keys in the frontend servers - only in the ELB).

However, I've now found out that the redirects Outsystems sends contain absolute URLs. So when a user connects to ELB with HTTPS, the response will contain redirect urls that are HTTP. Also, some of the urls containing http:// in the beginning are defined javascript contents so simple IIS URL rewrite module won't solve the problem of converting HTTP to HTTPS.

I found an article describing load balancer scenario, but without SSL offloading:

In this discussion they state "If you must perform URL translations of SSL off load, then I suggest you reach out to the OutSystems Technical Support for alternatives."

Any suggestions on how to achieve SSL Offloading with Outsystems?

Hi Toni,

Please have a look at the following document:

You can find there the configurations required to support your scenario. In page 8 you can find the instructions to enable OutSystems Platform to support SSL offloading.

One of the configurations consists in adding an header to specify the original request protocol (X-Forwarded-Proto). As far as I can see ELB is handling this for you, which means that you can skipp that one:

Kind regards,
Ivo Gonçalves
Thanks for the fast response! It seemed that the solution for me should be easy, just run a command:

insert into OSSYS_PARAMETER (Name,Val) values ('OutSystems.HubEdition.HTTPtoHTTPSproxyHeader','XForwarded-Proto: https');

However, after testing, it seems like I'm still getting a wrong redirect url (starting with http) from Outsystems, for example, when an action logic sends the user to a new screen. I restarted the service, but no help. Any suggestions?
Hi Toni,

Did you restart the application server (IIS/JBoss) or just OutSystems services?

Were you able to check if the XForwared-Proto header is being injected by the ELB? 

Kind regards,
Ivo Gonçalves
I did an iisreset + restarted all Outsystems services.

I have also checked previously that the XForwarded-Proto header really does exist.
I restarted all servers and rechecked that the header exists: X-Forwarded-Proto: https. It seems like all is correct:

POST /xxx/LoginManyTenants.aspx?_ts=1445595602550 HTTP/1.1
host: elb-test-29044290.eu-central-1.elb.amazonaws.com
Accept: text/plain, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,fi;q=0.6
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: ASP.NET_SessionId=wi2i4pbo54lyn3gyv3o4xp1s; osVisitor=70a89834-84bb-42ec-90b3-3c83033ae071; RT=s=1445595573979&r=https%3A%2F%2Felb-test-29044290.eu-central-1.elb.amazonaws.com%2FUtilyticsAuth%2FLogin.aspx; osVisit=944fe375-5157-4a5b-b0d8-ef8a37b6163f
Origin: https://elb-test-29044290.eu-central-1.elb.amazonaws.com
Referer: https://elb-test-29044290.eu-central-1.elb.amazonaws.com/UtilyticsAuth/LoginManyTenants.aspx?KeepLoggedIn=False
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
X-Requested-With: XMLHttpRequest
X-Forwarded-Port: 443
X-Forwarded-Proto: https
Content-Length: 1050
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Set-Cookie: osVisit=944fe375-5157-4a5b-b0d8-ef8a37b6163f; expires=Fri, 23-Oct-2015 10:50:01 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Date: Fri, 23 Oct 2015 10:20:02 GMT
Hi Toni,

Is that happening for every single request or just with specific scenarios?

Can you please recheck that the internal OutSystems parameter has the proper value?
select * from OSSYS_PARAMETER where name ='OutSystems.HubEdition.HTTPtoHTTPSproxyHeader'

Kind regards,
Ivo Gonçalves
It does not happen for every request. Only when there's a redirect (e.g. after user clicks save on a detail edit page and the action sends user back to a list page).

select * from OSSYS_PARAMETER where name ='OutSystems.HubEdition.HTTPtoHTTPSproxyHeader';

| ID  | NAME                                         | VAL                     | HOST | HOST_SERIAL |
| 171 | OutSystems.HubEdition.HTTPtoHTTPSproxyHeader | XForwarded-Proto: https | NULL | NULL        |
Turns out that I had a copy-paste error from the pdf. Should've been 'X-Forwarded-Proto: https' instead of 'XForwarded-Proto: https'.