Mixed Content Warnings when Using SSL Offloading? Use the Rewrite Feature…

As being part of the Networking SIG leadership team, I'll would like to kick-off my first personal blog article for the NSIG group with 1 of my NetScaler insights around SSL Offloading and Rewrite Policies. A very simple and effective feature!

NetScaler is one of the most advanced and impressive products that I've used throughout the past 5 years. Started with the configuration of the NetScaler Access Gateway / ICA Proxy, and ended up with all the advanced features, such as URL Rewrite, Content Switching (CSW), Global Server Load Balancing (GSLB) and URL transformations.

(I’m also advising you to take a look at GSLB, I'll already covered this feature earlier in a CUCG User Share Webinar, together with Fellow NSIG leaders Dave Brett and Carsten Brunss).

When you setup the following scenario…  SSL Offloading for Web Applications performing the transformation of the internal HTTP Protocol to a Secure HTTPS connection on the outside. Just let the NetScaler do the encryption. In some of the cases this works properly, but sometimes you'll need to replace the HTTP headers back to the original protocol to avoid problems in the links of the (web) application.

For example, the application doesn’t show the right redirections and it still places http:// in front of some of the links. Images are not loaded properly, and thinks it's still on HTTP instead of HTTPS. Internet Browsers returning with Mixed Content warning, as the examples below... 

To solve these problems, you’ll need to activate Rewrite Actions / policies, which will translate all the SSL Offloading HTTPS requests back to HTTP in the header. At that moment, the Web Application will know his way and the application will proceed working perfectly fine in a secure way!

In this article, I’ll show you how you can configure URL Rewrite / Responder Policies to make sure that your Web Application continues working after activating SSL Offloading, when the back-end is listening on the HTTP Protocol.




Errors without URL Rewrite 

The following error can return, when you activate SSL Offloading without using URL Rewrite policies…

The following Mixed Content errors will return in the internet browser developer tools


URL Rewrite configuration steps

Perform the following steps to use the rewrite feature to replace occurrences of http:// with https:// in the body of an HTTP response. In this way, the protocol transformation steps will be translated.

Step 1: Create a Rewrite Action through the following command

add rewrite action httpRewriteAction replace_all http.res.body(50000) "\"https://\"" -pattern http://

Step 2: Create rewrite policy

add rewrite policy httpRewritePolicy "http.res.body(50000).contains(\"http://\")" httpRewriteAction

Step 3: Bind the new Rewrite policy to the Virtual Server of the Web Application Server - as Response Rewrite Policy.

Note: Check the following Citrix Docs article for all the other Policies and Expressions possibilities that are available for NetScaler. https://docs.citrix.com/en-us/netscaler/11/appexpert/policies-and-expressions/ns-pi-summ-exmp-adv-expr-pol-wrapper-con.html

That’s it, I hope this solves your problem.


Christiaan Brinkhoff 

Networking SIG Leader, CTA

Are you a member of the CUGC Networking SIG? Join today!


Rewrite Policy Type

October 11, 2017 06:49 PM by Christian Tinello

Hi Christiaan,

nice article on rewrite.
Perhaps you write: 

Step 3: Bind the new policy to the Rewrite Policy to the Virtual Server of the Web Application Server - as request Rewrite Policy.

What i think is wrong is if you create rewite policy/action in "response" type you cannot bind it in a vip as request rewrite policy but only as response policy.



RE: Rewrite Policy Type

October 12, 2017 02:43 AM by Christiaan Brinkhoff

Thanks for the notify Christian!

You're right. I'll get that fixed.

The only possible way to configure this solution is as Rewrite / Reponse policy!

Please login to add your comments.

Recent Stories
How to Configure Enlightened Data Transport UDP Protocol (EDT) When Using Citrix Cloud–XenApp & XenDesktop Service with VDA and NetScaler Placed in Microsoft Azure Cloud

Results of the Latest Networking SIG User Share Webinar on Citrix Cloud Workspaces in Azure

Mixed Content Warnings when Using SSL Offloading? Use the Rewrite Feature…