Redirecting to POST

Hi all, and Stingray Team,

I'm facing a problem where a request arrives in Stingray with HTTP protocol, and is redirected via a rule to HTTPS.
Currently the redirection is done through http.redirect.

This causes a major problem, as the original request is actually a POST, with POST data, and is redirected as a raw GET. All the data is lost.

My question is: is there a way to "redirect" some HTTP request to HTTPS, but keeping their method and data?

A POST to would be redirected to , as a POST request, with POST data kept (or transferred).

It seems http.redirect or http.changeSite do not allow POST redirection, and seem not made to send a POST request to the website, but are meant for Zeus internal work (i.e. post request, retrieve result & body, and continue script based on the result).

I would appreciate very much any input on this subject.

Thanks a lot!
Frederic Esnault

Re: Redirecting to POST

Hi Frederic,

The http.redirect function sends back a '302 Moved Temporarily' response with a Location header containing the new URL.

The HTTP 1.1 spec suggests that clients should resend POST data after prompting the user, but acknowledges that some clients do not (they send GET requests instead):

This is a client issue, not a server one, and seems to be very common (as you have found).

A couple of comments:

  • Using http.redirect: this is a convenience function that wraps the http.sendResponse function; use http.sendResponse if you need more control over how clients are redirected, or look at http.changeSite.
  • Redirect to GETs: you could parse the HTTP POST in the traffic manager and construct a GET request that contained the parameters in the query string, then instruct the client to GET that new URL (over https).
  • Security: if clients are sending sensitive data over an HTTP connection, redirecting them to HTTPS and expecting them to resend the data will not make the service more secure. You need to prevent the initial HTTP-based POST, perhaps by rewriting the action field in the form or by inserting a fragment of JavaScript that does this.
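
The form-action rewrite suggested in the reply above, as an added example that is not code from the thread or from Stingray. The function names, the sample host names and the assumption that HTTPS is served on the default port are all assumptions.

```javascript
// Added example; toHttpsAction and upgradePostForms are hypothetical names.

// Resolve a form action against the page URL and return an https:// URL,
// or null when the action is not an http(s) target (e.g. mailto:).
function toHttpsAction(action, pageUrl) {
  let target;
  try {
    // An empty or missing action submits to the page's own URL.
    target = new URL(action || pageUrl, pageUrl);
  } catch (e) {
    return null; // unparsable action: leave the form untouched
  }
  if (target.protocol === 'https:') return target.href;
  if (target.protocol !== 'http:') return null;
  target.protocol = 'https:';
  // Assumption: HTTPS listens on the default port, so drop any explicit HTTP port.
  target.port = '';
  return target.href;
}

// Point every POST form at HTTPS so the first submission is already encrypted.
// Returns the number of forms whose action attribute was changed.
function upgradePostForms(doc, pageUrl) {
  let changed = 0;
  for (const form of doc.forms) {
    const method = (form.getAttribute('method') || 'get').toLowerCase();
    if (method !== 'post') continue; // only request bodies are at stake here
    const current = form.getAttribute('action');
    const secure = toHttpsAction(current, pageUrl);
    if (secure !== null && secure !== current) {
      form.setAttribute('action', secure);
      changed++;
    }
  }
  return changed;
}

// In a browser, run once the forms exist in the DOM.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () =>
    upgradePostForms(document, location.href));
}
```

A page that is itself delivered over HTTP can have this script removed in transit, so serving the form page over HTTPS is the stronger fix.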