ACE URL redirect

May 12th, 2007

I'm having some problems setting up a URL redirect from an ACE module. I have a class map that is matching content by VIP and I'm load balancing requests, but I would like to be able to look at the source request and, if it matches a specific list of IPs, redirect the request to a different URL, with all other requests load balanced to the server farm.


Thanks,


Bill

Gilles Dufour Tue, 05/15/2007 - 05:00
User Badges:
  • Cisco Employee,

Bill,


You first need to classify the traffic.

Since you want different behavior depending on the source IP, you will need to use a class-map to match the IP that needs to be redirected.


i.e.:


class-map type http loadbalance match-all SRCIP1
  match access-list ....
!


Then create 2 serverfarms.

One for loadbalancing and one for the url redirect.


Then create a policy-map that when matching your class-map above will use the redirect serverfarm and for the default class-map it uses the loadbalancing serverfarm


I hope this is clear enough like this.

If not, let me know.


Gilles.

Anonymous (not verified) Thu, 05/17/2007 - 06:52

Gilles,


Thank you for your assistance. I have implemented the commands and can now redirect http traffic to another website based on source address. I'm still having problems redirecting SSL traffic. It appears that the ACE is sending back the redirect as clear text, instead of encrypting it and sending it back to the client. I have attached a copy of my config. Any suggestions would be greatly appreciated.


rserver redirect ENCORE-REDIRECT
  webhost-redirection http://wserror.xyz.com 302
  inservice
rserver host ORADS-RDR1
  ip address 10.9.40.51
  inservice
rserver host ORADS-RDR2
  ip address 10.9.40.52
  inservice
rserver host ORADS-RDR3
  ip address 10.9.40.53
  inservice

ssl-proxy service ENCORE_SSL_SERVER
  key ROCENCORE.PEM
  cert ROCENCORECERT.PEM
  chaingroup ENCORE

serverfarm host ENCORE
  failaction purge
  probe ENCORE
  rserver ORADS-RDR1 80
    inservice
  rserver ORADS-RDR2 80
    inservice
  rserver ORADS-RDR3 80
    inservice
serverfarm redirect ENCORE-REDIRECT
  rserver ENCORE-REDIRECT
    inservice

sticky ip-netmask 255.255.255.255 address both ENCORE-sticky
  timeout 130
  serverfarm ENCORE

class-map match-all CLASS_MAP_ENCORE-http
  2 match virtual-address 10.6.9.17 tcp eq www
class-map match-all CLASS_MAP_ENCORE-https
  2 match virtual-address 10.6.9.17 tcp eq https
class-map type http loadbalance match-any CLASS_MAP_PROXIES
  2 match source-address 10.6.171.10 255.255.255.255
  3 match source-address 10.6.164.10 255.255.255.255
  4 match source-address 10.6.185.10 255.255.255.255
  5 match source-address 10.6.178.10 255.255.255.255
  6 match source-address 10.6.132.2 255.255.255.255
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match POLICYMAP_ENCORE_L7
  class CLASS_MAP_PROXIES
    serverfarm ENCORE-REDIRECT
  class class-default
    sticky-serverfarm ENCORE-sticky
policy-map multi-match POLICYMAP_ENCORE_L3L4
  class CLASS_MAP_ENCORE-http
    loadbalance vip inservice
    loadbalance policy POLICYMAP_ENCORE_L7
    loadbalance vip icmp-reply
  class CLASS_MAP_ENCORE-https
    loadbalance vip inservice
    loadbalance policy POLICYMAP_ENCORE_L7
    loadbalance vip icmp-reply
    ssl-proxy server ENCORE_SSL_SERVER

access-group input ALL-ACCESS

interface vlan 10
  description DATA_VLAN_AND_SVC_TO_ACE
  ip address 10.6.9.3 255.255.255.240
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input POLICYMAP_ENCORE_L3L4
  no shutdown


Thank you,

Bill

Gilles Dufour Fri, 05/18/2007 - 01:32
User Badges:
  • Cisco Employee,

Bill,


This is a known code issue.

CSCsh52210: Redirect rserver behind SSL proxy send the redirect string not encrypted


This is fixed in version A1(4b) and later.


Gilles.
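
A way to confirm from a packet capture whether the redirect on the HTTPS VIP leaves the ACE inside TLS or as clear text, for example before and after moving to a fixed release. This is an added example, not part of the original thread or Cisco's code. It assumes the server-to-client bytes of one connection have already been reassembled, and that the defect shows up as a raw HTTP status line where a TLS record is expected; the function names and sample byte strings are constructed for illustration.

```python
import re
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_STATUS = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r\n")
LOCATION = re.compile(rb"^Location:[ \t]*([^\r\n]+)", re.I | re.M)

def scan_server_stream(data: bytes) -> dict:
    """Walk the server-to-client bytes of one connection to an HTTPS VIP.

    Returns the TLS record types seen and, if TLS framing stops and an HTTP
    status line appears instead, the offset, status code and Location value.
    """
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        # A TLS record header: known content type, version 3.x, sane length.
        if ctype not in TLS_TYPES or major != 3 or minor > 3 or length > 16384 + 2048:
            break
        if pos + 5 + length > len(data):
            break  # truncated capture: the remainder is a partial record
        records.append(TLS_TYPES[ctype])
        pos += 5 + length
    result = {"records": records, "cleartext_offset": None, "status": None, "location": None}
    m = HTTP_STATUS.match(data, pos)
    if m:
        result["cleartext_offset"] = pos
        result["status"] = int(m.group(1))
        loc = LOCATION.search(data, m.end())
        if loc:
            result["location"] = loc.group(1).strip().decode("latin-1")
    return result

def tls_record(ctype: int, payload: bytes) -> bytes:
    """Build a TLS 1.0 record with an opaque payload (sample data only)."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload

# Constructed samples: filler handshake records, then the redirect either as
# raw HTTP (assumed shape of the defect) or wrapped in an application_data record.
HANDSHAKE = tls_record(22, b"\x00" * 80) + tls_record(20, b"\x01") + tls_record(22, b"\x00" * 40)
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://wserror.xyz.com\r\n\r\n"
BUGGY = HANDSHAKE + REDIRECT
FIXED = HANDSHAKE + tls_record(23, b"\x00" * len(REDIRECT))
```

A non-None `cleartext_offset` on a connection to port 443 means the redirect, including its `Location` target, crossed the wire unencrypted.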
