Redirect HTTP to HTTPS on CSS

joemarr_brodart · ‎01-12-2008

I thought this was a simple question, but I can't seem to make it work.

I want to redirect HTTP traffic to HTTPS for a particular site. The CSS is terminating the SSL, and the backend servers are listing on TCP 80.

No matter what I try, it isnt working. What am I missing?

!************************** SERVICE **************************

service somedomain_SSL

type ssl-accel

slot 2

add ssl-proxy-list somedomain_list

keepalive type none

compress enable

active

service www.somedomain.com_redirect

ip address 2.2.2.2

keepalive type none

type redirect

no prepend-http

domain https://test.somedomain.com

active

service www01.somedomain.com

ip address 10.101.0.43

active

service www02.somedomain.com

ip address 10.101.0.44

active

!*************************** OWNER ***************************

owner www.somedomain.com

content www.somedomain.com

vip address 10.101.0.8

protocol tcp

port 80

url "/*"

add service www.somedomain.com_redirect

active

content www.somedomain.com_SSL

vip address 10.101.0.8

add service somedomain_SSL

protocol tcp

port 443

active

!*************************** GROUP ***************************

group www.somedomain.com_Servers

vip address 10.101.0.8

add destination service www01.somedomain.com

add destination service www02.somedomain.com

active

joemarr_brodart · ‎01-13-2008

I seem to be making some progress on my own. Currently, Im now being redirected (using a HTTP proxy debugger, I see that Im getting a 302 and browser is showing the cert) but the page fails to display. Here is my current config.

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list somedomain_list

description "SSL List for www.somedomain.com"

ssl-server 1

ssl-server 1 vip address 10.101.0.8

ssl-server 1 rsacert somedomain-ssl

ssl-server 1 rsakey somedomain-ssl

ssl-server 1 cipher rsa-with-rc4-128-md5 10.101.0.8 80

active

!************************** SERVICE **************************

service somedomain_SSL

type ssl-accel

slot 2

add ssl-proxy-list somedomain_list

keepalive type none

compress enable

active

service www.somedomain.com_redirect

ip address 2.2.2.2

keepalive type none

type redirect

no prepend-http

redirect-string "https://test.somedomain.com"

active

service www01.somedomain.com

ip address 10.101.0.43

keepalive type http

protocol tcp

port 80

active

service www02.somedomain.com

ip address 10.101.0.44

keepalive type http

protocol tcp

port 80

active

!*************************** OWNER ***************************

owner www.somedomain.com

content www.somedomain.com_http

vip address 10.101.0.8

add service www.somedomain.com_redirect

protocol tcp

port 80

url "/*"

active

content www.somedomain.com_https

protocol tcp

add service somedomain_SSL

vip address 10.101.0.8

application ssl

port 443

add service www01.somedomain.com

active

!*************************** GROUP ***************************

group www.somedomain.com_Servers

vip address 10.101.0.8

add destination service www01.somedomain.com

add destination service www02.somedomain.com

active

joemarr_brodart · ‎01-13-2008

I finally figured it out. I need to create a backend content server for the SSL module to talk to. Once I did that and reconfigured the ssl-proxy to acknowlege it, it began to work. Here is the final config:

!*********************** SSL PROXY LIST ***********************

ssl-proxy-list somedomain_list

description "SSL List for www.somedomain.com"

ssl-server 1

ssl-server 1 vip address 10.101.0.8

ssl-server 1 rsacert somedomain-ssl

ssl-server 1 rsakey somedomain-ssl

ssl-server 1 urlrewrite 1 test.somedomain.com sslport 443 clearport 80

ssl-server 1 cipher rsa-with-rc4-128-md5 10.101.0.8 81

active

!************************** SERVICE **************************

service somedomain_SSL

type ssl-accel

slot 2

add ssl-proxy-list somedomain_list

keepalive type none

compress enable

active

service www.somedomain.com_redirect

ip address 2.2.2.2

keepalive type none

type redirect

no prepend-http

redirect-string "https://test.somedomain.com"

active

service www01.somedomain.com

ip address 10.101.0.43

keepalive type http

protocol tcp

port 80

active

service www02.somedomain.com

ip address 10.101.0.44

keepalive type http

protocol tcp

port 80

active

!*************************** OWNER ***************************

owner www.somedomain.com

content www.somedomain.com_decrypt

vip address 10.101.0.8

add service www01.somedomain.com

add service www02.somedomain.com

protocol tcp

port 81

active

content www.somedomain.com_http

vip address 10.101.0.8

add service www.somedomain.com_redirect

protocol tcp

port 80

url "//test.somedomain.com/*"

active

content www.somedomain.com_https

protocol tcp

add service somedomain_SSL

vip address 10.101.0.8

application ssl

port 443

active

!*************************** GROUP ***************************

group www.somedomain.com_Servers

vip address 10.101.0.8

add destination service www01.somedomain.com

add destination service www02.somedomain.com

active

joemarr_brodart · ‎01-13-2008

I guess I still have a couple of questions:

â€¢ What is the significance of the IP address in the redirect service:

service www.somedomain.com_redirect

ip address 2.2.2.2

â€¢ I will need to configure the use of sticky cookies, would this be done on content www.somedomain.com_decrypt ?

â€¢ I'm using a one armed config with NAT. My two servers are oracle 11i app servers. We chose the one armed config so that DB transactions did not go through the CSS. I believe this is going to cause issues with our webtrends install because all users are going to come from the 10.101.0.8 addy. Is there away around this? The servers and CSS are in a DMZ behind an ASA.